Anyone heard of Open Bug Bounty? Are they ransomware?

[kuau]

I received a series of emails from some guy informing me that my site had Open Bug Bounty - Security Vulnerability Notification | Confidential & Important (see below). So I replied and the guy asked for money for his report. I'm not sure how to "sanitize the input values and make forbidden all special characters." I tried using htmlspecialcharacters but broke the code. This site has been up since 2008 with nobody bothering it. Now this guy pretending to be helping me is causing a crisis for me. Why would Google be paying people to submit vulnerable sites? What can I do? I don't make any money from this site. It is a community calendar I do as a public service. It costs me enough as it is without some creep shaking me down. How can I prevent someone from adding crap to the query string? This is very discouraging for someone just trying to do a good thing for my community. Thanks for any help.

Reflected Cross site scripting
-------------

Hi,

This is Reflected cross site scripting on https://[mysite].com startdate= endpoint. That lead to execute javascript code on behalf of victims browsers.

Endpoint : “startdate=”
Xss url:
https://[mysite].com/php/week.php?st...XSS/)%3Eweb%22


Steps to reproduce:
1 : Add xss payload at startdate= endpoint
2 : Open in browser or send this to victim
3 : While open url, Xss will trigger out

https://[mysite].com/php/week.php?st...XSS/)%3Eweb%22

PoC:
Screenshot from 2021-07-02 20-33-36.png

Fix:
Sanitize the input values, and make forbidden all special characters.


Thanks!

What is this about? What security vulnerability are you referring to? I am not aware of any problems with this site.


-------- Forwarded Message --------
Subject: Open Bug Bounty - mysite.com Security Vulnerability Notification | Confidential & Important
Date: Fri, 02 Jul 2021 02:59:09 +0000
From: OpenBugBounty.org <no-reply@openbugbounty.org>
To: info@mysite.com


OpenBugBounty
Making web a safer place

Website Security Vulnerability Notification
Dear Security Team,

We would like to inform you that a security vulnerability affecting [mysite].com website was reported via Open Bug Bounty coordinated and responsible disclosure program. Submission details are available here: https://www.openbugbounty.org/reports/*******/

Following the ISO/IEC 29147 (“Information technology — Security techniques — Vulnerability disclosure”) guidelines, we verified the vulnerability's existence prior to notifying you. Please contact the security researcher directly for technical details of the vulnerability, his/her profile is available on the submission page. The researcher may also help remediate the vulnerability if you need any assistance. If you received this notification by error, please accept our apologizes and forward it to your IT security team or a person in charge of your website security.

For additional information about the non-profit Open Bug Bounty project please refer to: https://www.openbugbounty.org/open-bug-bounty/
Best regards,
Open Bug Bounty Team
Making Web a Safer Place © 2014-2021

DISCLAIMER: Open Bug Bounty is a non-profit project, we never act as an intermediary between website owners and security researchers. We have no relationship or control over the researchers. Our role is limited to independent verification of the submitted reports and proper notification of website owners by all reasonably available means.

[keyboard]

Note: I've removed all references I could find to your site (in your other post) as the vulnerability is still active.


There are some significant issues present in the code you provided in your other post.

PHP Code:

$getdate = $_GET['startdate']; 


Here you're setting the value of $getdate to whatever the value of startdate is in the url parameters.

PHP Code:

$sql = "SELECT DISTINCT event_id, ev_title, startdate, starttime, endtime
                FROM  event
                WHERE approved = 1 AND (`startdate` = '".$getdate."' 
                OR (".$dow." = 1 AND `oge` = 2) 
        OR (recur = 1 AND startdate <= '".$getdate."' AND `enddate` >= '".$getdate."' ) 


Here you're using the value from $getdate directly in your SQL query. As there's no sanitisation of data, so you're likely vulnerable to sql injection.
They could basically run any SQL query they want against your database, which is likely how they got your password.


The second vulnerability mentioned is a reflected XSS attack.
The code that is causing this vulnerability isn't included in the sample you provided; however, I have checked and the page is definitely succeptable.
This is because you're displaying the user's content on the page somewhere without sanitising it. This allows the user to include javascript in their content, and it will be executed when the page is visited.



So, given the two issues described above, here is some information to help you -

1. As a first step, I would always take any page that has security vulnerabilities offline until it can be secured.
   
2. You need to santise all user inputs before they go anywhere near an SQL query. You should be using mysqli_real_escape_string on all inputs that come from the user before they go near your database(s). This will block most injections, but not all. You should also validate any user data before it is added. In this instance, the value of $_GET['startdate'] should be in the format yyyy-mm-dd, so you can remove any characters that aren't numbers or hyphens. You could also run a regex to ensure the dates are entered in that format. Either way, you should validate all user input (as well as escaping it).
   
3. You need to escape all user data before displaying it on the page. At some point in your code, you're echoing the value of $_GET['startdate']. You need to clean this input first. In PHP, the function to safely remove any HTML code in a value is htmlspecialchars($str);
   
4. Regarding OpenBugBounty - They are a non-profit that helps security researchers report exploits to website owners. They encourage website owners to say thank you, or reward vulnerability reporters; however, there is no obligation to do so, and if anyone does demand payment they should be reported to OpenBugBounty as that is not allowed.
   
5. I strongly believe that reporting vulnerabilies should be encouraged, so I try to encourage people to be kind in these instances. Unfortunately, large companies tend to dislike people finding exploits, and they have been known to file charges. Don't be like that!
   
6. HOWEVER, I would suggest that it is highly inappropriate for a researcher to access data of a site they breached. They should use the minimum amount of intrusion possible to detect and report exploits, and locating and sending the administrator's password is firmly not ok (not to mention that it's a crime).
   
7. If the reporter was able to send you a copy of your password, that indicates a further issue. Your password shouldn't be available in your database, only hashed/salted copies of passwords should be stored. It is vital for security that plaintext passwords are not stored because of the potential ramifications if there is a security breach (any users who share passwords across different sites would be in big trouble).
   
8. I would recommend looking through your existing code and implementing escaping, validation and sanitisation across all. It is likely that there will be other vulnerable scripts as well. There are some automated tools that may help with this. On that note, the reporter used a tool (scant3r?) to automatedly find the exploit.
   
9. You should confirm what data the reporter accessed on the system, as that is a big no no. I would definitely recommend trying to stay polite, but in my professional opinion it is unacceptable.
   
10. Finally, you should change all passwords for your website and inspect any database/server logs to see if there have been any breaches in the past/etc.

I know it's a lot of information, so try not to get overwhelmed! Just work your way through, and if you have any questions please ask.
I may have missed some things and been incorrect on others. It's quite late here now, so my apologies if that is the case!

[kuau]

Dear keyboard: Thank you so much for your informative answer! Sorry for the delayed response... I was dealing with multiple crises but managed to do some. I have read up on SQL injection (scary!). I actually thought the code was safe but now I understand how they do it. They guy who hacked my site (Dipu) not only sent me my password, he sent my full name, phone number, and dumped ALL the data and sent me a listing of all the fields in every table! To say this was alarming is an understatement. Then he asked for money. I asked if he was threatening me and he said he didn't demand money, he was just asking. I thanked him and apologized if I offended him, but should I report him to OBS? What is the difference between a good guy asking for money or else and a bad guy asking for money or else? The result is the same. I am not impressed with the way they go about their supposedly good mission. I also don't like that Google incentivizes them by paying them to find vulnerable sites. Who made Google the code police as well as the thought police?

Anyway, for years I have been using addslashes in contact forms to escape apostrophes and don't 100% understand the difference between addslashes and mysqli_real_escape_string. Will this work to ensure getdate is a date?

Code:

	$getdate = DATE($_GET['startdate']);

Is this how to sanitize input?

Code:

$ev_contact  = htmlspecialchars($_POST['ev_contact']);

I do use dates in yyyy-mm-dd format but I googled regex but can't figure out what "run a regex" means. Sorry. I wish dynamic drive would not label me "Senior Coder." I may have been around for a long time but I am still just as dumb. I am a good mimic, ie. if I see an example of correct code, I can utilize the code in other instances but I am not good at originating the code. I'm pretty good at making a site look pretty, but php is mostly a means to an end for me. I'm not very conversant with the language itself. Too busy providing the content for the sites to help people's small businesses. You guys are the pros. I would be lost without you. Mahalo plenty for helping me make my code safe.

How about this as a way to make sure $getdate is a valid date...

Code:

$today = date ('Y-m-d'); $weekdate = strtoupper(date('F j, Y')); $dow = strtolower(date('D'));
if(isset($_GET['startdate']) && $_GET['startdate'] != '' && (strtotime($_GET['startdate'])){
	$getdate = $_GET['startdate'];
	$weekdate = strtoupper(date('F j, Y', strtotime($getdate)));
} else {
	$getdate = $today;
}

[keyboard]

Dear keyboard: Thank you so much for your informative answer!

No problem!

They guy who hacked my site (Dipu) not only sent me my password, he sent my full name, phone number, and dumped ALL the data and sent me a listing of all the fields in every table! To say this was alarming is an understatement.

In my opinion that is highly inappropriate; it could be justified accessing some data in the for exploratory purposes, but there's a big difference between testing an SQL injection and actually dumping data from the database and storing it (you said he sent you copies of your own data).
It is a bit of a grey area, as we don't want to discourage security testers from reporting vulnerabilities, but accessing and storing data is absolutely not acceptable. I'd definitely be asking them what data they accessed and whether they made copies of any of it. If you have database logs you should check those too.

Then he asked for money. I asked if he was threatening me and he said he didn't demand money, he was just asking.

They can definitely ask for money, just like you could ask for money if you told someone their car was unlocked (don't read into this example too much, because I've never seen someone getting paid for an unlocked car... but bounties do sometimes earn money hahaha).
It's nice to reward people who do the right thing, to encourage good behaviour in the future, but there is no obligation to do so.

I thanked him and apologized if I offended him, but should I report him to OBS? What is the difference between a good guy asking for money or else and a bad guy asking for money or else? The result is the same. I am not impressed with the way they go about their supposedly good mission.

I'm not sure about this one. Personally, data access is a big no in my books, but they didn't explicitly demand money with a threat. A lot of the difference is in the approach. There's a line between extortsion and encouraging compensation.
It's worth noting that they don't represent Open Bug Bounty. Anyone can sign up. It's more of a framework/platform to let individuals report via.

I also don't like that Google incentivizes them by paying them to find vulnerable sites. Who made Google the code police as well as the thought police?

I don't quite follow sorry. As far as I'm aware, Google isn't associated with Open Bug Bounty at all. They do have a bug bounty program, but it's their own one, for reporting vulnerabilities within Google products.

I've got to run now, but I'll take a look at the PHP questions in a bit.

[kuau]

OK, I won't report him but I do not agree with the method he used to justify "asking" me for money. He sent me 8 alarming emails that caused major anxiety and a crisis in my life. I had never heard of Open Bug Bounty and thought they were ransomeware especially at a time when Russian hackers are in the news for attacking businesses. As you know, I had been working on writing a login script for that site and Dipu used my pause in getting it completed to attack it even though it had not even been implemented yet. I was busy with other things in my life. I read somewhere that OBB gives you 30 days then reports the vulnerability to Google who pays them between $700 and $1500 for bugs. WHY? This is a tiny community calendar that makes no money and costs me a lot of time and I have to pay for the domain and hosting. I recently took over maintenance as a favor for the original owners who moved away. These OBB people are making it difficult for me to provide a public resource that benefits a lot of people (not me!). I can't take the pages down while I fix them because people need them. I would like to fix it asap, so any help anyone can give me with the php will be greatly appreciated. I have watched several videos about XSS and PDO and haven't found any good ones that make sense to me or that the person speaks understandable English. If anyone knows any good videos I am happy to learn what I need to learn but I just don't have a lot of time right now while I am under this threat from Dipu. I am sorry I am not a php pro. I am trying my best as time will allow.

[keyboard]

Apologies for the slow response. Very busy at the moment unfortunately. I've been trying to work through the PHP you included in your other thread, but I'm finding it difficult as the code is quite hard to understand in places, specifically the SQL query.
For instance, one line is OR (".$dow." = 1 AND `oge` = 2), but $dow is "A textual representation of a day, three letters" (e.g., Monday), so I don't understand how that is supposed to work.
It may be helpful to provide more code or elaborate on the logic of the SQL statement.

I thought I'd respond with some code that should help solve the current issues present. Bit of a disclaimer: I'm not a PHP programmer, so I can't ensure the information provided is best practices. It should be a okay starting point, but I'd recommend looking into the topics if you want to have a strong understanding!

Validating an input as a YYYY-MM-DD format

PHP Code:

define('DATE_FORMAT', 'Y-m-d');

//Validate the input was provided and is non-empty
if(!empty($_GET['startdate'])) {

    $date = DateTime::createFromFormat(DATE_FORMAT, $date);

    //Vaidate the value of startdate is a legitimate date and is in the format required
    if(!$date || $date->format(DATE_FORMAT) !== $_GET['startdate']) {
        $date = new DateTime('now');
    }

} else {
    $date = new DateTime('now');
} 


Sanitising for SQL.
Note:
Double check your code for $wkofmon, because that may not give you the correct value.
If the first day of a month is Saturday then on the 3rd of that month it would be a Monday, which would be the first day of week 2. However, your code only works by measuring sets of 7 days.

PHP Code:

    //If we used the previous code to set $date, you actually don't need to sanitise the data, because none of the values in a Y-m-d format date can be used for SQL injection.
    //Still good practice to do so anyways.

    //Instead of loading the date straight from the user input, load it from the date object (and escape just incase).
    //$getdate = $_GET['startdate'];
    $getdate = $date->format('Y-m-d');
    $dow = $date->format('D');
    $dno = $date->format('j');
    $dom = $date->format('d');
    $wkofmon = (floor(($dno - 1)/7)) + 1;  // gives the week of the month
    $dyr = $date->format('z'); 


Other Sanitising
You'll need to validate/sanitise every value from the user.
E.g., validate that event_id is a number, etc., then sanitise them before usage.

Anyway, for years I have been using addslashes in contact forms to escape apostrophes and don't 100% understand the difference between addslashes and mysqli_real_escape_string.

The two functions can work in a fairly similar way. I think this StackOverflow response by zneak addresses it very succinctly -

Code:

addslashes adds slashes to characters that are commonly disturbing. mysql_real_escape_string escapes whatever MySQL needs to be escaped. This may be more or less characters than what addslashes takes care of.

Basically, mysqli_real_escape_string is specifically designed to work with the requirements of mysqli, so it's better to use that function. Also, mysqli_real_escape_string will take the charset of the current database connection into consideration.


It's important to understand that there are two parts to processing user-inputted data - validation and sanitisation.

Validation can be described as 'ensuring data meets business requirements' - basically, can the data be used for its intended purpose?
For example, if there is an online shopping form where you have an input to select the quantity of a product to buy, you may have a validation rule such as "the input must be a positive integer (numeric, whole number, greater than 0)"
But if they were to enter "$100.50" that isn't usable at all. Validation is about knowing what sort of data should be entered and rejecting instances where it isn't correct.
For an age field you could validate that it is a non-empty, positive integer with a value of between 0 and 130. And so on.
This type of validation is usually executed client-side (e.g., when you leave a field blank and it says you must enter a value). However, regardless of whether there is client-side validation, there must be server-side validation.

Sanitisation is ensuring that any value you're using will be correctly understood by the target.
If you're running an SQL query, this means you have to use mysqli_real_escape_string on all user-driven values to ensure that none of their input will be mistaken for SQL code.
If you're print output to the page, this means you have to use htmlspecialchars to ensure that none of their input will be mistaken for SQL code.
You should run sanitisation right before the value is used. This means that, for example, you should run htmlspecialchars right before printing to the page, not before inserting it into the database.

I read somewhere that OBB gives you 30 days then reports the vulnerability to Google who pays them between $700 and $1500 for bugs.

I'd be interested to see that if possible. Again, as far as I know, Google has no interaction with OBB; Google runs their own bounty system for Google products and pays researchers via that.

WHY? This is a tiny community calendar that makes no money and costs me a lot of time and I have to pay for the domain and hosting.
These OBB people are making it difficult for me to provide a public resource that benefits a lot of people (not me!).

I'd like to believe that there are good people using the OBB platform to report vulnerabilities in a productive manner. I do not believe that any one individual is representative of the whole, but it is unfortunate that you've had such negative experiences.

I really do need to stress however, that OBB is not responsible for making it difficult to run a website.
Webserver hacking is a serious problem for a few reasons. Data-leaking is a big issue (especially when some specific types of data are lost, as that can have legal ramifications), but hackers routinely use comprised servers to build bot networks and facilitate cybercrimes.
This is why I recommended taking the website offline until it is fixed. If a random individual has noticed a security vulnerability on a site, I guarantee that it was also found by threat actors.
I don't say this to scare you, only to try and highlight the importance of security researchers.

If you need more advice on specific questions or anything like that, feel free to ask. Please include as much code as you can to make it easier to follow.

[kuau]

Dear keyboard: Thank you so much for the detailed answer. I am worried about posting online more code because it could help hackers further exploit my site. Could I email you the code instead? I'm trying to find where I read about the hackers getting paid by google. During that search I found this on the OBB website...

We also remind that the purpose of our project is quality of the submissions, not their quantity. All usage of automated tools will lead to account suspension

You mentioned that Dipu used an automated tool...

the reporter used a tool (scant3r?) to automatedly find the exploit.

Doesn't that mean he is violating the OBB rules and should have his account suspended?

I just found the place I read about Google. I may have misunderstood. I thought it meant Google pays for all bugs submitted to them... there is a typo on their website so I assumed they meant $750 to $1000 but it may have been $7500 to $10,000.

As a matter of example, Google pays from $7,500 to $100 per XSS vulnerability submitted by security researchers. But Google is Google, you may adjust your remuneration range to any amounts comfortable for you.

[keyboard]

I'll send you a private message.