
“During the investigation we noticed that you placed a shell into our web root” - dogecoinbase
https://hackerone.com/reports/136169
======
benmcnelly
His argument makes sense to me as to why that was needed; however, if they want
to take that stance, that's understandable, as is people being less likely to
run things down for them.

~~~
detaro
If a shell was necessary, a better-secured one (e.g. requiring a signed
command) would have been a good approach.

~~~
duskwuff
Yes. The Uber representative implied that a secure web shell would have been,
at the very least, less objectionable:

> we noticed that you placed an _unauthenticated_ web shell into our web root

(emphasis mine)

That being said, I imagine a phpinfo(); or passthru("whoami"); would have been
preferred.

~~~
i336_
An earlier comment said "Although the system() PHP function didn't directly
work..." so it would probably have been phpinfo().

Authenticating something like this is an interesting question though. Maybe
make the php script filename a sha256, then make the query string another
sha256, and possibly add a few more sha256 query keys that have to match more
sha256 strings. Or maybe that's overkill. (I keep wondering about
cryptographic cipher-based solutions...)

As an aside, an attacker would have needed to know about the name `bugb.php`,
which isn't an intuitive or easily guessable filename IMO, so there was a
reasonable level of security-by-obscurity.

~~~
iamjason89
Since system() PHP function didn't directly work, do you think he would have
been able to gain full access as he suggested?

~~~
i336_
It would probably have required a bit of thought, but PHP can access
databases, (presumably) alter files, and the like; so while full UNIX shell
access might not have been possible, practically speaking PHP could have done
a lot of damage on its own.

------
chillacy
Wow, am I correct in reading that Uber just paid out 10k for a OneLogin
WordPress plugin bug? Who said open source was free...

~~~
i336_
Step 1: go to homepage

Step 2: browse

Step 3: profit, literally

I'm considering looking around at bug bounties... I know nada about security,
but who knows, maybe I'll stumble on something.

~~~
anentropic
Yeah, anyone offering bug bounties and also running WordPress must be offering
easy money...

------
therealidiot
Sniffs (faked) user-agent and won't even show me the page.

