You Gotta Learn From This, Kid

by Buanzo

Around early 2008, I was coding a website using PHP.

When debugging, I came across a username and password I was using for basic HTTP auth, in the PHP_AUTH_USER and PHP_AUTH_PW variables.

That is not the strange part, of course.

But hear this: the username and password, those were for a totally different website.  Different domain altogether.

I was developing on "somesite.com", but those credentials were for "totallysomethingelse.net".

What was going on there?

Why were my username and password being sent to another website?  And how long had this been happening?

I immediately added a couple of lines of code to index.php to email me the contents of those variables anytime they were set for any request.  And forgot about it, until one day I received an email... that included someone else's username and password.
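One way to do that logging step without mailing yourself other people's plaintext passwords, as an added example that is not the author's original index.php code: it flags Basic-auth credentials that arrive at a host not on an allow-list of hosts that actually use Basic auth (nagios.example.net is an assumed placeholder), and records only a masked username and a truncated hash of the password.

```php
<?php
// Added example (not the author's original snippet): detect Basic-auth credentials
// arriving at a site that never asked for them, and log the event without
// storing the plaintext password.

/**
 * Extract Basic-auth credentials from a request's $_SERVER array.
 * Handles PHP's pre-parsed PHP_AUTH_* variables as well as a raw
 * Authorization header (CGI/FastCGI setups). Returns [user, pass] or null.
 */
function extractBasicCredentials(array $server): ?array
{
    if (isset($server['PHP_AUTH_USER'])) {
        return [$server['PHP_AUTH_USER'], $server['PHP_AUTH_PW'] ?? ''];
    }
    $hdr = $server['HTTP_AUTHORIZATION'] ?? $server['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
    if (stripos($hdr, 'Basic ') !== 0) {
        return null;
    }
    $decoded = base64_decode(substr($hdr, 6), true);
    if ($decoded === false || strpos($decoded, ':') === false) {
        return null;
    }
    return explode(':', $decoded, 2);
}

/**
 * Build a log record for credentials sent to a host that does not use Basic auth.
 * $authHosts lists the hostnames where Basic auth is expected (assumed values).
 * The username is masked with '#' and the password replaced by a truncated
 * SHA-256, so repeat leaks of one secret can be correlated without keeping it.
 */
function unexpectedAuthRecord(array $server, array $authHosts): ?string
{
    $creds = extractBasicCredentials($server);
    $host  = strtolower($server['HTTP_HOST'] ?? '');
    if ($creds === null || in_array($host, $authHosts, true)) {
        return null;  // no credentials, or a host that legitimately uses them
    }
    [$user, $pass] = $creds;
    $maskedUser = substr($user, 0, 2) . str_repeat('#', max(strlen($user) - 2, 0));
    $passFp     = substr(hash('sha256', $pass), 0, 12);
    return sprintf('%s unexpected Basic auth host=%s user=%s pass_sha256=%s',
        gmdate('c'), $host, $maskedUser, $passFp);
}

// Constructed sample request: credentials meant for a Nagios host, sent to the dev site.
$sample = ['HTTP_HOST' => 'somesite.com', 'PHP_AUTH_USER' => 'nagiosadmin', 'PHP_AUTH_PW' => 'example-secret'];
echo unexpectedAuthRecord($sample, ['nagios.example.net']) ?? 'nothing unexpected', PHP_EOL;
```

In a real deployment the returned record would go to error_log() or a SIEM rather than stdout, and the Host header should be compared against the server's configured name since a client controls what it sends.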

And that was not the only time it happened.  I got 17 emails between 2008 and 2012, averaging 3.5 emails per year.  Then it stopped.

Of course, I recognized the username and password I mentioned at the beginning: they were my Nagios credentials!  I was using a proxy to access Nagios, and I might have used that same proxy to access the other website I was developing.

I tried searching for credential leakage vulnerabilities in Firefox, and I found bugzilla.mozilla.org/show_bug.cgi?id=664983, but nothing about non-proxied, basic HTTP auth cross-domain leakage.

But, as I got quite a small number of usernames and passwords over a four-year period, it might indeed have been CVE-2011-2990, or an unknown variation.

I got some interesting usernames, and some pretty cool passwords, too.

But I never saved REFERER headers, nor User-Agent strings.  I did not want to know what those usernames and passwords applied to.

But now I remember all about it.  How long was this vulnerability out there?  Did I find it before it was even publicly reported (if it is indeed CVE-2011-2990)?  I'll probably never know.

It is now 2016, and I see no harm in publishing the list of usernames and passwords I got (although I will mask some characters using #, just to be on the safe side).

So, may this story serve as a cautionary tale, kids: if you come across something odd, do your frickin homework!

Cheers!
