While checking the gym prices at CDUP, my friend Diogo Moura noticed something unusual: a small square on the bottom-left corner that when clicked would display a bar sticking to the bottom of the screen. I didn’t capture a screenshot so I recreated the page in Photoshop:
Diogo is a good guy so he stopped there.
I started investigating that bar and noticed it was the PHP Debug Bar, useful for debugging purposes during development. It contains some tabs with multiple information about everything that happens in the website. One of the features it provides is a list of the latest HTTP requests made by every user on the website:
Obviously, this is a big security issue, since I could trace the actions in the website of whoever I wanted. Some of the entries in that list had the text "/login" in the URL field and "POST" in the method field, meaning that they were related to submissions of the administrator login form. By clicking that entry I was able to see all details of that specific request, including the username and the plaintext password that were sent in the body of the request:
{
"_token":"YVOzlSSYcaEEkPF24AVNke2KsdvEUZedIwNtHyJo",
"username":"Admin",
"password":"XXXXXXXXXXXXXXXX"
}
So I went to the administrator login form and successfully logged in with the credentials I had just stolen. Now I had access to the backoffice of the whole website and I could manage users, edit content, etc.
The issue was reported to CDUP and was fixed quickly by removing the PHP Debug Bar.