Security Sunday Fail Trio: Redsun,EXXTACY & Unnamed Market
March 23, 2014
Are we ever going to have a quiet week? i doubt it. but at least we can thank some of the security guys in Reddit for exposing yet another 3 security hazards in the form of new marketplaces, and this time 3 in one day! (well technically 2 since i kept one of them unnamed since it seem it was not really launched yet, doing the right thing probably)
So here we go:
Red Sun Marketplace:
Problem: SQL injection (among others)
Was located at this address: redsun4lvjrxwwuy.onion
How it ended? Was at least decent enough to take his marketplace down quickly after this.
Original Thread: http://www.reddit.com/r/DarkNetMarkets/comments/214y14/i_made_it_all_pretty_and_stuff/
Exposed by: the_avid (from the epic drugslist lesson , and the cantina fiasco)
hey adminm, ruh roh
look on the bright side, if you ever lose your database you can email me and get a backup.
ps. took minutes. I wouldn’t leave you in charge of watering a plant.
- redsun4lvjrxwwuy.onion/server-status
- redsun4lvjrxwwuy.onion/phpinfo.php
EXXTACY Market:
Located at: j3gwwsnswrg7dtf4.onion – Did not take his marketplace down even tough its pretty clear where this one is heading.
Presenting the craziest password requirements we have ever seen, and noting them as a “security feature”:
|
1 2 3 4 5 6 7 8 9 |
Password must contain at least 2 lowercase characters. Password must contain at least 2 digits. Password must not contain the username. Password must contain at least 2 uppercase characters. Password must not match last 100 passwords. Password may only be changed in 2 hours from the last change. Password must be at least 12 characters in length. Password must contain at least 2 letters. Password must have a minimum of 2 digits in order to place any digits at the start or end of the password. |
While on the other hand used Google to load scripts into the marketplace! Thank to the_avid again, for pointing this out, i was a bit busy and forgot to take a screenshot of this before it was patched (and i mean patched, not fixed):
Even leaving the Generator tag in place:
|
1 |
<meta name="<a>Generator</a>" content="<a>Drupal 7 (http://drupal.org)</a>" /> |
You can read the original thread here: http://www.reddit.com/r/DarkNetMarkets/comments/215161/new_market_exxtacy/
{Unnamed} marketplace:
I will not name this marketplace since it was not made public so far
But it seems that this one was also leaking server info among some other issues that were not specified.
Currently at this address: {Hidden} – This one is still active technically, but we will not post his address here unless he will decide to launch the marketplace before addressing these issues.
Another one of the markets to offer Innovative Security in his front page, just to leak the PHPinfo and some other server details:
Exposed by: {Hidden at this time}
{Screenshot Hidden For Privacy reasons}
We have no idea how this will end up for these markets, but we urge all users to do their research before using any of these markets (or any other market)
One of them was listed in our list of hidden marketplaces but will be removed now
Updated: 2014-03-23