Fun Conference Vulnerability

A story about hacking a security conference and their funny revenge

Not so long ago I submitted a presentation proposal to CONFidence's Call For Papers. CONFidence is one of the best European IT Sec conferences, and I love to attend it because of the very good quality of the presentations and the hackish^H^H atmosphere ;-)

This year I decided to attend actively, as a speaker, with my presentation about pentesting iOS apps using a jailed iDevice. I sent my proposal and, when I received the approval, I visited the conference's website to check whether I was really included in the speakers list (in SecuRing it's common to prank your colleagues, for instance by sending emails from a fake server, haha).

I opened the website and found myself on the list, yay!
[image: conf]

If you are interested in the IT Sec field, a numeric parameter in a URL probably triggers something in your brain. I immediately opened Chrome's dev tools and saw an XHR request to https://eventory.cc.
[image: eventory-xhr]

Hmm, the ID in the XHR's 'Request URL' is the same one we saw earlier in the page URL, so the page takes the value from the fragment and builds the Eventory request from it. Wouldn't it be fun if we could perform a little path traversal there and make the conference site load a speaker of our own?

I registered on Eventory, created a fake conference and made Bob The Builder its main speaker.
[image: eventory]

Next step was to change the URL from

https://confidence.org.pl/bio.html#id=29348

to

https://confidence.org.pl/bio.html#id=../../1883/speakers/29393

The result was, of course:
[image: bob]

Voilà! CTO Bob the Builder included. As you can see in the talks section, the description is carefully encoded, so there was no XSS vulnerability. That makes this post's title rather clickbait, since it's hard to call this path traversal a serious vulnerability: all it lets you do is display an arbitrary Eventory speaker on the conference's site.
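To make the mechanism concrete, here is an added example (not the conference's or Eventory's code) of the client-side bug the post describes and one way to close it. The post only shows that the `id` from the page fragment ends up in the XHR URL and that `../../1883/speakers/29393` reaches another event's speaker, so the endpoint is modelled as `<API_BASE>/<eventId>/speakers/<speakerId>`; the API base path and the conference's own event id are assumptions, the speaker ids are the ones from the post.

```javascript
// Added example, not code from the original post or from Eventory.
// ASSUMED endpoint shape: <API_BASE>/<eventId>/speakers/<speakerId>.
const API_BASE = 'https://eventory.cc/api/events/'; // assumed
const CONF_EVENT_ID = '1234';                        // assumed placeholder

// Extract the `id` value from a location hash such as "#id=29348".
function idFromHash(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  return params.get('id');
}

// Vulnerable: the fragment value is concatenated straight into the path.
// The URL parser normalises "../" segments, so "../../1883/speakers/29393"
// walks out of this conference's event and fetches any speaker on the platform.
function buildSpeakerUrlVulnerable(hash) {
  const id = idFromHash(hash);
  return new URL(`${API_BASE}${CONF_EVENT_ID}/speakers/${id}`).href;
}

// Hardened: accept only a decimal id, then verify that the resolved URL still
// lies under this conference's speakers path. The second check is defence in
// depth: even if the allow-list regex were loosened later, a value that
// escapes the expected prefix is still rejected.
function buildSpeakerUrlSafe(hash) {
  const id = idFromHash(hash);
  if (id === null || !/^\d{1,12}$/.test(id)) {
    return null; // reject rather than fall back to a guessed id
  }
  const expectedPrefix = `${API_BASE}${CONF_EVENT_ID}/speakers/`;
  const url = new URL(id, expectedPrefix);
  if (!url.href.startsWith(expectedPrefix)) {
    return null;
  }
  return url.href;
}

// Stand-alone demo: the traversal payload from the post against both builders.
console.log(buildSpeakerUrlVulnerable('#id=../../1883/speakers/29393'));
console.log(buildSpeakerUrlSafe('#id=../../1883/speakers/29393'));
```

The vulnerable builder turns the payload into a request for event 1883's speaker 29393, which is exactly how Bob ended up on the speakers page; the hardened builder returns `null` for anything that is not a plain numeric id. Note that the fix belongs on the server as well: the browser-side check only protects this page, while Eventory's API is what decides which event a speaker id may be read from.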

The revenge

This 'issue' was reported to CONFidence, they fixed it and the topic was closed... until April Fools' Day! When I woke up, I saw tons of messages like 'LOL, check CONFidence's fanpage!'. And I did, haha.
[image: conf_photo]

If you have seen that post and have been thinking 'funny, but why Bob The Builder?', here is the answer ;-).