Researchers Awarded With $20,000 For Finding Zero-Day Flaws In PornHub

Two months ago, PornHub, the world’s most popular pornography site, launched its bug bounty program to encourage hackers and bug bounty hunters to find and responsibly report flaws in its services and get rewarded.

Recently, a team of three researchers, Dario Weißer (@haxonaut), cutz and Ruslan Habalov (@evonide), gained Remote Code Execution (RCE) capability on its servers using a zero-day vulnerability in PHP, the programming language that powers PornHub’s website, and were awarded $20,000 US Dollars. They discovered two use-after-free vulnerabilities (CVE-2016-5771/CVE-2016-5773) that occur when PHP’s garbage collection algorithm interacts with other specific PHP objects.

What Can The PHP Zero-Day Vulnerabilities Do?

The PHP zero-day vulnerabilities affect all PHP versions 5.3 and higher, though the PHP project has fixed the issue. The hack could have allowed the team to drop all PornHub data including user information, track its users and observe behavior, disclose all source code of co-hosted websites, pivot deeper into the network and gain root privileges.

The site uses PHP’s unserialize function to handle data uploaded by users, like hot pictures, on multiple paths, including:

  • http://www.pornhub.com/album_upload/create
  • http://www.pornhub.com/uploading/photo

In addition to this, the researchers were awarded $2,000 US Dollars for the discovery and proper disclosure of the PHP zero-day. Explaining the massive amount of work done, the researchers have penned two incredibly long and highly detailed blog posts about the technicalities of this attack, with a third one announced for this coming week.

 
