Alpha-Fox Security Disclosure Report 2025.03.08

Posted by Ash Qin on 08 March 2025, 3:26:05 pm

Executive Summary

What Was the Issue?

Two major security weaknesses were found in the system:

  • Unauthorized Stargate Deletion
    • An API key was inadvertently exposed because old PHP files (renamed with the .old extension, such as stargate.php.old) were left in a publicly indexable directory, allowing unauthorized parties to view their contents.
  • Database Weakness (SQL Injection)
    • Old coding practices left the system open to a type of attack called SQL injection. This could have let attackers break into the database, giving them the ability to see, change, or delete sensitive information.

These issues were discovered by an external researcher named Coyote Enthusiast, who alerted Alpha-Fox to the risks.

What Could Have Happened?

If these weaknesses had been exploited by attackers, the consequences could have been serious:

  • Service Disruption: Deleting users’ Stargates would have interrupted the network’s normal operation, frustrating users and damaging trust in the platform.
  • Data Exposure: An SQL injection attack could have exposed private user information or allowed attackers to tamper with critical data, putting user privacy and system reliability at risk.

How Was It Addressed?

Alpha-Fox acted quickly to protect the system and fix the problems:

  • Immediate Steps:
    • They restricted access to the exposed key by limiting it to trusted sources (IP-based blocking).
    • They added a protective layer (a Web Application Firewall) to block common attack attempts while working on permanent solutions.
  • Permanent Fixes:
    • The old, insecure code was updated to use safer methods for managing the database, closing the door on SQL injection risks.
    • All potentially exposed access keys were replaced with new ones, ensuring no one could misuse the old ones.

Was Any Data Compromised?

After investigating logs and checking the system, Alpha-Fox found no evidence that these weaknesses were exploited before they were fixed. This means no user data was lost or stolen, and the system remained intact.

Detailed report

Affected Systems and Components

  1. Application Server

    • Receives commands from both the Alpha-Fox website and Stargates within Second Life.
  2. Alteran Stargate Network

    • Utilizes a VI API key for managing Stargates.
    • The API key was inadvertently leaked due to .old file variants (e.g., stargate.php.old) stored in an indexable path.
  3. Database Layer

    • Legacy scripts relied on addslashes for SQL queries, leading to potential SQL injection vulnerabilities.
    • A compromise could grant attackers full read and write privileges on the database.
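The leak described above came from renamed source files sitting where the web server would serve them as plain text. The script below is an added example (not Alpha-Fox's code) of the routine check a deployer can run against a document root: it lists files whose names carry a leftover suffix and singles out the ones that also look like they contain a hard-coded credential. The suffix list beyond `.old`, the credential regex, the directory layout and the file contents are all constructed for the example.

```python
import os
import re
import tempfile

# Suffixes that commonly mark editor or deployment leftovers. The incident on
# this page involved ".old"; the others are common analogues (assumption).
LEFTOVER_SUFFIXES = (".old", ".bak", ".orig", ".save", ".swp", "~")

# Heuristic for "looks like a hard-coded credential" (assumption, not a format
# the project uses): a name like api_key/secret/password/token assigned a
# quoted literal of at least eight characters.
SECRET_PATTERN = re.compile(
    r"""(?i)(api[_-]?key|secret|password|token)\s*[=:]\s*['"][^'"]{8,}['"]"""
)


def find_leftover_files(docroot):
    """Return paths (relative to docroot) whose name ends in a leftover suffix."""
    hits = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.endswith(LEFTOVER_SUFFIXES):
                hits.append(os.path.relpath(os.path.join(dirpath, name), docroot))
    return sorted(hits)


def contains_secret_like(path):
    """True if the file holds something resembling a hard-coded credential."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            return SECRET_PATTERN.search(fh.read()) is not None
    except OSError:
        return False


def audit_docroot(docroot):
    """Classify leftovers. A server that only hands .php to the interpreter
    serves stargate.php.old as plain text, so every leftover is a source
    disclosure; the ones that also carry a credential are the urgent rotations."""
    report = {"leftovers": [], "with_secrets": []}
    for rel in find_leftover_files(docroot):
        report["leftovers"].append(rel)
        if contains_secret_like(os.path.join(docroot, rel)):
            report["with_secrets"].append(rel)
    return report


def build_sample_docroot():
    """Constructed docroot for a stand-alone run; not the project's real tree."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "api"))
    files = {
        "api/stargate.php": "<?php require 'config.php'; // current code, key not inline\n",
        "api/stargate.php.old": "<?php $vi_api_key = 'EXAMPLE-KEY-NOT-REAL-0001';\n",
        "api/gate.php~": "<?php echo 'editor backup, nothing secret';\n",
        "index.php": "<?php echo 'hello';\n",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    print(audit_docroot(build_sample_docroot()))
```

The scan is a detective control; the durable fixes are the ones the report lists (rotate the key) plus keeping backups outside the document root and having the web server refuse these suffixes outright, so that a future rename cannot recreate the exposure.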

Summary of Findings

  1. Unauthorized Stargate Deletion

    • Attackers could not craft special HTTP requests to delete other users' Stargates via the application server.
    • Attackers could use the VI system to command Stargates to be deleted.
  2. VI API Key Leakage

    • The VI API key was available in deprecated .old file references, which were publicly accessible.
    • Once discovered, IP-based rules were quickly enforced on these endpoints as an interim solution.
  3. SQL Injection Vulnerabilities

    • Due to addslashes usage instead of more secure SQL methods (parameterized queries, prepared statements, robust sanitization), attackers could potentially gain complete database access.
    • No evidence of prior successful exploitation was found; however, risk was deemed high.
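To make the addslashes finding concrete, here is an added example (not the leaked script and not Alpha-Fox's refactored code) showing the legacy pattern beside its parameterized replacement. It uses Python with an in-memory SQLite table standing in for the real database, a Python rendering of PHP's addslashes(), and a constructed stargates table; the column names and rows are assumptions. The point it demonstrates is the one the finding makes: addslashes() only escapes quote characters, so when the value is compared as a number and the query carries no quotes, nothing is escaped and the input is parsed as SQL, whereas a bound parameter is delivered to the engine as data regardless of its content.

```python
import sqlite3


def addslashes(value):
    """Python rendering of PHP's addslashes(): backslash-escape ', ", \\ and NUL.
    It exists to build quoted string literals; in an unquoted position it
    changes nothing."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


def setup_db():
    """Constructed in-memory table standing in for the real one (assumption)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stargates (id INTEGER PRIMARY KEY, owner_id INTEGER, name TEXT)"
    )
    conn.executemany("INSERT INTO stargates VALUES (?, ?, ?)",
                     [(1, 1, "Abydos"), (2, 2, "Atlantis"), (3, 3, "Dakara")])
    return conn


def legacy_list_stargates(conn, owner_id):
    """Legacy pattern: escape, then paste into the query text. owner_id is a
    number, so there are no quotes for addslashes() to protect and whatever
    the caller sends becomes part of the statement."""
    sql = "SELECT id, name FROM stargates WHERE owner_id = " + addslashes(owner_id)
    return conn.execute(sql).fetchall()


def list_stargates(conn, owner_id):
    """Hardened form: validate the type, then bind the value as a parameter.
    The engine receives the statement shape and the value separately, so the
    value cannot alter the statement's structure."""
    if not isinstance(owner_id, int):
        if not (isinstance(owner_id, str) and owner_id.isdigit()):
            raise ValueError("owner_id must be an integer")
        owner_id = int(owner_id)
    return conn.execute(
        "SELECT id, name FROM stargates WHERE owner_id = ?", (owner_id,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print(legacy_list_stargates(db, "2"))         # only owner 2's row
    print(legacy_list_stargates(db, "2 OR 1=1"))  # every row: escaping did not help
    print(list_stargates(db, "2"))                # only owner 2's row
    try:
        list_stargates(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

Type validation before binding is what turns a near miss into a refusal: with binding alone the non-numeric string would simply match no row, which is safe but silent; rejecting it up front also gives the logging layer something to record.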

SQL Injection Related CVSS 3.1 Severity Details

  • CVSS Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C

    • Attack Vector (AV): Network
    • Attack Complexity (AC): High
    • Privileges Required (PR): None
    • User Interaction (UI): None
    • Scope (S): Unchanged
    • Confidentiality (C): High
    • Integrity (I): High
    • Availability (A): High
    • Exploit Code Maturity (E): Unproven
    • Remediation Level (RL): Official fix
    • Report Confidence (RC): Confirmed
  • CVSS Base Score: 8.1

  • Impact Subscore: 5.9

  • Exploitability Subscore: 2.2

  • CVSS Temporal Score: 7.3

  • Overall CVSS Score: 7.3

These scores reflect a high severity level, emphasizing the importance of timely remediation to mitigate potential risks.

Detailed Timeline

  • 2024.07.03

    • Discovery: Coyote Enthusiast contacts Alpha-Fox about a potential HTTP-based attack vector for deleting Stargates.
    • Key Leak: Coyote Enthusiast also discovered that .old file extensions (e.g., stargate.php.old) had been publicly indexed, revealing the VI API key in the source code.
    • Proof of Concept: Coyote Enthusiast provided a high-level proof of concept showing what could have potentially been a Stargate deletion method.
  • 2024.07.07

    • Enhanced Logging: Alpha-Fox deploys comprehensive logging to track any unusual Stargate deletion activity.
  • 2024.07.08

    • IP-Based Blocking: Implemented specifically on the exposed API key endpoints, limiting unauthorized access until a long-term fix could be put in place.
  • 2024.09.01

    • Legacy Script Examination: After reviewing the leaked script, Alpha-Fox found it dated back to 2013 and had been renamed with a .old extension sometime between 2013 and 2019, leaving it accessible in a public directory. The script used addslashes instead of secure variants or prepared statements, leading to several valid SQL injection exploits. It was confirmed that some of these insecure SQL methods still existed in the current code base.
  • 2024.09.08

    • WAF Deployment: A Web Application Firewall (WAF) is introduced to detect and block common SQL injection payloads as an interim protective measure.
  • 2024.10.27

    • Exploitation Analysis: Review of historical logs together with database integrity checks finds no evidence of prior malicious exploitation.
  • 2025.01.01

    • Secure Code Action Plan: Alpha-Fox begins a systematic review of all legacy queries, replacing insecure SQL methods with more robust, secure alternatives.
  • 2025.03.05

    • Remediation Deployed: Code refactoring is completed, with every SQL-related addslashes call replaced by parameterized statements or other secure methods. This update is released to production.
  • 2025.03.07

    • API Key Rotation: All existing API keys, including those potentially exposed, are revoked and replaced.
    • Verification: Testing confirms that a malicious actor can no longer delete Stargates outside the authorized AFVI interface.

Impact

  • Data Integrity

    • Attackers could delete Stargates and modify critical data, eroding user trust.
  • Data Confidentiality

    • SQL injection attacks might grant full database access, risking exposure of sensitive information.
  • Service Availability

    • Malicious deletions or data corruption could severely disrupt platform operations, impacting user confidence.

Remediation Actions

  1. Enhanced Logging & Monitoring

    • Stargate deletion requests are fully logged, allowing auditing to detect suspicious activity quickly.
  2. IP-Based Blocking

    • Specific to exposed API keys, restricting access to internal Alpha-Fox IPs as an interim measure.
  3. Web Application Firewall (WAF)

    • Deployed as a temporary safeguard to protect against common injection payloads and other malicious traffic.
  4. Refactoring with More Secure SQL Methods

    • Systematically replaced addslashes with parameterized queries, prepared statements, and/or robust sanitization to mitigate injection risks.
  5. API Key Management

    • All leaked or potentially compromised keys have been rotated and replaced.
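Remediation items 1 and 2 (full logging of deletion requests and an IP allowlist on the key-bearing endpoints) come together in the kind of audit an incident reviewer runs over those logs. The script below is an added example, not Alpha-Fox's tooling: it assumes a constructed key=value log line format, uses the documentation range 198.51.100.0/24 as a stand-in for the internal Alpha-Fox addresses, and embeds a handful of constructed log lines. It answers the two questions the report's exploitation analysis had to answer: did any deletion request come from outside the trusted addresses, and did any such request succeed?

```python
import ipaddress
import re
from collections import Counter

# Constructed log format for this example (assumption; not the project's real
# schema): one key=value line per API request.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) key=(?P<key>\S+) action=(?P<action>\S+) "
    r"gate=(?P<gate>\S+) result=(?P<result>\S+)$"
)

# Trusted sources for the key-bearing endpoints. 198.51.100.0/24 is a
# documentation range standing in for Alpha-Fox's internal addresses (assumption).
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log; the key id and gate numbers are placeholders.
SAMPLE_LOG = """\
2024-07-08T10:15:02Z src=198.51.100.12 key=afvi-key-01 action=delete_stargate gate=4417 result=ok
2024-07-08T10:16:40Z src=203.0.113.7 key=afvi-key-01 action=delete_stargate gate=4418 result=ok
2024-07-08T10:16:41Z src=203.0.113.7 key=afvi-key-01 action=delete_stargate gate=4419 result=ok
2024-07-08T10:17:05Z src=198.51.100.12 key=afvi-key-01 action=list_stargates gate=- result=ok
2024-07-08T10:18:30Z src=203.0.113.7 key=afvi-key-01 action=delete_stargate gate=4420 result=denied
garbage line that does not parse
"""


def is_trusted_source(ip_text):
    """The interim IP-based rule: allow only addresses inside TRUSTED_NETWORKS.
    Unparseable input is treated as untrusted rather than raising."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETWORKS)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit_deletions(text):
    """Flag deletion requests from untrusted sources, separate the ones that
    succeeded from the ones the allowlist already denied, and count them per
    source address and per key so a leaked key shows up as a cluster."""
    deletions = [e for e in parse_log(text) if e["action"] == "delete_stargate"]
    untrusted = [e for e in deletions if not is_trusted_source(e["src"])]
    return {
        "total_deletions": len(deletions),
        "untrusted": untrusted,
        "untrusted_succeeded": [e["gate"] for e in untrusted if e["result"] == "ok"],
        "per_source": Counter(e["src"] for e in untrusted),
        "per_key": Counter(e["key"] for e in untrusted),
    }


if __name__ == "__main__":
    report = audit_deletions(SAMPLE_LOG)
    print(report["total_deletions"], "deletions,", len(report["untrusted"]),
          "from untrusted sources")
    print("succeeded from untrusted sources:", report["untrusted_succeeded"])
    print("per key:", dict(report["per_key"]))
```

In the constructed sample the two successful deletions from 203.0.113.7 precede the denied one, which is exactly the shape a reviewer looks for: requests that slipped through before the IP rule took effect. Counting per key also tells you which credential to rotate first when several are in circulation.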

Summary

Through a combination of interim measures (IP-based blocking and Web Application Firewall deployment) and permanent fixes (API key rotation and code refactoring), Alpha-Fox has fully addressed the high-severity risks associated with unauthorized Stargate deletion and SQL injection. While no evidence of prior successful exploitation was found, the system is now secure against these specific threats and more resilient overall.
