| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 17 Jul 2010 12:49:50 +0100 From: Benji <me@...ji.com> To: Shreyas Zare <shreyas@...fence.com> Cc: Sandeep Sengupta <sandeep.sengupta@...il.com>, Full-Disclosure <full-disclosure@...ts.grok.org.uk> Subject: Re: Two biggest Indian University Websites are vulnerable I also like how you credited 2 people for what was effectively Firefox telling you a website was unsafe, and 3 people for a login SQL. On Sat, Jul 17, 2010 at 12:47 PM, Shreyas Zare <shreyas@...fence.com> wrote: > Hi, > > Considering the fact you didn't inform the concern authority at both > the universities (before disclosing publicly), are you not breaking > Indian IT Act by doing such type of public disclosure [1]? IANAL but > if you (someone else on list) have something to say about this point > it would be cool. > > [1] IT Act 2000, Chapter 9, 43 (G) ( > http://www.cybercellmumbai.com/cyber-laws/chapter-9 ) > > Regards > > Shreyas Zare > > Sr. Information Security Researcher > Secfence Technologies > www.secfence.com > > > On Sat, Jul 17, 2010 at 3:01 PM, Sandeep Sengupta > <sandeep.sengupta@...il.com> wrote: >> Topic: >> >> a) Sikkim Manipal University portal is vulnerable to SQL Injection attack. >> b) Calcutta University website is spreading malware via iframe code >> insertion. >> >> Details: >> >> a) About the university: Sikkim Manipal is one of the largest private >> University in India. The Institute attracts students from all over the >> country, with over 1700 students enrolled in the various engineering >> disciplines. 102 full-time faculties are employed. >> >> Type of problem: SQL Injection >> >> Vulnerable Portal: http://portal.smude.edu.in/ >> >> User Name: sanjay >> [any name will work] >> Password: ' OR ''=' >> Choose "Center Login" radio button >> Press SUBMIT. >> >> Screenshot: http://www.isolutionindia.com/isolutionindia/disclosure/SM.JPG >> >> Effect: You have access to the main admin panel. Option to download & print >> ALL student records, contact information, admit cards for upcoming >> examinations, assignments, results, etc. Option to change password. >> >> Credit: Pradip Sharma, Surajit Biswas, Sandeep Sengupta; Cyber Security >> Research Analysts, iSolution Software Systems Pvt. Ltd., >> www.isolutionindia.com >> >> b) Calcutta University is the oldest existing University in Indian >> Subcontinent. Founded 1857, it is ranked 39th in the world. >> >> Vulnerability: The main page is spreading virus. www.caluniv.ac.in >> It has iframe code injection & pulling virus from the Russian site >> pantscow.ru >> Hundreds will be infected while checking for results on the website. >> >> Screenshot: http://www.isolutionindia.com/isolutionindia/disclosure/CU.JPG >> >> Credit: Arnab Kanti Choudhury, Sandeep Sengupta; Cyber Security Research >> Analysts, iSolution Software Systems Pvt. Ltd., www.isolutionindia.com >> >> Disclaimer: The above information has been published with intention that the >> concerned authorities will take notice & amend the bugs. People are >> requested not to use the above information for illegal actions. We take no >> responsibility of the consequences. >> >> Thanks. >> >> Cyber Security Research Team >> iSolution Software Systems Pvt. Ltd. >> www.isolutionindia.com >> Mob: +91 9830310550 >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists