lists.openwall.net
Open Source and information security mailing list archives
Date: Thu, 22 Jul 2010 07:13:35 +0530
From: Sandeep Sengupta <sandeep.sengupta@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Two biggest Indian University Websites are vulnerable

This is in reply to all those emails which were sent to me privately. I felt
another full-disclosure is needed to make few things clear. I do not have
time to write back to each one of the critics.

----------- My conversation with SMU (you will enjoy it) ---------------

1. Searched google & found their website. Went to contact us page & found
the phone number of Dean / Director.

2. Called 91-0820-4297000.

3. A lady picks up.
SMU: "Good afternoon, SMU"
Sandeep: "Good afternoon ma'am. I am not a student of SMU. I want to ..."
SMU: "Call the helpdesk" .. *hangs up*

Called 91-0820-4297000 again.
*Rinnnnnnnnnngggg*
SMU: "Good afternoon, SMU"
Sandeep: "Hello, do not hang up please. I want to report a problem about
your site. Your website can be hacked. I am NOT a student. I want to speak
to Dean or System Admin. I mean someone senior."
SMU: *raised voice* "I am just the receptionist. Call the helpdesk"

*transfers line to helpdesk*
*Rinnnnnnnnnngggg*
*Lady picks up*
Helpdesk: "Good afternoon, how can I help you"
Sandeep: "I think I can help you. Your site is prone to hack attack. I want
to talk to someone senior".
Helpdesk: "Sir, I don't think your information is correct"
Sandy: "Grrrrr .. see .. I am not a student of yours. I am a senior security
professional working in this field for many years. If you want the
information, I can explain it to you; if you don't want, that's your choice."
Helpdesk: "You need to speak to the IT dept".
Sandy: "And what's the number?"
Helpdesk: "It is ... ". (I forgot now, wrote it on notepad)
Sandy: "Does this number belong to someone from SMU or is this a 3rd party
outsourcing company contact number?".
Helpdesk: "No, it belongs to SMU own IT dept in Bangalore".
Sandy: "Okay, fine, thanks."

Calls the IT Dept number.
*Rinnnnnnnnnngggg*
*Lady picks up*
IT Dept: "Good afternoon"
Sandy: "Good afternoon. Is this SMU IT Dept?"
IT Dept: "That's right".
Sandy: "Your website is prone to SQL injection attack. I want to talk to
system admin".
IT Dept: "regarding what?"
Sandy: "You have a website at portal.smude.edu.in. Right?"
IT Dept: "Yes".
Sandy: "That can be hacked. If you want to know more about it, please let me
talk to the system admin".
IT Dept: "Please hold".

*A guy answers*
Sys Admin: Hello, this is Sameer.
Sandy: Are you the system admin?
Sys: You may speak to me.
Sandy: Okay. Your website is prone to SQL Injection attack.
Sys: how?
Sandy: Go to portal.smude.edu.in. use any user name, like "sanjay". And then
use a SQL injection code. And you can see.
*silence*
Sandy: You know what is SQL Injection. Right?
Sys: Hmmm
Sandy: Send me your email id. I will send you step by step guidelines. 1000s
of students' confidential information is at stake. You need to act fast.

*took the email id & sent to Dean, Sameer, Controller & all the SMU email
ids I can find*

Effect: Though they may not be that technically sound, they have tried their
bit by adding a new page "indexHomenew.asp", which somehow stopped the SQL
injection reported.

----------- My communication with Calcutta University ---------------

They are the elite university. They at least had the courtesy to send an
acknowledgment after the telecon. Appreciated that. Here is the email they
have sent.

On 7/16/10, changededthis@...univ.ac.in wrote:

Dear Mr. Sandeep

Many thanks for your suggestions.

We are trying to sort out the problem

Regards
Soumitra Sarkar

Effect: The issue has been resolved.

------------------

My message to all the critics: We have the knowledge & alertness to detect a
vulnerability, and a good sense of responsibility to take all the trouble to
get the information to the concerned authorities, and finally getting the
issues resolved. That was followed by a full disclosure, as the list is
meant for that. We didn't do it for any appreciation, though a few of them
would have surely made the team happy :) Sadly, whatever poured in was
criticism. My advice to all the critics is not to waste your time in
dissecting what we have done. Find a vulnerability, report it, get it
resolved & let us know. If you cannot find one, you may be wasting too much
time thinking what others are doing. Amen !!

Warm regards,

Sandeep Sengupta

iSolution Software Systems Pvt. Ltd.
www.isolutionindia.com
Mob: +91 9830310550

India Office:
D-24 Katju Nagar (1st Floor),
Kolkata - 700032

Singapore Office:
17 Phillip Street #06-00
Grand Building, Singapore - 048695

On 7/21/10, samrat ashok <samrat.ashok0wns@...il.com> wrote:
>
> LOL....sorry to say this Sandeep Sengupta (Cyber Security Research
> Analyst). But this is one of the most lame and funny disclosures I have seen
> here on Full Disclosure. You just sound like mustlive. Do you really think
> that admin of these websites even knew about Full Disclosure? I am saying
> this because the storming SQL injection looks more like practicing on
> webgoat. If you can find such thing on a website how can you expect them to
> even know abt FD.
>
> You really tried to make some market for your company but for me it's really
> funny. Peace..
>
> Samrat
