lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CAC5+A5e6r9sqNPPFQ3_PxwZd1M1KWnmxs25dKDA4zzXFi=bB5g@mail.gmail.com>
Date: Mon, 21 Oct 2019 07:44:00 -0400
From: Security Researcher <sresearcher039@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Gift Certificates and More: A complete lack of security

Gift Certificates and More is an app local to Gainesville FL (and
surrounding areas).  It is commonly advertised around town and has been
around for many years.  I suspect it's membership is in the thousands.  It
turns out that it was built with a complete lack of concern for basic web
security.  With little effort I discovered:

1. Directory listing is turned on and the application is stored in the
public directory
2. Error reporting is on
3. Prepared queries were not used anywhere.  The application appears to be
wide open to SQL injection
4. The SQL server is listening to connections from anywhere on the internet
5. An FTP server is running
6. SSH is accepting username+password logins
7. No input validation is performed anywhere

In short, it looks like this app made for a college town was made by a
college student with no real world experience securing web applications.
The steps I took were very minimal, as I did not want to perform full
penetration testing without permission from the owner.  I reached out
multiple times to try to provide help on fixing these issues, but was
completely ignored.

Some more details here:

https://medium.com/@sresearcher039/gift-certificates-and-more-a-security-disaster-38f69662d1ae

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ