| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 21 Oct 2019 07:44:00 -0400 From: Security Researcher <sresearcher039@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Gift Certificates and More: A complete lack of security Gift Certificates and More is an app local to Gainesville FL (and surrounding areas). It is commonly advertised around town and has been around for many years. I suspect it's membership is in the thousands. It turns out that it was built with a complete lack of concern for basic web security. With little effort I discovered: 1. Directory listing is turned on and the application is stored in the public directory 2. Error reporting is on 3. Prepared queries were not used anywhere. The application appears to be wide open to SQL injection 4. The SQL server is listening to connections from anywhere on the internet 5. An FTP server is running 6. SSH is accepting username+password logins 7. No input validation is performed anywhere In short, it looks like this app made for a college town was made by a college student with no real world experience securing web applications. The steps I took were very minimal, as I did not want to perform full penetration testing without permission from the owner. I reached out multiple times to try to provide help on fixing these issues, but was completely ignored. Some more details here: https://medium.com/@sresearcher039/gift-certificates-and-more-a-security-disaster-38f69662d1ae _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists