Friday, June 6. 2008
Malaysia Prime Minister's Office Still Vulnerable to RFI

Comments
You'd better do some research before posting something. This is not even remote include, and you can't say an attacker can possibly execute Lotus Notes commands with this problem. The url parameter is used to generate the iframe src in the HTML file.
Please don't make everybody laugh at you because of this kind of mistake.
Hi anonymous,
I understand the problem - the URL parameter is used to generate the iframe, and it is difficult, if not impossible, to execute commands. However, I know quite a few people who've been trying to, so there may be a possibility. By the way - I'm not the kind who cares too much about what others say about me.
Good news, the pmo.gov.my web team has been fixing the problem.
Now they have at least 2 rules to check the 'url' parameter: (1) it must have the prefix 'http://www.pmo.gov.my'; (2) it must not contain the '@' character. But I'm not sure it's a good solution, since (1) is wrong, and (2) may block any of PMO's own valid URLs that contain the '@' character, e.g.: http://www.pmo.gov.my/website/webdbase.nsf/w_4?readForm&url=http://guest@www.pmo.gov.my
FYI, they still forget to escape the url string before adding it into the page. So the same problem persists, e.g.: http://www.pmo.gov.my/website/webdbase.nsf/w_4?readForm&url=http://www.pmo.gov.my%22%20width=0%20height=0%3E%3C/iframe%3E%3Ciframe%20src=%22http://google.com%22
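The fix the comment above describes, written out as an added example (this is not code from the comment, from the blog, or from the pmo.gov.my site): a parse-based host allowlist instead of the string-prefix rule, no blanket ban on '@', and attribute escaping for the value that ends up in the iframe. The allowed-host set, the function names and the sample query strings are assumptions made for the example; the one payload string is the URL-encoded value quoted in the comment above.

```python
# Added example (not the comment's or the site's code): validate an iframe
# target by parsing it rather than by string prefix, then escape it for the
# HTML attribute it is written into.
import html
from urllib.parse import urlsplit, parse_qs

# Hosts the 'url' parameter may point at (assumed policy for this example).
ALLOWED_HOSTS = {"www.pmo.gov.my"}


def naive_prefix_check(url):
    """Rule (1) from the comment: accept anything starting with the site prefix.
    The prefix says nothing about where the host component actually ends."""
    return url.startswith("http://www.pmo.gov.my")


def is_allowed_url(url):
    """Parse the URL and compare its host component exactly against the allowlist."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname is lower-cased and excludes any user:pass@ prefix and the port,
    # so a valid URL that happens to contain '@' is not rejected for the character.
    if parts.hostname not in ALLOWED_HOSTS:
        return False
    return port in (None, 80, 443)


def render_iframe(query_string):
    """Build the iframe the page generates from the 'url' query parameter.

    Returns None when the target is not allowed. When it is allowed, the value
    is still escaped for the attribute context, so a quote or '>' inside an
    otherwise-valid URL cannot close the attribute or the tag.
    """
    params = parse_qs(query_string)          # URL-decodes the values
    url = params.get("url", [""])[0]
    if not is_allowed_url(url):
        return None
    return '<iframe src="%s"></iframe>' % html.escape(url, quote=True)


if __name__ == "__main__":
    # Constructed query strings: a plain PMO URL, the '@' URL from the comment,
    # a look-alike host that passes the prefix check, and the comment's payload.
    samples = [
        "readForm&url=http://www.pmo.gov.my/",
        "readForm&url=http://guest@www.pmo.gov.my",
        "readForm&url=http://www.pmo.gov.my.example/",
        "readForm&url=http://www.pmo.gov.my%22%20width=0%20height=0%3E"
        "%3C/iframe%3E%3Ciframe%20src=%22http://google.com%22",
    ]
    for qs in samples:
        print(repr(qs))
        print("  prefix check:", naive_prefix_check(parse_qs(qs)["url"][0]))
        print("  rendered    :", render_iframe(qs))
```

The look-alike host shows why rule (1) is wrong: the prefix check accepts it while the parsed hostname does not match. The payload from the comment is rejected because its hostname is no longer `www.pmo.gov.my` once the URL is parsed, and even a URL on the allowed host that contains a quote or angle bracket in its query string is written out as `&quot;`, `&lt;` and `&gt;` rather than as markup.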
Yeah dude... try this one:
http://www.pmo.gov.my/website/webdbase.nsf/w_4?readForm&url=http%3A%2F%2Fwww.pmo.gov.my%22%20width=0%20height=0%3E%3Ciframe%3E%3Ciframe%20src=%22http://kickdefella.files.wordpress.com/2007/02/dollah-guilty-copy.jpg%22
As the PMO website is already "hacked" (really???), I heard a rumour that the PM (or PMO, I guess) appointed an IT security consultant to audit their network and IT facilities to find out who used the facilities to spread government information and spy on them during the election.
The audit started a few weeks ago and is still in progress.
Looks like the PMO web team is making progress. Do they read security.org.my?
They have got rid of the 'url' parameter in the query string (finally) and replaced it with a 'pid' parameter: http://www.pmo.gov.my/website/webdbase.nsf/w_4matrik?openForm&pid=8EC2