Tuesday, October 13, 2009
ePerolehan - SQL Injection
Comments
Good step to email the admin..
But then I think if we only email the admin himself and the result is something like this, it might not be the best way. Do send the email to the admin/webmaster/server owner, but also CC the email to their upper levels (manager, head, director or bla bla bla).. Maybe we can also CC MyCERT, CSM, MIMOS, MAMPU and etc..
To be frank, I'm sure some of us out there have tried our best to inform admins about all these security flaws. Even some high-profile sites have serious flaws. But, as the author said in his two-part post (Part 1 here: http://security.org.my/index.php?/archives/Why-lah-.gov.my-always-kena-hack.html), it is a matter of consciousness and awareness of who and what. As simple as that.
If you hire a person who doesn't even have a clue what security is all about, then you are actually inviting those hackers to come and "enjoy your hospitality". Higher level? Only if they have some knowledge and concern, and also don't trust their apps with all their heart and never believe outside "rumours", since they have spent a lot of money on that project. They believe that the script need not be revised as it was surely secure. Sigh, if only we could brainwash them to understand that a web app is also an application and needs to be revised and maintained. Sometimes, I do believe that cuci0tak's way of alerting admins was the only way to make them understand.
I agree with what you said, Anonymous. So, those like you should take this as your ambition: help to fix it. Standing by and just keeping on commenting, for me, is not the solution. You should help, take it as the responsibility for 'security' in Malaysia. Comments and criticism are just wasting time.
As I said before, we have done our part: inform the admin. For myself, I have informed admins, and CC'd upper levels, MIMOS, MyCERT and so on several times already. But now I'm bored. CSM, MyCERT, MIMOS, MAMPU? Not on my list, as they too were very slow in taking action. Too many protocols and bla.. bla.. bla to follow. Maybe what they need is some internal document or confidential information leaking to the outside world to understand that internet and network security is not a matter of bureaucracy but a matter of SECURITY as a whole.
Well... I think we do need to be like cuci0tak to make sure that they understand the full meaning of security.
Agree.. comments and criticism won't bring us anywhere.
The fact is, you can see only a few IT execs in the gov sector really have technical knowledge, especially in IT security. They are just graduates with a degree in comp sc/IT. It's not their fault to be there, but we can't blame SPA for allocating the job either. Have you seen any security experts complaining that they applied for an IT position with SPA but never got the post? For me, none. We all know, if you were good in IT security, there's no way in hell you would join the gov. For sure you'd go to the private sector that might pay you higher. That's the problem. Keeping on blaming those admins (sleeping.. noob.. paid for doing nothing..) won't fix the issues. Do our part, report any flaw in their systems, keep doing the same thing until they so-called wake up. As said in the 1st comment, do let their upper levels know too. I think, to make it "better", if the flaw is in the Ministry of Finance, do tell JPM, MOE, MOH and others too.. haha
A loser won't get anywhere.. only knows how to blame other people without seeing his own mistakes and stupidity. The reality is you will just sit in Malaysia and deserve to be called a "jaguh kampung" (village champion). Oh yes.. working in the private sector is also just earning a salary, isn't it? keep it up man!
No need to tell them lah, use it for your own good only, muhahahahaha. Why?
Our cultural mentality: 1) Ignorance 2) Arrogant stupidity (BODOH SOMBONG) 3) I'm the ultra, super security professional, you're just a n00b... so **** off