Full Disclosure mailing list archives
Re: Two biggest Indian University Websites are vulnerable
From: Sandeep Sengupta <sandeep.sengupta () gmail com>
Date: Thu, 22 Jul 2010 07:13:35 +0530
This is in reply to all those emails which were sent to me privately. I felt another full disclosure is needed to make a few things clear. I do not have time to write back to each one of the critics.

----------- My conversation with SMU (you will enjoy it) ---------------

1. Searched Google & found their website. Went to the Contact Us page & found the phone number of the Dean / Director.
2. Called 91-0820-4297000.
3. A lady picks up.

SMU: "Good afternoon, SMU"
Sandeep: "Good afternoon ma'am. I am not a student of SMU. I want to ..."
SMU: "Call the helpdesk" .. *hangs up*

Called 91-0820-4297000 again.
*Rinnnnnnnnnngggg*
SMU: "Good afternoon, SMU"
Sandeep: "Hello, do not hang up please. I want to report a problem about your site. Your website can be hacked. I am NOT a student. I want to speak to the Dean or System Admin. I mean someone senior."
SMU: *raised voice* "I am just the receptionist. Call the helpdesk"
*transfers line to helpdesk*
*Rinnnnnnnnnngggg*
*Lady picks up*
Helpdesk: "Good afternoon, how can I help you"
Sandeep: "I think I can help you. Your site is prone to hack attack. I want to talk to someone senior."
Helpdesk: "Sir, I don't think your information is correct"
Sandy: "Grrrrr .. see .. I am not a student of yours. I am a senior security professional working in this field for many years. If you want the information, I can explain it to you; if you don't want it, that's your choice."
Helpdesk: "You need to speak to the IT dept".
Sandy: "And what's the number?"
Helpdesk: "It is ... ". (I forgot now, wrote it on notepad)
Sandy: "Does this number belong to someone from SMU or is this a 3rd party outsourcing company contact number?"
Helpdesk: "No, it belongs to SMU's own IT dept in Bangalore".
Sandy: "Okay, fine, thanks."

Calls the IT Dept number.
*Rinnnnnnnnnngggg*
*Lady picks up*
IT Dept: "Good afternoon"
Sandy: "Good afternoon. Is this SMU IT Dept?"
IT Dept: "That's right".
Sandy: "Your website is prone to SQL injection attack. I want to talk to the system admin".
IT Dept: "Regarding what?"
Sandy: "You have a website at portal.smude.edu.in. Right?"
IT Dept: "Yes".
Sandy: "That can be hacked. If you want to know more about it, please let me talk to the system admin".
IT Dept: "Please hold".
*A guy answers*
Sys Admin: Hello, this is Sameer.
Sandy: Are you the system admin?
Sys: You may speak to me.
Sandy: Okay. Your website is prone to SQL injection attack.
Sys: How?
Sandy: Go to portal.smude.edu.in. Use any user name, like "sanjay". And then use a SQL injection code. And you can see.
*silence*
Sandy: You know what SQL injection is. Right?
Sys: Hmmm
Sandy: Send me your email id. I will send you step by step guidelines. 1000s of students' confidential information is at stake. You need to act fast.
*took the email id & sent to the Dean, Sameer, the Controller & all the SMU email ids I could find.

Effect: Though they may not be that technically sound, they have tried their bit by adding a new page "indexHomenew.asp", which somehow stopped the SQL injection reported.

----------- My communication with Calcutta University ---------------

They are the elite university. They at least had the courtesy to send an acknowledgment after the telecon. Appreciated that. Here is the email they have sent.

On 7/16/10, changededthis () caluniv ac in wrote:
Dear Mr. Sandeep
Many thanks for your suggestions. We are trying to sort out the problem
Regards
Soumitra Sarkar

Effect: The issue has been resolved.

------------------ My message to all the critics:

We have the knowledge & alertness to detect a vulnerability, and a good sense of responsibility to take all the trouble to get the information to the concerned authorities, and finally get the issues resolved. That was followed by a full disclosure, as the list is meant for that. We didn't do it for any appreciation, though a few of them would have surely made the team happy :) Sadly, whatever poured in was criticism.

My advice to all the critics is not to waste your time in dissecting what we have done. Find a vulnerability, report it, get it resolved & let us know. If you cannot find one, you may be wasting too much time thinking about what others are doing. Amen !!

Warm regards,
Sandeep Sengupta
iSolution Software Systems Pvt. Ltd.
www.isolutionindia.com
Mob: +91 9830310550
India Office: D-24 Katju Nagar (1st Floor), Kolkata - 700032
Singapore Office: 17 Phillip Street #06-00 Grand Building, Singapore - 048695

On 7/21/10, samrat ashok <samrat.ashok0wns () gmail com> wrote:
LOL.... sorry to say this Sandeep Sengupta (Cyber Security Research Analyst), but this is one of the most lame and funny disclosures I have seen here on Full Disclosure. You just sound like mustlive. Do you really think that the admins of these websites even knew about Full Disclosure? I am saying this because the storming SQL injection looks more like practicing on WebGoat. If you can find such a thing on a website, how can you expect them to even know about FD. You really tried to make some market for your company, but for me it's really funny. Peace.. Samrat
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Two biggest Indian University Websites are vulnerable Sandeep Sengupta (Jul 17)
- Re: Two biggest Indian University Websites are vulnerable Shreyas Zare (Jul 17)
- Re: Two biggest Indian University Websites are vulnerable Benji (Jul 17)
- Re: Two biggest Indian University Websites are vulnerable Sandeep Sengupta (Jul 17)
- Re: Two biggest Indian University Websites are vulnerable Benji (Jul 17)
- Re: Two biggest Indian University Websites are vulnerable Valdis . Kletnieks (Jul 17)
- Re: Two biggest Indian University Websites are vulnerable Jeffrey Walton (Jul 17)
- Re: Two biggest Indian University Websites are vulnerable Sandeep Sengupta (Jul 21)
- Re: Two biggest Indian University Websites are vulnerable Shreyas Zare (Jul 17)