Gift Certificates and More: A complete lack of security

[Security Researcher <sresearcher039 () gmail com>]

Gift Certificates and More is an app local to Gainesville FL (and
surrounding areas).  It is commonly advertised around town and has been
around for many years.  I suspect it's membership is in the thousands.  It
turns out that it was built with a complete lack of concern for basic web
security.  With little effort I discovered:

1. Directory listing is turned on and the application is stored in the
public directory
2. Error reporting is on
3. Prepared queries were not used anywhere.  The application appears to be
wide open to SQL injection
4. The SQL server is listening to connections from anywhere on the internet
5. An FTP server is running
6. SSH is accepting username+password logins
7. No input validation is performed anywhere

In short, it looks like this app made for a college town was made by a
college student with no real world experience securing web applications.
The steps I took were very minimal, as I did not want to perform full
penetration testing without permission from the owner.  I reached out
multiple times to try to provide help on fixing these issues, but was
completely ignored.

Some more details here:

https://medium.com/@sresearcher039/gift-certificates-and-more-a-security-disaster-38f69662d1ae

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/