Full Disclosure mailing list archives
Gift Certificates and More: A complete lack of security
From: Security Researcher <sresearcher039 () gmail com>
Date: Mon, 21 Oct 2019 07:44:00 -0400
Gift Certificates and More is an app local to Gainesville FL (and surrounding areas). It is commonly advertised around town and has been around for many years. I suspect its membership is in the thousands. It turns out that it was built with a complete lack of concern for basic web security. With little effort I discovered:

1. Directory listing is turned on and the application is stored in the public directory
2. Error reporting is on
3. Prepared queries were not used anywhere. The application appears to be wide open to SQL injection
4. The SQL server is listening to connections from anywhere on the internet
5. An FTP server is running
6. SSH is accepting username+password logins
7. No input validation is performed anywhere

In short, it looks like this app made for a college town was made by a college student with no real world experience securing web applications. The steps I took were very minimal, as I did not want to perform full penetration testing without permission from the owner. I reached out multiple times to try to provide help on fixing these issues, but was completely ignored.

Some more details here: https://medium.com/@sresearcher039/gift-certificates-and-more-a-security-disaster-38f69662d1ae
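The post names the weak settings but not how an operator would confirm them. The following is an added example, not the author's or the application's own code: a POSIX sh lint that flags four of the seven findings that are plain configuration settings (directory listing, error display, SSH password logins, database bound to all interfaces) in config text passed as an argument. The sample snippets are constructed and assume Apache, php.ini, sshd_config and MySQL my.cnf formats; the FTP, SQL-injection and input-validation findings need a code review rather than a config check.

```sh
#!/bin/sh
# Added example: each check prints a finding to stderr and returns 1 when the
# weak setting is present in the config text given as $1, and returns 0 when
# it is absent. The sample configs below are constructed for the demo.
APACHE_CONF='<Directory "/var/www/html">
    Options Indexes FollowSymLinks
</Directory>'
PHP_INI='display_errors = On'
SSHD_CONF='PasswordAuthentication yes'
MYSQL_CNF='[mysqld]
bind-address = 0.0.0.0'

check_dir_listing() {   # Apache: "Options Indexes" or "+Indexes" serves file listings
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*Options.*[[:space:]][+]?Indexes([[:space:]]|$)'; then
        echo 'apache: directory listing enabled; set "Options -Indexes"' >&2; return 1
    fi
    return 0
}
check_display_errors() {   # php.ini: display_errors leaks paths and query text to clients
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*display_errors[[:space:]]*=[[:space:]]*(on|1|true|yes)'; then
        echo 'php: display_errors is on; set display_errors = Off and log instead' >&2; return 1
    fi
    return 0
}
check_ssh_password() {   # sshd_config: password logins invite credential guessing
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes'; then
        echo 'sshd: PasswordAuthentication yes; use keys and set it to no' >&2; return 1
    fi
    return 0
}
check_db_bind() {   # my.cnf: a wildcard bind-address exposes the DB to the internet
    if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*bind[-_]address[[:space:]]*=[[:space:]]*(0\.0\.0\.0|\*|::)([[:space:]]|$)'; then
        echo 'mysql: bind-address is a wildcard; bind to 127.0.0.1 or the app host only' >&2; return 1
    fi
    return 0
}

# Run all four checks and print the number of findings (0 means all clean).
count_findings() {   # $1 apache conf  $2 php.ini  $3 sshd_config  $4 my.cnf
    n=0
    check_dir_listing "$1" || n=$((n + 1))
    check_display_errors "$2" || n=$((n + 1))
    check_ssh_password "$3" || n=$((n + 1))
    check_db_bind "$4" || n=$((n + 1))
    echo "$n"
}

# Stand-alone run against the constructed samples: four findings, prints 4.
count_findings "$APACHE_CONF" "$PHP_INI" "$SSHD_CONF" "$MYSQL_CNF"
```

To lint a real host, pass the file contents instead of the samples, e.g. `count_findings "$(cat /etc/apache2/apache2.conf)" "$(cat /etc/php.ini)" "$(cat /etc/ssh/sshd_config)" "$(cat /etc/mysql/my.cnf)"` (paths vary by distribution).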