Wednesday, December 4, 2013

Wearing a White Hat

Earlier this summer I was browsing for some recipes on findusfoodservices.fi with my iPad when I encountered this error:

[Screenshot: front page of findusfoodservices.fi on an iPad]
1st Sin: Site is unusable with iPad
2nd Sin: Site shows user the error-message

A PHP fatal error on a public website - interesting... And the path to the file that raised the error looks a lot like the public web root... I had to check it out.

Typing the PHP file's path into the URL bar shows a white page - not a 404 or 403 but a plain 200 page. Something just got executed, but it did not output anything. The next logical step was to check what the folder looked like. And sure enough, Apache told me that - including its version number and the operating system it was running on. A black-hatted person could use that information.

3rd Sin: file structure of site is browsable
4th Sin: Apache reveals quite vital information about the environment

When I had browsed through the public folders under findusfoodservices.fi/plugins/mobile, I decided to "misuse the robots.txt", as my co-worker put it.

Now we were talking - by telling the robots where not to look, they were telling me exactly where to look.

Only a few folders were interesting. /administration told me that this was a Joomla site (and apparently they do their security quite well). By "randomly" trying I found out that they had phpMyAdmin running at /phpmyadmin - and that is not good.

5th Sin: phpMyAdmin on production server

But the best (worst) was still to come. There was a folder /tmp...

[Screenshot: contents of /tmp]

What are these, I wonder? Well, let's find out. It turns out they contained user information - some sort of database dumps, maybe. Those files - in a public folder on a public site - contained names, titles, phone numbers, addresses and emails. Not that many, but still 399 unique entries. That's a no-no.

6th Sin: Confidential data publicly available

What an opportunity that information would be for social engineering! Not just against findusfoodservices.fi but against who knows how many other systems. As we all know, people tend to use the same passwords at multiple services.
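A hardening configuration that closes the sins listed above (PHP errors on screen, directory listing, the Apache version banner, phpMyAdmin and /tmp reachable from the web), written as an added example for this post; it is not configuration from findusfoodservices.fi or from Joomla, and the document root, the admin subnet and the log path are assumptions. Each weak setting implied by the findings is shown commented out next to its hardened replacement (Apache 2.4 syntax, mod_php).

```apache
# 4th Sin: stop advertising the Apache version and OS in headers and
# error pages.
# ServerTokens Full
# ServerSignature On
ServerTokens Prod
ServerSignature Off

<VirtualHost *:80>
    # Assumed document root; adjust to the real one.
    DocumentRoot /var/www/html

    # 2nd Sin: never render PHP errors to visitors; log them instead.
    # (With php-fpm these go in php.ini or the pool config instead.)
    # php_flag display_errors On
    php_flag display_errors Off
    php_flag log_errors On
    php_value error_log /var/log/php_errors.log   # assumed path

    <Directory /var/www/html>
        # 3rd Sin: "Options Indexes" lets Apache list any folder that
        # has no index file. Remove Indexes so such requests get a 403.
        # Options Indexes FollowSymLinks
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    # 6th Sin: a scratch folder under the web root must not be served
    # at all (better still: keep dumps outside DocumentRoot entirely).
    <Directory /var/www/html/tmp>
        Require all denied
    </Directory>

    # 5th Sin: phpMyAdmin does not belong on a production host. If it
    # must exist, restrict it to the admin network (assumed 10.0.0.0/8)
    # and serve it only over HTTPS with authentication in front.
    <Location /phpmyadmin>
        Require ip 10.0.0.0/8
    </Location>

    # robots.txt is a hint to crawlers, not access control: every path
    # listed there must also be protected by rules like those above.
</VirtualHost>
```

After `apachectl configtest` and a reload, a request for a folder without an index file should return 403 instead of a listing, and the Server header should read just "Apache".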

For a long time I considered whether I should contact Findus or the media about my findings. I decided to throw the ball to them: I emailed all my findings to Findus and gave them a week to fix the issues, or else I would tell the media about them.

And they did fix them. They even sent me an email to thank me.

They've fixed all my findings - well, almost all. I still get the PHP fatal error that led me to these findings when I go to the site with an iPad. I guess I cannot have everything. But still - it feels good to know I have had a small part in making the web a tiny bit safer.

Monday, December 2, 2013

Days Without blogging: 0

My latest project "Days Without" went online more than a month ago.

Update 2013-12-12: Could not resolve the problem, which was somewhat related to the Symfony2 version; rolled back to the MVP version.
Update 2013-12-04: The new version of "Days Without" is currently broken - I'll try to fix it during the weekend.

Days Without is a day counter for ... anything, really. The idea came from the need for a counter for how many days I've been without sweets. But why stop there? I could make counters "on demand" - in fact, anyone could make counters.

The original idea was to have two buttons on the counter, "+1" and "Reset". The plus button would increase the counter by one day and Reset would reset it to zero. After presenting my idea to coworkers I realized that having to push the +1 button every day would be a pain in the ass. Just as easily (if not more easily) I could make the counter "automatic" - so I did.

Minimum Viable Product

I wanted to get Days Without out as fast as possible. So I made a list of what the MVP would be.

  • Counters could be made
  • Counters would count the days since last reset (or creation)
  • Counters could be reset
  • URLs to counters would be human-readable and easy to remember

The next steps would be:

  • Password-protected counters
  • Counter listing (newest, last reset, etc.)
  • List of a user's counters
  • Sharing to Facebook & Twitter
  • Commenting on reset
  • Reset history of counter (date, day-count, comment ...)

The MVP is done; password-protected counters almost are. The app is still quite fresh and might (probably will) lose its data at some point. Do not be surprised if that happens.

The code can be downloaded from, and contributed to, GitHub, and the site is live at Feikki.fi/dayswithout

All feedback is more than welcome. Comment below or tweet me @JSomerstone #DaysWithout

Coming up next: "Wearing a White hat"