Front page of findusfoodservices.fi with iPad |
1st Sin: Site is unusable with iPad
2nd Sin: Site shows user the error-message
2nd Sin: Site shows user the error-message
A PHP-fatal error on public website - interesting... And that path to file originating the error looks a lot like public web-root... Had to check it out.
Typing the php-files path to url shows white page - not a 404 or 403 but plain 200-page. Something just got executed but it did not output anything. Next logical step was to check what the folder looked like. And sure enough Apache told me that - including it's version number and operating system it was running on - a black hatted person could use that information.
3rd Sin: file structure of site is browsable
4th Sin: Apache reveals quite vital information about the environment
When I had browsed trough the public folders that were under findusfoodservices.fi/plugins/mobile I decided to "misuse the robots.txt" as my co-worker put it.
Now we where talking - by telling the robots where not to look they were telling me exactly where to look.
Only a few folders were interesting, /administration told me that this was a Joomla-site (and apparently they do their security quite well). By "randomly" trying I found out that they had PHPMyAdmin running at /phpmyadmin - and that is not good.
5th sin: PHPMyAdmin on production server
But the best (worst) is still coming. There were folder /tmp...
Content of /tmp |
What are these I wonder? Well, let's find out. And it turns out they had user information on them - some sort of database dumps maybe. Those files - on public folder on public site - contained names, titles, phonenumbers, addresses and emails. Not that many, but still 399 unique entries. That's a no-no.
6th Sin: Confidential data publicly available
What an opportunity those information would be for social engineering! Not just for findusfoodservices.fi but for who knows how many other systems. As we all know people tend to use same passwords at multiple services.
For long I considered if I should contact Findus or the media about my findings. I decided to throw the ball to them. I emailed all my findings to Findus and gave them a week to fix the issues or else I would tell the media about them.
And they did fix them. They even sent me an email to thank me.
They've fixed all my findings - well almost all. I still get the PHP-fatal that led me to these findings when I go to the site with iPad. I guess I cannot have everything. But still - it feels good to know I have had small part in making web tiny bit safer.