Geekzone: technology news, blogs, forums
Tel69
255 posts

Ultimate Geek
+1 received by user: 4

Trusted
Lifetime subscriber

Topic # 129056 2-Sep-2013 16:28

Sorry if there is a convo on this already, but I thought this the best place to post.
So I was reading stuff and came across some business website in Timaru got hacked.
I'm sure we have all seen it, but here it is if you have not

So I decided to take a look at this website when I got home (out of curiosity).
Looks OK for a small business website, but some obvious avenues of infiltration.
The HOME has an edit drop down that takes you to a login page. LOL
Perfect chance for SQL injection there and they are not even hiding the edit function.
There are other possibilities, but that one was funny.

Small company yes, but they learnt the hard way.
I'd say they got pinged because with the US threatening to hit Syria and their company name being Washingtons.

Tel

3229 posts

Uber Geek
+1 received by user: 924

Trusted

  Reply # 888386 2-Sep-2013 16:40


The HOME has an edit drop down that takes you to a login page. LOL
Perfect chance for SQL injection there and they are not even hiding the edit function.


While it's odd having that on the menu, just showing that and having a login page doesn't open you up to SQL injection... SQL injection is where you're running un-sanitized/un-escaped input from the user directly against the database. I can't see any indication of this there.
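The distinction Ragnor draws above, as an added example that is not from this thread or from the site being discussed: a login check that pastes the submitted username into the SQL text, beside the same check written as a parameterized query. The user table, password and test input are all constructed in memory for the demo.

```python
import hashlib
import sqlite3

def make_db():
    # Constructed in-memory user table standing in for a CMS login backend.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("admin", hashlib.sha256(b"correct horse").hexdigest()))
    return db

def login_vulnerable(db, username, password):
    # The username is formatted straight into the SQL text, so whatever the
    # user typed is executed as part of the query: the defect described above.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT 1 FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    return db.execute(sql).fetchone() is not None

def login_safe(db, username, password):
    # Parameterized query: the driver passes the values separately from the
    # SQL text, so a quote inside the username is just a character in a value.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?"
    return db.execute(sql, (username, pw_hash)).fetchone() is not None

def demo():
    # Constructed test input: the trailing "--" turns the rest of the query
    # (the password comparison) into a SQL comment in the string-built version.
    db = make_db()
    injected = "admin' --"
    return {
        "vuln_good": login_vulnerable(db, "admin", "correct horse"),
        "vuln_injected": login_vulnerable(db, injected, "wrong password"),
        "safe_good": login_safe(db, "admin", "correct horse"),
        "safe_injected": login_safe(db, injected, "wrong password"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The only line that differs in behaviour is the query call: the parameterized version fails the injected login and still passes the real one.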



Tel69
255 posts

Ultimate Geek
+1 received by user: 4

Trusted
Lifetime subscriber

  Reply # 888387 2-Sep-2013 16:42

Yes, but it opens up another possibility to inject into the username and password inputs on the form to see if it's possible.
I was just saying it's an attack vector you'd not normally see that easily.



8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 888390 2-Sep-2013 16:50

So a Joomla install where they didn't keep up with security patches.

Probably paid a one off fee for a website development with no ongoing support/maintenance for updates.  



Tel69
255 posts

Ultimate Geek
+1 received by user: 4

Trusted
Lifetime subscriber

  Reply # 888429 2-Sep-2013 17:50

LOL, a reply from the company concerned to my pointing out the edit button.

"Terry
Thanks for your help
I have been unable to get hold of my IT guy all day (wondered if he had been hijacked along with website!)
OMG I had never noticed the edit button
Don't think there's anything that can do any harm but if you can see how they get in would be interested

Thanks
Debbie"

2916 posts

Uber Geek
+1 received by user: 314


  Reply # 888435 2-Sep-2013 18:07

I've seen a few small-town businesses around the country advertising fully usable websites. They DL a Joomla or similar template, customise it for you, set up a domain, slap it on a VM with a quick CMS edit how-to and then charge monthly basic maintenance for it and any support.

Most people are none the wiser that you can do that sort of thing yourself without too much trouble.

Then again, at least they usually keep the versions up to date if they are on their own VM and not just handing off to a US server.

3229 posts

Uber Geek
+1 received by user: 924

Trusted

  Reply # 888436 2-Sep-2013 18:08

I'm really not seeing what the issue is with that edit button other than it looking a bit sloppy.... perhaps you should point out that adding /administrator to their url opens up another "attack vector"?

http://www.washingtons.co.nz/administrator/


Really though, most CMSs will have something like that and if you can guess what the CMS is you can guess the URL even without a link. Most will have options for brute force mitigation and always try to educate users to pick decent passwords. And yeah, keep up on the patches.



Tel69
255 posts

Ultimate Geek
+1 received by user: 4

Trusted
Lifetime subscriber

  Reply # 888461 2-Sep-2013 18:38

Yeah, as I said, a few things interested me as attack vectors.
That was another one (although default, still not on their main page).
I suppose I just don't like buttons saying "edit" on an internet-facing front end.

8027 posts

Uber Geek
+1 received by user: 387

Trusted
Subscriber

  Reply # 889254 3-Sep-2013 21:10

The site is now returning an internal error (http status 500), oh dear.

2080 posts

Uber Geek
+1 received by user: 373

Trusted

  Reply # 889283 3-Sep-2013 21:48

Ragnor: The site is now returning an internal error (http status 500), oh dear.

Geekzone hug of death?

14454 posts

Uber Geek
+1 received by user: 1904


  Reply # 889298 3-Sep-2013 22:18

Oblivian: I've seen a few small-town businesses around the country advertising fully usable websites. They DL a Joomla or similar template, customise it for you, set up a domain, slap it on a VM with a quick CMS edit how-to and then charge monthly basic maintenance for it and any support.

Most people are none the wiser that you can do that sort of thing yourself without too much trouble.

Then again, at least they usually keep the versions up to date if they are on their own VM and not just handing off to a US server.


Actually, unless you know how to do it, it isn't that easy to do, and it is a learning curve. You have to have a fair bit of knowledge to do it, and to sort out any technical issues. One of the problems is that people expect web design for next to nothing these days, and one of the ways is to use a CMS like Joomla, buy a template, customise it, and then insert content etc., to do it as quickly as possible. The thing is they need to keep it all up to date, so these companies should regularly contact their web designers to update the CMS and the template for them, which all takes time and costs money to do. As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.

9 posts

Wannabe Geek


  Reply # 889329 3-Sep-2013 22:44

mattwnz: As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.


The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.

14454 posts

Uber Geek
+1 received by user: 1904


  Reply # 889334 3-Sep-2013 22:51

clanmouse:
mattwnz: As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.


The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.


Not only that, but they then want the web designer to update the content anyway, because they then don't want to be bothered using the CMS, or adding images to the website with it is too hard.



Tel69
255 posts

Ultimate Geek
+1 received by user: 4

Trusted
Lifetime subscriber

  Reply # 889823 4-Sep-2013 17:20

mattwnz:
clanmouse:
mattwnz: As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.


The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.


Not only that, but they then want the web designer to update the content anyway, because they then don't want to be bothered using the CMS, or adding images to the website with it is too hard.


Yup. Seen that a few times. (Or the infamous "show this temp, she/he knows computers".) Then you get called about images or pages not working.
