Geekzone: technology news, blogs, forums
Tel69
258 posts

Ultimate Geek

Trusted
Lifetime subscriber

# 129056 2-Sep-2013 16:28

Sorry if there is a convo on this already, but I thought this the best place to post.
So I was reading stuff and came across some business website in Timaru got hacked.
I'm sure we have all seen it, but here it is if you have not

So I decided to take a look at this website when I got home (out of curiosity).
Looks OK for a small business website, but some obvious avenues of infiltration.
The HOME has an edit drop down that takes you to a login page. LOL
Perfect chance for SQL injection there and they are not even hiding the edit function.
There are other possibilities, but that one was funny.

Small company yes, but they learnt the hard way.
I'd say they got pinged because with the US threatening to hit Syria and their company name being Washingtons.

Tel

3321 posts

Uber Geek

Trusted

  # 888386 2-Sep-2013 16:40


Tel69: The HOME has an edit drop down that takes you to a login page. LOL
Perfect chance for SQL injection there and they are not even hiding the edit function.


While it's odd having that on the menu, just showing that and having a login page doesn't open you up to SQL injection... SQL injection is where you're running un-sanitized/un-escaped input from the user directly against the database. I can't see any indication of this there.
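To illustrate the distinction drawn above (a login form is only injectable if the handler builds SQL out of the submitted fields), here is an added example that is not from the thread or from Joomla: a login lookup that concatenates the form fields into the query, beside the parameterised version, run against an in-memory SQLite table constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory user table for the demonstration (no real site's data).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    # The pattern the post describes: user input concatenated straight into SQL,
    # so quote characters in the input become part of the statement.
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterised(db, username, password):
    # Placeholders: the driver passes the values separately from the statement,
    # so whatever the user typed is compared as data and never parsed as SQL.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    # Both versions accept the genuine credentials.
    good = (login_vulnerable(db, "admin", "correct-horse"),
            login_parameterised(db, "admin", "correct-horse"))
    # A username containing a quote and a comment marker: in the concatenated
    # query the rest of the WHERE clause (the password check) is commented out;
    # in the parameterised query it is simply a username that does not exist.
    crafted = "admin' --"
    bad = (login_vulnerable(db, crafted, "wrong"),
           login_parameterised(db, crafted, "wrong"))
    return good, bad
```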



Tel69
258 posts

Ultimate Geek

Trusted
Lifetime subscriber

  # 888387 2-Sep-2013 16:42

Yes, but it opens up another possibility to inject into the username and password inputs on the form to see if it's possible.
I was just saying it's an attack vector you'd not normally see that easily.


8034 posts

Uber Geek

Trusted

  # 888390 2-Sep-2013 16:50

So a Joomla install where they didn't keep up with security patches.

Probably paid a one off fee for a website development with no ongoing support/maintenance for updates.  



Tel69
258 posts

Ultimate Geek

Trusted
Lifetime subscriber

  # 888429 2-Sep-2013 17:50

LOL, a reply from the company concerned to my pointing out the edit button.

"Terry
Thanks for your help
I have been unable to get hold of my IT guy all day (wondered if he had been hijacked along with website!)
OMG I had never noticed the edit button
Don't think there's anything that can do any harm but if you can see how they get in would be interested

Thanks
Debbie"

3363 posts

Uber Geek


  # 888435 2-Sep-2013 18:07

I've seen a few smalltown businesses around the country advertising fully usable websites. They DL a Joomla or similar template, customise it for you, set up a domain, slap it on a VM with a quick CMS edit how-to and then charge monthly basic maintenance for it and any support..

Most people are none the wiser that you can do that sort of thing themselves without too much trouble.

Then again, at least they usually keep the versions up to date if they are on their own VM and not just handing off to a US server

3321 posts

Uber Geek

Trusted

  # 888436 2-Sep-2013 18:08

I'm really not seeing what the issue is with that edit button other than it looking a bit sloppy.... perhaps you should point out that adding /administrator to their url opens up another "attack vector"?

http://www.washingtons.co.nz/administrator/


Really though, most CMSs will have something like that and if you can guess what the CMS is you can guess the URL even without a link. Most will have options for brute force mitigation and always try to educate users to pick decent passwords. And yeah, keep up on the patches.
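The post above notes that the CMS admin path is guessable and that brute-force mitigation is the real defence. As an added example (not code from the thread or from Joomla), here is a small detector that counts POSTs to the /administrator/ login path per client address over constructed Apache-style log lines and flags addresses that exceed a threshold; the addresses, timestamps and status codes are made up for the demo.

```python
import re
from collections import Counter

# Constructed log lines (not from any real site): one address hammering the
# Joomla administrator login, plus ordinary traffic from another address.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Sep/2013:18:08:01 +1200] "POST /administrator/index.php HTTP/1.1" 303 -
203.0.113.7 - - [02/Sep/2013:18:08:02 +1200] "POST /administrator/index.php HTTP/1.1" 303 -
203.0.113.7 - - [02/Sep/2013:18:08:03 +1200] "POST /administrator/index.php HTTP/1.1" 303 -
203.0.113.7 - - [02/Sep/2013:18:08:04 +1200] "POST /administrator/index.php HTTP/1.1" 303 -
203.0.113.7 - - [02/Sep/2013:18:08:05 +1200] "POST /administrator/index.php HTTP/1.1" 303 -
203.0.113.7 - - [02/Sep/2013:18:08:06 +1200] "POST /administrator/index.php HTTP/1.1" 303 -
198.51.100.9 - - [02/Sep/2013:18:08:07 +1200] "GET /index.php HTTP/1.1" 200 5120
198.51.100.9 - - [02/Sep/2013:18:09:10 +1200] "POST /administrator/index.php HTTP/1.1" 303 -
"""

# Fields of the combined log format we care about: client, timestamp, method, path, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status)}


def admin_login_attempts(log_text):
    """Count POSTs to the administrator path per client address."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/administrator/"):
            hits[rec["ip"]] += 1
    return hits


def flag_bruteforce(log_text, threshold=5):
    """Addresses whose admin-login POST count reaches the threshold (sorted)."""
    return sorted(ip for ip, n in admin_login_attempts(log_text).items() if n >= threshold)
```

In practice the same count would be taken per time window and fed to a lockout or rate limit; the threshold here is only a demonstration value.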



Tel69
258 posts

Ultimate Geek

Trusted
Lifetime subscriber

  # 888461 2-Sep-2013 18:38

Yeah, as I said a few things interested me for attack vectors.
That was another one (although default, still not on their main page).
I suppose I just don't like buttons saying edit on an internet facing front end.


8034 posts

Uber Geek

Trusted

  # 889254 3-Sep-2013 21:10

The site is now returning an internal error (http status 500), oh dear.

2299 posts

Uber Geek

Trusted

  # 889283 3-Sep-2013 21:48

Ragnor: The site is now returning an internal error (http status 500), oh dear.

Geekzone hug of death?

15168 posts

Uber Geek


  # 889298 3-Sep-2013 22:18

Oblivian: I've seen a few smalltown businesses around the country advertising fully usable websites. They DL a Joomla or similar template, customise it for you, set up a domain, slap it on a VM with a quick CMS edit how-to and then charge monthly basic maintenance for it and any support..

Most people are none the wiser that you can do that sort of thing themselves without too much trouble.

Then again, at least they usually keep the versions up to date if they are on their own VM and not just handing off to a US server


Actually unless you know how to do it, it isn't that easy to do, and it is a learning curve. You have to have a fair bit of knowledge to do it, and to sort out any technical issues. One of the problems is that people expect web design for next to nothing these days, and one of the ways is to use a CMS like Joomla, buy a template, customise it, and then insert content etc, to do it as quickly as possible. The thing is they need to keep it all up to date, so these companies should regularly contact their web designers to update the CMS and the template for them, which all takes time and costs money to do. As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.

9 posts

Wannabe Geek


  # 889329 3-Sep-2013 22:44

mattwnz: As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.


The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.

15168 posts

Uber Geek


  # 889334 3-Sep-2013 22:51

clanmouse:
mattwnz: As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.


The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.


Not only that, but they then want the web designer to update the content anyway, because they then don't want to be bothered using the CMS, or adding images to the website with it is too hard. 



Tel69
258 posts

Ultimate Geek

Trusted
Lifetime subscriber

  # 889823 4-Sep-2013 17:20

mattwnz:
clanmouse:
mattwnz: As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.


The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.


Not only that, but they then want the web designer to update the content anyway, because they then don't want to be bothered using the CMS, or adding images to the website with it is too hard. 


Yup. Seen that a few times. (Or the infamous "show this temp, she/he knows computers".) Then you get called about images or pages not working.
