Geekzone: technology news, blogs, forums


Tel69
#129056 2-Sep-2013 16:28

Sorry if there is a convo on this already, but I thought this the best place to post.
So I was reading stuff and came across some business website in Timaru that got hacked.
I'm sure we have all seen it, but here it is if you have not

So I decided to take a look at this website when I got home (out of curiosity).
Looks OK for a small business website, but some obvious avenues of infiltration.
The HOME has an edit drop down that takes you to a login page. LOL
Perfect chance for SQL injection there and they are not even hiding the edit function.
There are other possibilities, but that one was funny.

Small company yes, but they learnt the hard way.
I'd say they got pinged because of the US threatening to hit Syria and their company name being Washingtons.

Tel

sidefx
#888386 2-Sep-2013 16:40


Tel69: The HOME has an edit drop down that takes you to a login page. LOL
Perfect chance for SQL injection there and they are not even hiding the edit function.


While it's odd having that on the menu, just showing that and having a login page doesn't open you up to SQL injection... SQL injection is where you're running un-sanitized/un-escaped input from the user directly against the database. I can't see any indication of this there.




"I was born not knowing and have had only a little time to change that here and there." - Richard Feynman
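To make sidefx's distinction concrete, here is an added example (not code from the thread or from Joomla) that puts the unsafe pattern, form input spliced into the SQL text, next to a parameterised query, and includes a check that shows when input is reaching the SQL parser. The users table, the plaintext password column and the function names are constructed for illustration only.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a CMS login table (hypothetical
    schema). A real system stores a password hash, never the plaintext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('debbie', 'correct horse')")
    conn.commit()
    return conn


def login_concat(conn, username, password):
    """The vulnerable pattern sidefx describes: the form fields are pasted
    straight into the query string, so SQLite parses whatever characters
    the user typed as part of the SQL statement."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, username, password):
    """Parameterised query: the fields are bound as data values and are
    never parsed as SQL, whatever they contain."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def input_reaches_parser(username):
    """Check whether a username containing a quote changes the structure of
    the concatenated query. A syntax error means the quote closed the string
    literal and the rest of the input was read as SQL; the parameterised
    version simply finds no such user."""
    conn = make_db()
    try:
        login_concat(conn, username, "x")
    except sqlite3.OperationalError:
        return True
    return False
```

A name with an ordinary apostrophe, such as o'brien, is enough to trigger the check; it is a correctness bug as well as a security one, which is why the fix is the query shape and not a blacklist of characters.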




Tel69
#888387 2-Sep-2013 16:42

Yes, but opens up another possibility to inject into the username and password inputs on the form to see if it's possible.
I was just saying it's an attack vector you'd not normally see that easily.

Ragnor
#888390 2-Sep-2013 16:50

So a Joomla install where they didn't keep up with security patches.

Probably paid a one off fee for a website development with no ongoing support/maintenance for updates.  



Tel69
#888429 2-Sep-2013 17:50

LOL, a reply from the company concerned to my pointing out the edit button.

"Terry
Thanks for your help
I have been unable to get hold of my IT guy all day (wondered if he had been hijacked along with website!)
OMG I had never noticed the edit button
Don't think there's anything that can do any harm but if you can see how they get in would be interested

Thanks
Debbie"

Oblivian
#888435 2-Sep-2013 18:07

I've seen a few small-town businesses around the country advertising fully usable websites. They DL a Joomla or similar template, customise it for you, set up a domain, slap it on a VM with a quick CMS edit how-to and then charge monthly basic maintenance for it and any support.

Most people are none the wiser that you can do that sort of thing yourself without too much trouble.

Then again, at least they usually keep the versions up to date if they are on their own VM and not just handing off to a US server.

sidefx
#888436 2-Sep-2013 18:08

I'm really not seeing what the issue is with that edit button other than it looking a bit sloppy.... perhaps you should point out that adding /administrator to their url opens up another "attack vector"?

http://www.washingtons.co.nz/administrator/


Really though, most CMSs will have something like that and if you can guess what the CMS is you can guess the URL even without a link. Most will have options for brute force mitigation and always try to educate users to pick decent passwords. And yeah, keep up on the patches.






Tel69
#888461 2-Sep-2013 18:38

Yeah, as I said, a few things interested me as attack vectors.
That was another one (although default, still not on their main page).
I suppose I just don't like buttons saying edit on an internet-facing front end.

Ragnor
#889254 3-Sep-2013 21:10

The site is now returning an internal error (http status 500), oh dear.

nickb800
#889283 3-Sep-2013 21:48

Ragnor: The site is now returning an internal error (http status 500), oh dear.

Geekzone hug of death?

mattwnz
#889298 3-Sep-2013 22:18

Oblivian: I've seen a few small-town businesses around the country advertising fully usable websites. They DL a Joomla or similar template, customise it for you, set up a domain, slap it on a VM with a quick CMS edit how-to and then charge monthly basic maintenance for it and any support.

Most people are none the wiser that you can do that sort of thing yourself without too much trouble.

Then again, at least they usually keep the versions up to date if they are on their own VM and not just handing off to a US server.


Actually, unless you know how to do it, it isn't that easy to do, and it is a learning curve. You have to have a fair bit of knowledge to do it, and to sort out any technical issues. One of the problems is that people expect web design for next to nothing these days, and one of the ways is to use a CMS like Joomla, buy a template, customise it, and then insert content etc., to do it as quickly as possible. The thing is they need to keep it all up to date, so these companies should regularly contact their web designers to update the CMS and the template for them, which all takes time and costs money to do. As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.

clanmouse
#889329 3-Sep-2013 22:44

mattwnz: As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.


The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.

mattwnz
#889334 3-Sep-2013 22:51

clanmouse:
mattwnz: As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.


The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.


Not only that, but they then want the web designer to update the content anyway, because they then don't want to be bothered using the CMS, or adding images to the website with it is too hard. 

Tel69
#889823 4-Sep-2013 17:20

mattwnz:
clanmouse:
mattwnz: As many companies' websites hardly change, I do sometimes wonder why some companies bother having a CMS, and don't just stick to a static website.


The most common feature request I receive is: I'd like to update the site content myself.
In reality, once live the client never bothers.


Not only that, but they then want the web designer to update the content anyway, because they then don't want to be bothered using the CMS, or adding images to the website with it is too hard. 


Yup. Seen that a few times. (Or the infamous "show this temp, she/he knows computers".) Then you get called about images or pages not working.
