[AusNOG] Hacked site reports boy to police | theage.com.au

Robert Hudson hudrob at gmail.com
Thu Jan 9 09:51:21 EST 2014


I had a similar response ("my tummy feels funny", followed by months of
inactivity) when I informed Queensland Police of a flaw in their CMS (a
commonly used one amongst government departments at that time) that allowed
the injection of data into their website - basically, you could craft a URL
to reference an externally hosted text file, and the site would build a
media release based on it. Essentially, the site worked as such: hytps://
police.qld.gov.au/media-releases/document_source=file.txt - where file.txt
could be an externally hosted file of your choosing.  Using some
obfuscation, you could easily make the location of file.txt look legit.

I tried telling them about the problem, they didn't get it. So I sent them
a crafted URL with a story that I'd been promoted to be the head of police
in Qld. That at least got their attention.  To their credit, they didn't
try to pursue any sort of charges against me, just finally said "Right,
thanks, leave this with us, we'll tell the others who are using it too".
And within a few months, it was fixed, and about a year later the CMS was
no longer in use there or at Brisbane City Council.

On 08/01/2014 8:20 PM, "Tim March" <march.tim at gmail.com> wrote:

>
> Anyone know what the actual "hack" was? A couple of links I found
> implied he "found an old database while browsing," which just sounds
> like they had +Indexes and Google found it.
>
> FWIW I found a directory indexing issue in $GovAUAgency a couple of
> years back with db dumps, credentials, admin scripts, SSH keys, bash
> logs (lock, stock, the lot...) and tried to notify their infrastructure
> provider. It was a nightmare. I ended up talking Ralph
> Wiggum^H^H^H^H^H^H^H^H^H^H^Ha support punter through it on the phone...
>
>         "open your browser... now go to Google... Now search for
> 'site:$GovAUAgency filetype:sql'"
>
>         "What is it?"
>
>         "Umm... Show that to your security punters"
>
>         "My tummy feels funny *mouth breathing*"
>
>
> ... The site was like it for months afterwards.
>
> TL;DR; If the kid was Google hacking, responsibly disclosed and they
> called the Fuzz that's pretty poor form.
>
>
>
> T.
>
> On 8/01/14 10:35 PM, Damian Guppy wrote:
> > Oh Good. Now watch as prosecutors press the courts to enhance the
> > charges so he can be tried as an adult and sentenced to more time behind
> > bars than the latest murder.
> >
> > --Damian
> >
> >
> > On Wed, Jan 8, 2014 at 7:28 PM, Patrick Webster <patrick at aushack.com
> > <mailto:patrick at aushack.com>> wrote:
> >
> >
> http://m.theage.com.au/it-pro/security-it/hacked-site-reports-boy-to-police-20140108-hv7tl.html
> >
> >
> >     _______________________________________________
> >     AusNOG mailing list
> >     AusNOG at lists.ausnog.net <mailto:AusNOG at lists.ausnog.net>
> >     http://lists.ausnog.net/mailman/listinfo/ausnog
> >
> >
>
> --
> PGP/GNUPG Public Key: http://d3vnu11.com/pub.key
>
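An added example, not code from the CMS Robert describes or from any Queensland Government site: the pattern he outlines is a document_source parameter naming a file the site fetches and renders as a media release, with nothing preventing that name from being an externally hosted URL. Below is the vulnerable resolver beside a hardened one that accepts only a bare .txt filename under a fixed local directory. The directory path, function names and sample inputs are assumptions constructed for this illustration.

```python
"""Added illustration of the document_source flaw described in the thread.

Not code from the CMS in question; the directory, function names and
sample inputs are assumptions constructed for this example.
"""
from pathlib import Path
from urllib.parse import urlsplit

# Assumed location of the legitimate media-release source files.
RELEASES_DIR = Path("/var/www/media-releases").resolve()


def vulnerable_resolve(document_source: str) -> str:
    """The behaviour described in the thread: whatever the URL parameter
    names is what gets fetched and rendered, a remote URL included."""
    return document_source


class RejectedSource(ValueError):
    """Raised when document_source is not an acceptable local filename."""


def hardened_resolve(document_source: str, base: Path = RELEASES_DIR) -> Path:
    """Accept only a bare .txt filename and return its path under base.

    Each check closes one route the original parameter left open: a
    remote fetch, path traversal, an unexpected file type, and any
    resolution (symlinks included) that escapes the releases directory.
    """
    parts = urlsplit(document_source)
    if parts.scheme or parts.netloc:
        raise RejectedSource("remote or scheme-qualified sources are not permitted")

    # A bare filename has no directory component and is not '.' or '..'.
    name = Path(document_source).name
    if name != document_source or name in ("", ".", ".."):
        raise RejectedSource("only a bare filename is permitted")

    if not name.lower().endswith(".txt"):
        raise RejectedSource("only .txt release sources are permitted")

    candidate = (base / name).resolve()
    if candidate.parent != base:
        raise RejectedSource("resolved path escapes the releases directory")
    return candidate


def is_accepted(document_source: str) -> bool:
    """True if hardened_resolve would accept the value, False if it rejects it."""
    try:
        hardened_resolve(document_source)
    except RejectedSource:
        return False
    return True


# Constructed inputs: one legitimate filename, then the kinds of values a
# crafted URL like the one in the thread relies on (externally hosted file,
# scheme-relative host, local file scheme, traversal, wrong file type).
SAMPLE_INPUTS = [
    "2014-01-09-traffic-operation.txt",
    "http://attacker.example/new-commissioner.txt",
    "//attacker.example/new-commissioner.txt",
    "file:///etc/passwd",
    "../../etc/passwd",
    "release.txt/..",
    "release.html",
]

if __name__ == "__main__":
    for value in SAMPLE_INPUTS:
        verdict = "accepted" if is_accepted(value) else "rejected"
        print(f"{value!r}: vulnerable -> {vulnerable_resolve(value)!r}; hardened -> {verdict}")
```

The point of the last check is that validating the string is not the same as validating where it resolves; keeping the allowlist to a directory the CMS already owns means the "obfuscated but legit-looking" location Robert mentions never gets a chance to be fetched at all.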
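A second added example, for the directory indexing issue Tim describes, and again not code from the thread or from any agency's infrastructure: a small parser that recognises an Apache-style autoindex page and flags the entries a reviewer would escalate (database dumps, admin scripts, SSH keys, shell history). The listing HTML below is constructed for illustration; the sensitive-name table is an assumption a practitioner would tune to their own environment.

```python
"""Added illustration of triaging an exposed directory listing.

Not code from the thread; the sample listing and the sensitive-name
table are constructed assumptions for this example.
"""
from html.parser import HTMLParser
from typing import List, Tuple

# Names or suffixes a defender would treat as high-risk in a public
# listing, with the reason to give the "security punters". Assumed set.
SENSITIVE_SUFFIXES = {
    ".sql": "database dump",
    ".sql.gz": "compressed database dump",
    ".sh": "shell/admin script",
    ".env": "environment file (credentials)",
    ".bash_history": "shell history",
    "id_rsa": "SSH private key",
    ".pem": "key material",
}


class _LinkCollector(HTMLParser):
    """Collects the <title> text and every href on the page."""

    def __init__(self) -> None:
        super().__init__()
        self.title = ""
        self.hrefs: List[str] = []
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "a":
            for key, value in attrs:
                if key == "href" and value:
                    self.hrefs.append(value)

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def is_directory_listing(html: str) -> bool:
    """Apache's autoindex titles every listing 'Index of <path>'."""
    parser = _LinkCollector()
    parser.feed(html)
    return parser.title.strip().startswith("Index of ")


def flag_sensitive_entries(html: str) -> List[Tuple[str, str]]:
    """Return (filename, reason) for each listed entry matching the table.

    Sort-order links (?C=N;O=D) and the parent-directory link are skipped.
    """
    parser = _LinkCollector()
    parser.feed(html)
    flagged = []
    for href in parser.hrefs:
        if href.startswith("?") or href.endswith("/"):
            continue
        name = href.rsplit("/", 1)[-1]
        for suffix, reason in SENSITIVE_SUFFIXES.items():
            if name.lower().endswith(suffix):
                flagged.append((name, reason))
                break
    return flagged


# Constructed sample modelled on Apache autoindex output; not a real page.
SAMPLE_LISTING = """<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<table>
<tr><th><a href="?C=N;O=D">Name</a></th><th><a href="?C=M;O=A">Last modified</a></th></tr>
<tr><td><a href="/">Parent Directory</a></td><td>&nbsp;</td></tr>
<tr><td><a href="prod_dump_2011.sql">prod_dump_2011.sql</a></td><td>2011-06-02 09:14</td></tr>
<tr><td><a href="deploy.sh">deploy.sh</a></td><td>2011-06-02 09:14</td></tr>
<tr><td><a href="id_rsa">id_rsa</a></td><td>2011-06-02 09:14</td></tr>
<tr><td><a href="readme.txt">readme.txt</a></td><td>2011-06-02 09:14</td></tr>
<tr><td><a href=".bash_history">.bash_history</a></td><td>2011-06-02 09:14</td></tr>
</table></body></html>"""

if __name__ == "__main__":
    if is_directory_listing(SAMPLE_LISTING):
        for name, reason in flag_sensitive_entries(SAMPLE_LISTING):
            print(f"{name}: {reason}")
```

Running this against a page found with a `site:` / `filetype:sql` search gives a concrete list to hand over, which is easier to act on than "show that to your security punters"; the fix on the server side remains turning directory indexing off and removing the files, not just hiding the index.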