Electric Picnic site Vulnerable...

30-04-2011 11:26pm #1

Electric Picnic is vulnerable too.

Picnic admins, PM me for details...

ifah · 03-05-2011 1:05pm

900913 wrote: »

Electric Picnic is vulnerable too.

Picnic admins, PM me for details...

900913 - just a question.

I assume that you are not identifying these vulnerabilities purely by accessing a website, but that you are running some kind of manual/automated scan across them. Where does this fit into the Terms of Usage of these sites and certain Legalities around pen testing sites ? And how have you squared this awa ywith the owners of the sites ?

dlofnep · 04-05-2011 5:06pm

I assume he's manually checking. So long as he doesn't damage the site, or steal any details, and is informing them free of charge - I wouldn't see it as a big deal. Is it a wee bit gray-hat? Sure. But it's better someone with good intentions informs them, instead of someone with malicious intentions not informing them.

05-05-2011 7:03pm

They returned my email and said, "We will let our web guys know".

*edit
yesterday at 6pm got the email.

So it should be fixed soon.

ifah · 05-05-2011 11:01pm

dlofnep wrote: »

I assume he's manually checking. So long as he doesn't damage the site, or steal any details, and is informing them free of charge - I wouldn't see it as a big deal. Is it a wee bit gray-hat? Sure. But it's better someone with good intentions informs them, instead of someone with malicious intentions not informing them.

Oh - I agree it's not a big deal and is a very light shade of grey!

I've done similar to the owners of several sites i've come across with vulnerabilities (it's almost a habit to start messing with the url's) and in all cases the site owners have received the info very gratefully but on the flip side in every case where there has been any contact with the web developers or IT support people it's been very agressive and defensive ....

wolfric · 06-05-2011 1:46am

and many a case where the company turns around and sues you if they're big enough. Although that depends on how far you go to verify an "issue."

08-05-2011 9:06am

Still not fixed after 4 days.

25-05-2011 1:39pm

I don't think they are going to fix it.

Sqli with XSS alert:
http://www.electricpicnic.ie/inner.php?locID=-113001+UnIoN+AlL+sElEcT+1,2,3,4,5,6,7,concat_ws(0x3a,user(),database(),version()),0x3C7363726970743E616C65727428275468652053716C20496E6A656374696F6E205374696C6C2049736E7420466978656427293B3C2F7363726970743E,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32--+-

dlofnep · 25-05-2011 2:04pm

It's pure lazyness. Takes only a minute to secure a variable from SQLi.

25-05-2011 2:11pm

They did something to it. The Injection changed from 30 to 32 columns.

Maybe that was their attempt at fixing it.

dlofnep · 25-05-2011 2:27pm

900913 wrote: »

They did something to it. The Injection changed from 30 to 32 columns.

Maybe that was their attempt at fixing it.

That wouldn't fix it. The problem exists within an unfiltered variable. They are passing a variable at some point in their script to MySQL, without it being screened first. I don't know how web-developers get these jobs, when it's clear while they have the ability to develop a full functioning dynamic website - they are either too lazy to secure it, or haven't bothered to look into how to secure websites.

25-05-2011 3:07pm

Their Forbibben Fruit and Body and Soul Festivals sites have the same vulnerable script.

inurl:"inner.php?locID="

Four out of the eight sites on their server have sql injection vulnerablities.

dlofnep · 25-05-2011 3:53pm

This company designed the site. It's possible that many other client websites have vulnerabilities.

25-05-2011 4:10pm

dlofnep wrote: »

This company designed the site. It's possible that many other client websites have vulnerabilities.

They do the tv3.ie site and it was vulnerable to sqli for over 2 years, They only fixed it around the start of the year.

dlofnep · 25-05-2011 4:29pm

Blind SQLi on another one of their sites. Hm..

LoLth · 25-05-2011 5:16pm

Have you contacted DV4 to let them know that the sites they produce are vulnerable or did you contact the electric picnic organisers?

25-05-2011 5:27pm

LoLth wrote: »

Have you contacted DV4 to let them know that the sites they produce are vulnerable or did you contact the electric picnic organisers?

I contacted clare from pod.ie 3 weeks ago and I have emailed dv4 over a year ago.

LoLth · 25-05-2011 6:02pm

900913 wrote: »

I have emailed dv4 over a year ago.

not much more I can say other than

:eek:

Electric Picnic site Vulnerable...

Comments