people have bad security.

Every now and then this pisses me off, but I'm more pissed off than normal
about it today so I thought I'd share it.  
I don't know if anyone has checked out the Eisa website (the ISP that would
be king) but this is a damn fine case in point of why Linux and unix in general
get a bad rap because of poor security. Remember, your machine is only as
secure as the swiss cheese you're running on it.
I'm not sure if doing this is kosher, but for the general protection of
folks out there who have used Eisa I think it's important.

Machine: wzzx.eisa.net.au

Function: Eisa online signup server (remember this). Accepts and processes
online signups including credit card handling.

Details: Without poking too heavily it's a linux box running, wait for it,
Apache 1.0.5. Forms posted to it for signup processing go through the
database system mSQL. Probably some 2.0x version.

The problem: mSQL in any flavour is pretty horrid as far as security goes.
Buffer overruns etc abound. One notable bug was that you could telnet to the
mSQL port, press ctrl-C and bye bye server.
Other problems include the ability to overflow the buffer that w3-sql (the
scripting engine add-on) uses to get the script name to process and crash
the server, and there are freely available remote exploits out on the net to
gain shell access on a machine running mSQL. One good one opened up an
xterm for you :)
That's bad enough but here's the kicker. The forms posted to it are firstly
not encrypted. Plain old HTTP for that including username, password and card
details but they're also posted in the URL query string. Yes that's correct
- the URL.
Remember those remote exploits? This is script kiddie stuff. How trivial is
it to gain a shell and then simply suck back the Apache access log to pull
out all the query strings? It's some script kiddie's wet dream!

I mailed them ages ago to offer to fix it for them but of course no
response.

Come on! This is the company that wanted to buy Ozemail. Thank god that fell
through...

Why does this bother me? If I was an Eisa customer or even an ex-Eisa
customer with my details sitting on that server waiting for someone to come
along, I'd be getting on that phone pretty darn quick. I also hope that
other people will nag them into doing something about it or shame them into
it.

Cheers,
 Graeme
-- 
Turn on, dial in, geek out...
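The practical point in Graeme's post is that anything carried in a GET query string ends up in the web server's access log, so a password or card number submitted that way is stored in plain text in a file that any later compromise (or a careless backup) exposes. The script below is an added example, not code from the post or from Eisa: an operator can run it over their own Apache access logs to find request lines whose query strings carry sensitive field names or Luhn-valid card numbers, and to produce a redacted copy of each hit. The log lines, hostnames, field names and CGI path are constructed for the example; the Luhn check is the standard card-number checksum.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in Apache common log format (not real logs from
# any ISP). The first line shows the failure mode described in the post: a
# signup form submitted via GET, so credentials and card data sit in the URL.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/1999:14:02:11 +1100] "GET /cgi-bin/signup.cgi?user=alice&pass=hunter2&card=4111111111111111&exp=0301 HTTP/1.0" 200 512
10.0.0.9 - - [10/Mar/1999:14:03:40 +1100] "GET /index.html HTTP/1.0" 200 2048
10.0.0.7 - - [10/Mar/1999:14:05:02 +1100] "GET /cgi-bin/signup.cgi?user=bob&plan=dialup HTTP/1.0" 200 512
"""

# Splits a common-log-format line into the part before the request method,
# the method, the request URL, and everything after the URL.
LOG_RE = re.compile(
    r'^(?P<prefix>\S+ \S+ \S+ \[[^\]]+\] ")'
    r'(?P<method>[A-Z]+) (?P<url>\S+)'
    r'(?P<suffix> HTTP/[\d.]+".*)$'
)

# Query parameter names that should never appear in a URL (assumed list;
# extend it to match the forms your own site actually uses).
SENSITIVE_KEYS = {"pass", "password", "passwd", "pwd",
                  "card", "cardno", "ccnum", "cvv", "exp"}


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """True if the value is 13-19 digits (spaces/dashes allowed) passing Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def audit_line(line: str):
    """Return None if the line is clean, else the offending keys and a
    redacted copy of the line suitable for keeping instead of the original."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    if not parts.query:
        return None
    findings, kept = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_KEYS or looks_like_card(value):
            findings.append(key)
            kept.append((key, "[REDACTED]"))
        else:
            kept.append((key, value))
    if not findings:
        return None
    new_url = parts._replace(query="&".join(f"{k}={v}" for k, v in kept)).geturl()
    return {
        "keys": findings,
        "redacted_line": m.group("prefix") + m.group("method") + " "
                         + new_url + m.group("suffix"),
    }


def audit_log(text: str):
    """Scan a whole log; return (line_number, finding) pairs for each hit."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        result = audit_line(line)
        if result:
            hits.append((number, result))
    return hits


if __name__ == "__main__":
    for number, result in audit_log(SAMPLE_LOG):
        print(f"line {number}: sensitive query keys {result['keys']}")
        print("  redacted:", result["redacted_line"])
```

A hit from this script means the form itself needs changing, not just the log: switching the submission to POST over HTTPS keeps the fields out of the URL and therefore out of the access log, and the redacted copy lets you retain the logs you already have without the card data.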


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug