As the readers of this website might have noticed, I was recently in Berlin at the CCC Congress. I had the chance to meet several hackers who are really skilled at getting information out of the Web that you might not expect to find.
Eager to try that out myself, I found some websites that show information you should not be able to see.
Does anyone here know SQL Ledger? I suppose not that many. SQL Ledger is a web-based accounting and ERP system: you manage your clients' contact information, their invoices and your stock of products in it.
Second, we have a web hosting company. I have no relationship with them, nor did I know them before. All I did was run a Google query that someone showed me at the congress.
This is what I found:
[Screenshot: bild-1]
What went wrong here?
- I got full rights on the database server. I could erase, create or change anything, e.g. mark an invoice as unpaid and let them have fun resolving the issue.
- I got a full list of credit card expiry dates and names.
- I got an address list of the people these records refer to.
- If I set up SQL Ledger myself and brute-force the credit card information, I can get good information and buy myself what I want.
Why did that go wrong?
- Thou shalt not set up MySQL on a public server without a password. An account with an empty password on a server that listens on all interfaces is reachable by anyone who finds it.
- Thou shalt not run your customer information system over a plain HTTP connection (that was not the problem here, but it is a fail too).
- Thou shalt not let Google index your unsecured phpMyAdmin. robots.txt keeps well-behaved crawlers away, but it is not access control: put the admin interface behind authentication or an IP allowlist, or take it off the public web entirely.
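The first point above has two halves a practitioner can check mechanically: whether mysqld listens on a public interface, and whether any account can log in without a password. The script below is an added example written for this post; it is not software from the hosting company, from SQL Ledger or from MySQL. The my.cnf fragments and the account rows are constructed sample data shaped like `mysql.user`, and `FAKE_HASH` stands in for a real password hash. It also handles the caveat that trips up naive audits: an `auth_socket`/`unix_socket` account has an empty `authentication_string` but is not usable over the network.

```python
"""Two checks for the MySQL failures listed above: an account that can log in
without a password, and a server that accepts connections from the public
Internet.  Example code added to this post, not software from the hosting
company, SQL Ledger or MySQL.  All config text and account rows below are
constructed sample data."""
from __future__ import annotations

import configparser
from dataclasses import dataclass

# Constructed my.cnf fragments.  MySQL treats 'bind-address' and 'bind_address'
# as the same option, so the audit accepts both spellings.
WEAK_MYCNF = """
[mysqld]
user = mysql
port = 3306
bind-address = 0.0.0.0
"""

HARDENED_MYCNF = """
[mysqld]
user = mysql
port = 3306
bind-address = 127.0.0.1
skip-networking
"""

# The query whose rows the account audit expects, one Account per row.
# 'plugin' matters: auth_socket/unix_socket accounts legitimately have an
# empty authentication_string but cannot be used over TCP.
ACCOUNT_QUERY = "SELECT User, Host, plugin, authentication_string FROM mysql.user"

PASSWORD_PLUGINS = {"", "mysql_native_password", "caching_sha2_password", "sha256_password"}
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}


@dataclass(frozen=True)
class Account:
    user: str
    host: str
    plugin: str
    auth: str  # authentication_string (the Password column on MySQL < 5.7)


FAKE_HASH = "*" + "F" * 40  # placeholder, not a real mysql_native_password hash

# Constructed rows modelled on a default install that was never locked down.
SAMPLE_ACCOUNTS = [
    Account("root", "%", "mysql_native_password", ""),           # the failure described in the post
    Account("root", "localhost", "auth_socket", ""),             # empty string, but socket-only
    Account("ledger", "%", "mysql_native_password", FAKE_HASH),  # password set, any host
    Account("", "localhost", "mysql_native_password", ""),       # anonymous account
]


def audit_config(mycnf: str) -> list[str]:
    """Return findings about which interfaces mysqld will listen on."""
    parser = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    parser.read_string(mycnf)
    if not parser.has_section("mysqld"):
        # Upstream MySQL's compiled-in default is to listen on every interface.
        return ["no [mysqld] section: server falls back to listening on all interfaces"]
    sect = parser["mysqld"]
    if "skip-networking" in sect or "skip_networking" in sect:
        return []  # TCP disabled entirely; only the local socket remains
    bind = sect.get("bind-address") or sect.get("bind_address")
    if bind is None:
        return ["bind-address not set: server listens on all interfaces"]
    bind = bind.strip()
    if bind in {"0.0.0.0", "::", "*"}:
        return [f"bind-address = {bind}: server listens on all interfaces"]
    return []


def audit_accounts(accounts: list[Account]) -> list[str]:
    """Flag accounts usable without a password plus the usual default-install leftovers."""
    findings = []
    for a in accounts:
        who = f"'{a.user}'@'{a.host}'"
        if a.auth == "" and a.plugin in PASSWORD_PLUGINS:
            findings.append(f"{who}: no password set")
        if a.user == "":
            findings.append(f"{who}: anonymous account")
        if a.user == "root" and a.host == "%" and a.plugin not in SOCKET_PLUGINS:
            findings.append(f"{who}: superuser reachable from any host")
    return findings


if __name__ == "__main__":
    for label, cnf in (("weak", WEAK_MYCNF), ("hardened", HARDENED_MYCNF)):
        print(label, "config:", audit_config(cnf) or ["ok"])
    print("accounts:", audit_accounts(SAMPLE_ACCOUNTS))
```

Against a live server you would feed `audit_config` the real my.cnf and build the `Account` list from the output of `ACCOUNT_QUERY`; the hardened fragment shows the two settings that close the network side, and every account the second function flags needs either a password (`ALTER USER ... IDENTIFIED BY ...`) or to be dropped.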
I will contact the hosting company that has this security flaw and will post updates if they do not react. I have the power to dump their SQL files and do whatever I want with them. Imagine combining that with DNS poisoning: I could get their clients to log in to MY rogue CRM system and give them fake invoices with my account information instead, so that I get the money.
And I could even do that on the existing system. Do YOU frequently check that nobody has modified the bank account number on your client invoices? I suppose not!
Do you know if your system is safe? You can have me take a look at it. I work with a team of skilled people experienced in finding security holes in web apps and infrastructure.