Mailing List Archive

Two biggest Indian University Websites are vulnerable
Topic:

a) Sikkim Manipal University portal is vulnerable to SQL Injection attack.
b) Calcutta University website is spreading malware via iframe code
insertion.

Details:

a) About the university: Sikkim Manipal is one of the largest private
universities in India. The Institute attracts students from all over the
country, with over 1700 students enrolled in the various engineering
disciplines. 102 full-time faculties are employed.

Type of problem: SQL Injection

Vulnerable Portal: http://portal.smude.edu.in/

User Name: sanjay
[any name will work]
Password: ' OR ''='
Choose "Center Login" radio button
Press SUBMIT.

Screenshot: http://www.isolutionindia.com/isolutionindia/disclosure/SM.JPG

Effect: You have access to the main admin panel. Option to download & print
ALL student records, contact information, admit cards for upcoming
examinations, assignments, results, etc. Option to change password.

Credit: Pradip Sharma, Surajit Biswas, Sandeep Sengupta; Cyber Security
Research Analysts, iSolution Software Systems Pvt. Ltd.,
www.isolutionindia.com

b) Calcutta University is the oldest existing university in the Indian
subcontinent. Founded in 1857, it is ranked 39th in the world.

Vulnerability: The main page is spreading virus. www.caluniv.ac.in
It has iframe code injection & pulling virus from the Russian site
pantscow.ru
Hundreds will be infected while checking for results on the website.

Screenshot: http://www.isolutionindia.com/isolutionindia/disclosure/CU.JPG

Credit: Arnab Kanti Choudhury, Sandeep Sengupta; Cyber Security Research
Analysts, iSolution Software Systems Pvt. Ltd., www.isolutionindia.com

Disclaimer: The above information has been published with the intention that
the concerned authorities will take notice & amend the bugs. People are
requested not to use the above information for illegal actions. We take no
responsibility for the consequences.

Thanks.

Cyber Security Research Team
iSolution Software Systems Pvt. Ltd.
www.isolutionindia.com
Mob: +91 9830310550
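
Added example (not part of the original post, and not the portal's code, which the thread never shows): a small Python/sqlite3 reconstruction of why the password string in the advisory logs in under any user name when the query is built by string concatenation, next to a parameterized check. The table layout, function names and sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def _kdf(password, salt):
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Constructed sample accounts; the real portal's schema is unknown."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT, password TEXT, "
                 "salt BLOB, pw_hash BLOB)")
    # The plaintext column exists only so the vulnerable variant can run.
    for name, role, pw in [("admin", "center", "S3cret!"),
                           ("sanjay", "student", "hunter2")]:
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, ?)",
                     (name, role, pw, salt, _kdf(pw, salt)))
    return conn


def login_concat(conn, name, password):
    """Vulnerable: form input is pasted into the SQL text."""
    sql = ("SELECT name, role FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    # With password  ' OR ''='  the WHERE clause becomes
    #   name = '<x>' AND password = '' OR ''=''
    # AND binds tighter than OR, so the always-true ''='' matches every row.
    return conn.execute(sql).fetchone()


def login_param(conn, name, password):
    """Hardened: input is bound as data and checked against a salted hash."""
    row = conn.execute(
        "SELECT name, role, salt, pw_hash FROM users WHERE name = ?",
        (name,)).fetchone()
    if row is None:
        return None
    ok = hmac.compare_digest(_kdf(password, row[2]), row[3])
    return (row[0], row[1]) if ok else None


if __name__ == "__main__":
    db = make_db()
    reported = "' OR ''='"  # password string quoted in the advisory
    print("concatenated:", login_concat(db, "nobody", reported))
    print("parameterized:", login_param(db, "nobody", reported))
    print("valid login:", login_param(db, "sanjay", "hunter2"))
```

In the concatenated variant the first row of the table comes back whatever user name is typed, which matches the advisory's "[any name will work]".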
Re: Two biggest Indian University Websites are vulnerable
Hi,

Considering the fact you didn't inform the concerned authority at both
the universities (before disclosing publicly), are you not breaking
the Indian IT Act by doing such type of public disclosure [1]? IANAL but
if you (someone else on list) have something to say about this point
it would be cool.

[1] IT Act 2000, Chapter 9, 43 (G) (
http://www.cybercellmumbai.com/cyber-laws/chapter-9 )

Regards

Shreyas Zare

Sr. Information Security Researcher
Secfence Technologies
www.secfence.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: Two biggest Indian University Websites are vulnerable
I also like how you credited 2 people for what was effectively Firefox
telling you a website was unsafe, and 3 people for a login SQL.

Re: Two biggest Indian University Websites are vulnerable
1. We spoke to Univ system admin over the phone yesterday. They are
aware of the problem. Now it is up to them how much time they will take to
rectify it. We hope they at least have the wisdom to bring the site
down till it is debugged. They have the wisest men working for them,
after all.

2. In reply to other email from Benji, discovery consists of what
everyone has seen & thinking what nobody has thought. I had the option
of keeping quiet, but that would have kept the issue lingering &
hundreds of students would have suffered. Univ officials need to wake
up fast.

3. The matter has been published by press today morning. I have put on
full disclosure more than 12 hours later.

Warm regards,
Sandeep

Re: Two biggest Indian University Websites are vulnerable
But you clearly point out that Google had detected it as well, thus
warning the users already.... (and it took 2 people on your part to
discover and screenshot this)

Re: Two biggest Indian University Websites are vulnerable
On Sat, 17 Jul 2010 17:33:44 +0530, Sandeep Sengupta said:
> 1. We spoke to Univ system admin over the phone yesterday. They are
> aware of the problem. Now it is up to them how much time they will take to
> rectify it. We hope they at least have the wisdom to bring the site
> down till it is debugged.

That turns out to often be a harder decision than it looks. Taking the
website down has its own costs - nobody can do any of the things the website
supports. If you have good web logs and are fairly confident that you will
be able to detect and deal with any actual malicious activity, it may actually
make sense to keep the website up. It's tradeoffs - which costs more, the
possible damage done by an attack, or the *known* damage caused by an outage?
Re: Two biggest Indian University Websites are vulnerable
On Sat, Jul 17, 2010 at 8:03 AM, Sandeep Sengupta
<sandeep.sengupta@gmail.com> wrote:
> 1. we spoke to Univ system admin over the phone yesterday. They are
> aware of the problem.

The best I can tell from Shreyas' link (if it is applicable),
disclosing to the University does not relieve or indemnify you from
provisions of 43 (G). Perhaps there's a section which allows public
disclosure after private disclosure?

> Now up to them how much time they will take to
> rectify it. We hope they at least have the wisdom to bring the site
> down till it is debugged. They have the wisest men working for them,
> after all.

It's unfortunate that the University did not jump high enough when you
clapped your hands. I suppose a 12-hour is better than a 0-day. Even
Ormandy gave Microsoft about a man-week for the help center
vulnerability (debatable, but somewhere around the truth).

> 2. In reply to other email from Benji, discovery consists of what
> everyone has seen & thinking what nobody has thought. I had the option
> of keeping quiet, but that would have kept the issue lingering &
> hundreds of students would have suffered.

You forgot to mention the other options at your disposal.

> Univ officials need to wake up fast.

Oh, I see - a political statement - you're grinding an axe. You really
should not claim altruism ("I did it for the students"). Perhaps it
was also a bit of advertisement for iSolution Software Systems Pvt
Ltd, which is clearly not altruistic.

>
> 3. The matter has been published by press today morning. I have put on
> full disclosure more than 12 hours later.
>

Re: Two biggest Indian University Websites are vulnerable
This is in reply to all those emails which were sent to me privately. I felt
another full-disclosure is needed to make a few things clear. I do not have
time to write back to each one of the critics.

----------- My conversation with SMU (you will enjoy it) ---------------

1. Searched Google & found their website. Went to contact us page & found
the phone number of Dean / Director.

2. Called 91-0820-4297000.

3. A lady picks up.
SMU: "Good afternoon, SMU"
Sandeep: "Good afternoon ma'am. I am not a student of SMU. I want to ..."
SMU: "Call the helpdesk" .. *hangs up*

Called 91-0820-4297000 again.
*Rinnnnnnnnnngggg*
SMU: "Good afternoon, SMU"
Sandeep: "Hello, do not hang up please. I want to report a problem about
your site. Your website can be hacked. I am NOT a student. I want to speak
to Dean or System Admin. I mean someone senior."
SMU: *raised voice* "I am just the receptionist. Call the helpdesk"

*transfers line to helpdesk*
*Rinnnnnnnnnngggg*
*Lady picks up*
Helpdesk: "Good afternoon, how can I help you"
Sandeep: "I think I can help you. Your site is prone to hack attack. I want
to talk to someone senior".
Helpdesk: "Sir, I don't think your information is correct"
Sandy: "Grrrrr .. see .. I am not student of yours. I am a senior security
professional working in this field for many years. If you want the
information, I can explain you, if you don't want, that's your choice."
Helpdesk: "You need to speak to the IT dept".
Sandy: "And what's the number?"
Helpdesk: "It is ... ". (I forgot now, wrote it on notepad)
Sandy: "Does this number belong to someone from SMU or is this a 3rd party
outsourcing company contact number?".
Helpdesk: "No, it belongs to SMU own IT dept in Bangalore".
Sandy: "Okay, fine, thanks."

Calls the IT Dept number.
*Rinnnnnnnnnngggg*
*Lady picks up*
IT Dept: "Good afternoon"
Sandy: "Good afternoon. Is this SMU IT Dept?"
IT Dept: "That's right".
Sandy: "Your website is prone to SQL injection attack. I want to talk to
system admin".
IT Dept: "regarding what?"
Sandy: "You have a website at portal.smude.edu.in. Right?"
IT Dept: "Yes".
Sandy: "That can be hacked. If you want to know more about it, please let me
talk to the system admin".
IT Dept: "Please hold".

*A guy answers*
Sys Admin: Hello, this is Sameer.
Sandy: Are you the system admin.
Sys: You may speak to me.
Sandy: Okay. Your website is prone to SQL Injection attack.
Sys: how?
Sandy: Go to portal.smude.edu.in. use any user name, like "sanjay". And then
use a SQL injection code. And you can see.
*silence*
Sandy: You know what is SQL Injection. Right?
Sys: Hmmm
Sandy: Send me your email id. I will send you step by step guidelines. 1000s
of students' confidential information is at stake. You need to act fast.

*took the email id & sent to Dean, Sameer, Controller & all the SMU email
ids I can find.*

Effect: Though they may not be that technically sound, they have tried their
bit by adding a new page "indexHomenew.asp", which somehow stopped the SQL
injection reported.

----------- My communication with Calcutta University ---------------

They are the elite university. They at least had the courtesy to send an
acknowledgment after the telecon. Appreciated that. Here is the email they
have sent.

On 7/16/10, changededthis@caluniv.ac.in wrote:

Dear Mr. Sandeep

Many thanks for your suggestions.

We are trying to sort out the problem

Regards
Soumitra Sarkar

Effect: The issue has been resolved.

------------------

My message to all the critics: We have the knowledge & alertness to detect a
vulnerability, and a good sense of responsibility to take all the trouble to
get the information to the concerned authorities, and finally getting the
issues resolved. That was followed by a full disclosure, as the list is
meant for that. We didn't do it for any appreciation, though a few of them
would have surely made the team happy :) Sadly, whatever poured in was
criticism. My advice to all the critics is not to waste your time in
dissecting what we have done. Find a vulnerability, report it, get it
resolved & let us know. If you can not find one, you may be wasting too much
time thinking what others are doing. Amen !!

Warm regards,

Sandeep Sengupta

iSolution Software Systems Pvt. Ltd.
www.isolutionindia.com
Mob: +91 9830310550

India Office:
D-24 Katju Nagar (1st Floor),
Kolkata - 700032

Singapore Office:
17 Phillip Street #06-00
Grand Building, Singapore - 048695

On 7/21/10, samrat ashok <samrat.ashok0wns@gmail.com> wrote:
>
> LOL....sorry to say this Sandeep Sengupta (Cyber Security Research
> Analyst). But this is one of the most lame and funny disclosures I have seen
> here on Full Disclosure. You just sound like mustlive. Do you really think
> that admin of these websites even knew about Full Disclosure? I am saying
> this because the storming SQL injection looks more like practicing on
> webgoat. If you can find such thing on a website how can you expect them to
> even know abt FD.
>
> You really tried to make some market for your company but for me it's really
> funny. Peace..
>
> Samrat