Vulnerabiltiy Found… Need Advice

Viewing 12 reply threads
  • Author
    Posts
    • #5011
      inf3kt1d
      Participant

      Fellow EH’s I need some advice. I was doing some GoogleFoo and found a site that had public access to a directory that held some shell scripts. I noticed one of them was named in a way that led me to believe that it may have some ‘login’ info in it. Sure enough it had the SA credentials for their MYSQL database. What is a good way to notify the site admin? I know the easy way is just to email them, but I know that some admins get a little upset when you discover a flaw in their system. I guess I really want to know:
      1) Legally I didn’t do anything wrong; am I correct? I didn’t download any data and found it with a “simple” google search…
      2) How do I approach the Admin in a way to let him/her know that I am trying to help them?
      3) Do any of you have any experience with something like this?

      Thanks in advance for any advice. I crawl around these forums often and appreciate all of the information that everyone provides. It has really helped me get from, “Yeah, I think security would be a cool thing to get into,” to “Wow! I’ve come a long way in a few months! This stuff is awesome!!!”

      -inf3KT1d

    • #31752
      Dengar13
      Participant

      Let that dog lie. 

      1.  No you didn’t, but delving further will push you into dangerous waters.

      2.  You don’t.

      3.  Yes, this can be found easily enough and unsolicited advice can get you into trouble.

      This is just my two cents and am sure others will chime in with their advice as well.

    • #31753
      Xen
      Participant

      I agree with Dengar and would advice you to just ignore it. GHDB has a lot of such vulnerable sites, would you go about notifying each one of them?

    • #31754
      inf3kt1d
      Participant

      I guess not…  ;D
      Just kinda feel bad if I know that this is open and someone completely FUBAR’s their DB. I do however see how it’s not my responsiblity to notify them if I don’t want to. It’s their responsibility to secure their stuff…

      Thanks for the advice Dengar13 and Equix3n-

      Just got a little excited because it is the first thing I’ve actually seen and not just read about; or simulated in my lab.

    • #31755
      rattis
      Participant

      I’m of 2 minds of this.

      If it was my network, I’d want someone to tell me so I can get it fixed. Usually by passing it back to the developers..

      On the other hand, I’m sure the company would be interested in putting you under a microscope with lawyers at the eye piece since you were doing reconnaissance against the network.

      Know what I mean?

    • #31756
      inf3kt1d
      Participant

      Yeah. That’s what I was the most afraid of. I don’t have anything to hide, but I also don’t want that kind of hassle. I also know the security policiy of the place I work at, and I wouldn’t want to be me microscoped end.

      Doesn’t stop me from thinking about how much it would suck if the wrong person were to find this as well, but oh well.

    • #31757
      What90
      Participant

      I’d like to know if I had a massive hole in my external network before it becomes “managed” by someone esle 😉

      You may want to contact a trusted 3rd party like the SANS Internet Storm Center and ask them to inform the company. If they can’t help they may be able to point you in the right direction on whom to report this to.

      http://isc.sans.org/contact.html

      Worth a shot and then at least you’ve tried.

    • #31758
      Anquilas
      Participant

      Tbh I would be glad if someone informed me about a vulnerability in my network :-/
      Beats having to find it out by being attacked.

      As long as you can inform him/her directly, and don’t go through his colleagues or superiors (like, mail to info@companyinquestion.com to tell about the issue), he won’t lose face and you will have helped him.

      At least, imo ofc. 🙂

      Hell, you can always make sure that he doesn’t know who you are so that he can’t sue you, I guess?

    • #31759
      bamed
      Participant

      The response you’d get would depend entirely on the admin.  Some people have a tendency to get defensive and will see you as a threat no matter what  your intentions.  If you’re really convicted that something needs addressed, you could try to approach the admin anonymously, but even then you put yourself at risk.  Even if you send an anonymous email that can not be traced back to you, the admin is likely to start digging through some logs and may find if he’s determined enough may still find something to track back to you.  Don’t forget, you’ve already accessed the vulnerable area of their website.
      Perhaps rather than an anonymous type saying, “I found login info at XYZ”, maybe an anonymous tip, “Have you seen this GoogleFoo? It could turn up something interesting on your site.”  Give him a chance to find it himself.

    • #31760
      Xen
      Participant

      Every coin has two sides. One set of people (like me) will argue that you should just ignore it. It’s not your network, it wasn’t your duty to find the vulnerability and you never know how they might react. They might choose to reward you or put you under the scanner. So why bother with unnecessary trouble?

      Others will say that reporting the vuln. is the right thing to do. Someone’s network is at danger and who knows what kind of damage they might suffer.

      I won’t deny that had it been my network I would be happy if someone reported me a vuln., but I can’t be sure about the other admins, can I?

      In the end, it’s your call. If you’re determined to help the company (and willing to take the risk) you can go ahead and report it. But like What90 said, better do it via a third part like SANS Internet storm center or US CERT.

    • #31761
      j0rDy
      Participant

      this is a hard situation. being a white hat that i am, i would prefer to notify the company. then again it also depends largely on your personal situation. How old are you? are you working in the IT security field? have any certificates that prove you know what you are doing? these things influence the outcome of the reply mail (from thanks and plz come consult for us to get lost and you will hear from our lawyers).

      another possibility: if you are not in it for the credits report it anonymously. just send an email and let them decide what to do with it…

      good luck and let us know what you decide (if possible).

    • #31762
      inf3kt1d
      Participant

      @j0rDy wrote:

      How old are you? are you working in the IT security field? have any certificates that prove you know what you are doing? these things influence the outcome of the reply mail (from thanks and plz come consult for us to get lost and you will hear from our lawyers).

      another possibility: if you are not in it for the credits report it anonymously. just send an email and let them decide what to do with it…

      good luck and let us know what you decide (if possible).

      Update::

      Had decided to do an anonymous email, but didn’t need to…
      Guess this person had discovered the problem, or someone else was nice enough to fill them in. To answer the questions above
      I am 25
      I am working as a SysEng (& IRT Member of the org)
      Added certs to my signature.
      I was hoping for the former. Don’t really care about the cred, but I did want them to ask for some help so that I could get some real world experience. The only experience I am getting now is from the IRT. Want to do as much as I can in the security spectrum so that I can decide where I would like to specialize.

      Thanks for all of the responses!

    • #31763
      Anquilas
      Participant

      Shame that you didn’t get a chance to report it, but good to hear that it’s fixed.

      Thanks for sharing it with the group!

Viewing 12 reply threads
  • You must be logged in to reply to this topic.

Copyright ©2021 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?