.

Vulnerabiltiy Found... Need Advice

<<

inf3kt1d

User avatar

Newbie
Newbie

Posts: 21

Joined: Mon Nov 09, 2009 8:59 pm

Post Wed May 05, 2010 9:43 am

Vulnerabiltiy Found... Need Advice

Fellow EH's I need some advice. I was doing some GoogleFoo and found a site that had public access to a directory that held some shell scripts. I noticed one of them was named in a way that led me to believe that it may have some 'login' info in it. Sure enough it had the SA credentials for their MYSQL database. What is a good way to notify the site admin? I know the easy way is just to email them, but I know that some admins get a little upset when you discover a flaw in their system. I guess I really want to know:
1) Legally I didn't do anything wrong; am I correct? I didn't download any data and found it with a "simple" google search...
2) How do I approach the Admin in a way to let him/her know that I am trying to help them?
3) Do any of you have any experience with something like this?

Thanks in advance for any advice. I crawl around these forums often and appreciate all of the information that everyone provides. It has really helped me get from, "Yeah, I think security would be a cool thing to get into," to "Wow! I've come a long way in a few months! This stuff is awesome!!!"

-inf3KT1d
CEHv7
MCSA:Security
CompTIA Security+
CompTIA A+
<<

Dengar13

User avatar

Sr. Member
Sr. Member

Posts: 380

Joined: Tue Sep 20, 2005 8:43 am

Location: The Steel City

Post Wed May 05, 2010 9:49 am

Re: Vulnerabiltiy Found... Need Advice

Let that dog lie. 

1.  No you didn't, but delving further will push you into dangerous waters.

2.  You don't.

3.  Yes, this can be found easily enough and unsolicited advice can get you into trouble.

This is just my two cents and am sure others will chime in with their advice as well.
A+, Net+, MCP, CEH
MCSE: Security/Messaging
MCSA: Security/Messaging
Former U.S. Marine and damn proud of it!
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Wed May 05, 2010 10:46 am

Re: Vulnerabiltiy Found... Need Advice

I agree with Dengar and would advice you to just ignore it. GHDB has a lot of such vulnerable sites, would you go about notifying each one of them?
<<

inf3kt1d

User avatar

Newbie
Newbie

Posts: 21

Joined: Mon Nov 09, 2009 8:59 pm

Post Wed May 05, 2010 12:58 pm

Re: Vulnerabiltiy Found... Need Advice

I guess not...  ;D
Just kinda feel bad if I know that this is open and someone completely FUBAR's their DB. I do however see how it's not my responsiblity to notify them if I don't want to. It's their responsibility to secure their stuff...

Thanks for the advice Dengar13 and Equix3n-

Just got a little excited because it is the first thing I've actually seen and not just read about; or simulated in my lab.
CEHv7
MCSA:Security
CompTIA Security+
CompTIA A+
<<

rattis

User avatar

Hero Member
Hero Member

Posts: 1172

Joined: Mon Jul 27, 2009 1:25 pm

Post Wed May 05, 2010 2:34 pm

Re: Vulnerabiltiy Found... Need Advice

I'm of 2 minds of this.

If it was my network, I'd want someone to tell me so I can get it fixed. Usually by passing it back to the developers..

On the other hand, I'm sure the company would be interested in putting you under a microscope with lawyers at the eye piece since you were doing reconnaissance against the network.

Know what I mean?
OSWP, Sec+
<<

inf3kt1d

User avatar

Newbie
Newbie

Posts: 21

Joined: Mon Nov 09, 2009 8:59 pm

Post Wed May 05, 2010 2:38 pm

Re: Vulnerabiltiy Found... Need Advice

Yeah. That's what I was the most afraid of. I don't have anything to hide, but I also don't want that kind of hassle. I also know the security policiy of the place I work at, and I wouldn't want to be me microscoped end.

Doesn't stop me from thinking about how much it would suck if the wrong person were to find this as well, but oh well.
CEHv7
MCSA:Security
CompTIA Security+
CompTIA A+
<<

What90

Full Member
Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Syndey, Australia

Post Wed May 05, 2010 10:31 pm

Re: Vulnerabiltiy Found... Need Advice

I'd like to know if I had a massive hole in my external network before it becomes "managed" by someone esle ;-)

You may want to contact a trusted 3rd party like the SANS Internet Storm Center and ask them to inform the company. If they can't help they may be able to point you in the right direction on whom to report this to.

http://isc.sans.org/contact.html

Worth a shot and then at least you've tried.
<<

Anquilas

User avatar

Full Member
Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Thu May 06, 2010 3:58 am

Re: Vulnerabiltiy Found... Need Advice

Tbh I would be glad if someone informed me about a vulnerability in my network :-/
Beats having to find it out by being attacked.

As long as you can inform him/her directly, and don't go through his colleagues or superiors (like, mail to info@companyinquestion.com to tell about the issue), he won't lose face and you will have helped him.

At least, imo ofc. :)

Hell, you can always make sure that he doesn't know who you are so that he can't sue you, I guess?
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.
<<

bamed

Newbie
Newbie

Posts: 48

Joined: Thu Mar 19, 2009 7:05 pm

Location: Joplin, MO

Post Thu May 06, 2010 8:27 am

Re: Vulnerabiltiy Found... Need Advice

The response you'd get would depend entirely on the admin.  Some people have a tendency to get defensive and will see you as a threat no matter what  your intentions.  If you're really convicted that something needs addressed, you could try to approach the admin anonymously, but even then you put yourself at risk.  Even if you send an anonymous email that can not be traced back to you, the admin is likely to start digging through some logs and may find if he's determined enough may still find something to track back to you.  Don't forget, you've already accessed the vulnerable area of their website.
Perhaps rather than an anonymous type saying, "I found login info at XYZ", maybe an anonymous tip, "Have you seen this GoogleFoo? It could turn up something interesting on your site."  Give him a chance to find it himself.
chown -R bamed ./base
<<

Xen

User avatar

Sr. Member
Sr. Member

Posts: 386

Joined: Tue Feb 03, 2009 3:59 am

Post Thu May 06, 2010 9:42 am

Re: Vulnerabiltiy Found... Need Advice

Every coin has two sides. One set of people (like me) will argue that you should just ignore it. It's not your network, it wasn't your duty to find the vulnerability and you never know how they might react. They might choose to reward you or put you under the scanner. So why bother with unnecessary trouble?

Others will say that reporting the vuln. is the right thing to do. Someone's network is at danger and who knows what kind of damage they might suffer.

I won't deny that had it been my network I would be happy if someone reported me a vuln., but I can't be sure about the other admins, can I?

In the end, it's your call. If you're determined to help the company (and willing to take the risk) you can go ahead and report it. But like What90 said, better do it via a third part like SANS Internet storm center or US CERT.
<<

j0rDy

User avatar

Hero Member
Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Sun May 09, 2010 3:33 am

Re: Vulnerabiltiy Found... Need Advice

this is a hard situation. being a white hat that i am, i would prefer to notify the company. then again it also depends largely on your personal situation. How old are you? are you working in the IT security field? have any certificates that prove you know what you are doing? these things influence the outcome of the reply mail (from thanks and plz come consult for us to get lost and you will hear from our lawyers).

another possibility: if you are not in it for the credits report it anonymously. just send an email and let them decide what to do with it...

good luck and let us know what you decide (if possible).
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road i must travel alone...with a little help of EH.net
<<

inf3kt1d

User avatar

Newbie
Newbie

Posts: 21

Joined: Mon Nov 09, 2009 8:59 pm

Post Sun May 09, 2010 6:39 am

Re: Vulnerabiltiy Found... Need Advice

j0rDy wrote: How old are you? are you working in the IT security field? have any certificates that prove you know what you are doing? these things influence the outcome of the reply mail (from thanks and plz come consult for us to get lost and you will hear from our lawyers).

another possibility: if you are not in it for the credits report it anonymously. just send an email and let them decide what to do with it...

good luck and let us know what you decide (if possible).


Update::

Had decided to do an anonymous email, but didn't need to...
Guess this person had discovered the problem, or someone else was nice enough to fill them in. To answer the questions above
I am 25
I am working as a SysEng (& IRT Member of the org)
Added certs to my signature.
I was hoping for the former. Don't really care about the cred, but I did want them to ask for some help so that I could get some real world experience. The only experience I am getting now is from the IRT. Want to do as much as I can in the security spectrum so that I can decide where I would like to specialize.

Thanks for all of the responses!
CEHv7
MCSA:Security
CompTIA Security+
CompTIA A+
<<

Anquilas

User avatar

Full Member
Full Member

Posts: 169

Joined: Fri Mar 19, 2010 7:50 am

Location: Belgium

Post Sun May 09, 2010 2:02 pm

Re: Vulnerabiltiy Found... Need Advice

Shame that you didn't get a chance to report it, but good to hear that it's fixed.

Thanks for sharing it with the group!
Twitter: https://twitter.com/dietervds
Blog: https://synquell.wordpress.com (not much there yet)

The beginning of knowledge is the discovery of something we do not understand.

Return to Other

Who is online

Users browsing this forum: No registered users and 0 guests

.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software