[Owasp-singapore] [Fwd: Re: Leakage of private information of students]

Wong Onn Chee ocwong at usa.net
Sun Jul 19 23:35:14 EDT 2009


FYI.

Details and sanitised screenshots are uploaded to
http://www.infothatmatter.org/forum/topics/name-nric-sex-school-and


On 07/15/2009 12:05 AM, Wong Onn Chee wrote:
> For once, just want to let all of you see what the core team of
> organisers are doing silently.
>
> In future, we won't be sending such email correspondence to the group.
> We will publish our success cases on http://www.infothatmatter.org
> once the leaks are closed.
>
> -------- Original Message --------
> Subject: 	Re: Leakage of private information of students
> Date: 	Tue, 14 Jul 2009 23:58:34 +0800
> From: 	Wong Onn Chee <ocwong at usa.net>
> To: 	Pok Vic Sent <XXXX at litespeed.com.sg>
>
>
>
> Hi Vic Sent,
>
> On behalf of the SSMG and the general public, I thank you for your
> prompt action in closing the information leakage.
> Our subsequent checks have shown that the offending URL has been disabled.
> Appreciate your cooperation to ensure appropriate controls are put in
> place before access is given again.
> Thank you for your co-operation.
>
> Regards
> Onn Chee
> SSMG Organizer
>
> On 07/12/2009 11:46 PM, Pok Vic Sent wrote:
>> Dear Onn Chee,
>>
>> Thank you for your feedback. We will address this security issue and
>> evaluate a change in this functionality that was requested by our
>> schools.
>>
>> best regards
>> -------------------------------
>> Vic Sent POK
>> Group Chief Technology Officer
>> Litespeed Education
>>
>> -------------------------------
>>
>>
>> Wong Onn Chee wrote:
>>> Hi Tech Support,
>>>
>>> On behalf of the Singapore Security Meetup Group (SSMG -
>>> http://security.meetup.com/77), we would like to bring to your attention
>>> that the following URL on Litespeed web server allows the Name, NRIC,
>>> Gender, School and Timetable of minors/students to be exposed to the
>>> public without any access control.
>>>
>>> The offending URL is <URL removed>
>>>
>>> A sample of what we detected can be found at <URL removed>
>>>
>>> Given the increased usage of e-learning services due to the recent H1N1
>>> incidents, we appreciate that your company takes due care to protect the
>>> private information of students while providing valuable services to
>>> your customers.
>>>
>>> We hope that the offending URL, together with others which we may not
>>> have detected, can be better secured asap.
>>> Feel free to drop me a note or call if you have any further queries.
>>>
>>> Regards
>>> Onn Chee
>>> SSMG Organizer
>>>