Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Who's got it? Who's giving it away? How to protect your privacy and steal it from other people. For intellectual privacy, personal privacy, and blackhats alike... 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Criminal Records and other things at a site
Posted by: FR3DC3RV
Date: February 22, 2007 12:45PM

Recently i've found a website that has a list of people,mail,faxes,phones,criminal records, sexual offenders,etc.
It's http://Gov-Records.com
Normally you would have to pay from 9.95$(min) to 35.95$(max), however there is an SQL Injection at the Login.:)
(How can such a thing happen in a site of this kind?But there is more!!)
Username: ' OR ''='
Password: ' OR ''='
(Pretty simple,They don't hide the SQL errors,so i start to doubt if they know what SQL injection is)
After your login, you can do searchs...that are vulnerable to XSS:)
<script>alert('XSS')</script>
(Do they know what XSS is?Maybe not!!)
I didn't spent too long studying this site but i guess that there are other bugs on it.

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: rsnake
Date: February 22, 2007 11:01PM

Sounds bad, but this sort of stuff really belongs in the full-disclosure section of the site where other people looking for this stuff are likely to search.

Nice find though. Did you email the admins? Seems like a huge breach.

- RSnake
Gotta love it. http://ha.ckers.org

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: FR3DC3RV
Date: February 23, 2007 12:01PM

Yes, i have already emailed the admin. Let's see how long will they take to fix the bugs.

Now on, i will post stuff like that on the Full Disclosure.

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: iota
Date: February 24, 2007 09:51AM

Haven't still patched!

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: iota
Date: February 25, 2007 04:52AM

Patched!

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: FR3DC3RV
Date: February 25, 2007 05:19AM

I don't think so, iota.
I think that you've wrongly entered the SQL injection because i've tryed and i managed to enter.

It's sad but they haven't patched.If they take too long i will start spamming them with mails alerting to the bug.

Options: ReplyQuote
Re: Criminal Records and other things at a site
Date: February 25, 2007 07:48PM

Shouldn't have even bothered. The site is so useless it's a scam for the money they charge. All they do is link you to other services, and who the hell cites Ebaumsworld for anything other than content theft anyway?


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Options: ReplyQuote
Re: Criminal Records and other things at a site
Date: March 02, 2007 05:38PM

By the way even if they did (or do) patch this you can simply visit the "/members" directory as there's no authentication needed.


Awesome AnDrEw - That's The Sound Of Your Brain Crackin'
http://www.awesomeandrew.net/

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: iota
Date: March 04, 2007 07:21AM

yeah.
even if they are informed of such flaws, they ignore it.
it's time to do something. uh?

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: FR3DC3RV
Date: March 04, 2007 11:25AM

What do you suggest,iota?

-------------------------------
http://fr3dc3rv.blogspot.com



Edited 1 time(s). Last edit at 03/15/2007 12:08PM by FR3DC3RV.

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: the_taoist
Date: April 04, 2007 11:24AM

Can't ya just fix for'em, and send them a by the minute bill.
I'm a noob or I would; for giggles.

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: FR3DC3RV
Date: April 07, 2007 05:06AM

@the_taoist
No i can't. It would be nice but i am not the webmaster from that company.

-------------------------------
http://fr3dc3rv.blogspot.com

Options: ReplyQuote
Re: Criminal Records and other things at a site
Posted by: FR3DC3RV
Date: May 17, 2007 12:18PM

It looks like both the sql injection and the /memebers flaws are fixed.

-------------------------------
http://fr3dc3rv.blogspot.com

Options: ReplyQuote


Sorry, only registered users may post in this forum.