My local newspaper has started printing a "Busted" section, which I really enjoy, that shows the photos of recently busted people from in and around the area where I live. At the bottom of the small print is a URL that, when accessed, will take you to the county sheriff's web site, where you can request extra patrols for your neighborhood, get tips on how to start a neighborhood watch, and, most importantly, see Inmate Information such as first_name, last_name, charges, bond, cell No. and photo.
When accessing inmate information you have the choice of "Search by Name", "Search by Date", or clicking one of the letters that span the top of the site; clicking one of these letters lists every inmate whose last name corresponds to the letter, no big deal. What is interesting is that choosing one of the other options will present you with a text input box (or boxes) that will execute (server side) just about anything you ask it to if you ask really nice and say SIR, and, on a side note, calling it OFFICER helps a lot too and gets it motivated, even though it's just a turnkey and doesn't have a gun.... Yet.
Now, when I said execute anything, I understand that I left the "execute" possibilities wide open, and I left it wide open on purpose. There is very little that will not be executed by the server, including SQL commands and ALL <script></script> tags. <--- if the forum sanitized that, it's supposed to be "script /script" with tags. The server also has 17 open ports, so I wonder if it has a firewall at all.
I'm sure about now you're thinking "A state/county-run site that seems like it wants to be hacked has got to be a trap." Remember that I live where people are so lazy that instead of saying "Good Morning" they just say "mornin'" and never even adjust their eyes on you, so it's no wonder that cyber security could be less than standard. And this is really not a state/county-run site, more like some good ole boys just trying to please the county's demanding public, as the site is only accessible as an IP on a non-default port (8088) and no DN.
So, of course, I report it.
Ring, Ring.... "911, what's your emergency?" ... "Ummm, ALL YOUR BASES ARE BELONG TO US!!!" ... click
No, No, really, I called the sheriff's office and spoke to a completely incompetent "officer" who, after I explained the situation, replied with "What is it that you want me to do, sir?" ... "I don't know, maybe tell some'who, or at least connect me with some'who, that maintains the site that is connected to your booking database that is "vulnerable," I mean, that is in trouble and could cause the shit to hit the fan. I dunno if it's right, just to me that is, being able to change why Bubba is in jail again and, furthermore, possibly release him if I chose. Whatta you think? I could be wrong. I guess." ... "No one'ssss is in the office, sir, you'll hav'ffa call baaack on muuuunday." "OK" ... click.
Ok, so I begin to rethink my position in all of this, and to make sure all my information is in order I go back to the small-print URL that I found on the "BUSTED" page. As it turns out, and no surprise, I'm wrong about (at least) one thing. The "******* County Sheriff's Office" website is not affiliated with the site that is hosting the inmate information. WTF?
Even though the "non-affiliated site" is embedded as a link in the county's site, they have a disclaimer stating that the content is not guaranteed and is not affiliated with the *.. County's site, in the HTML as a comment (as of several days ago they have a pop-up warning stating that the site is not affiliated). Why embed the link to the point that, if you didn't look at the status bar and/or the URL in the address bar, you would have no idea that you left the site... down to the same logos, headers, footers and borders, and a duplicate /images dir, even the ones that didn't get used? ... I dunno.
UPDATE: it's been a month since the above happened and nothing has changed, after sending a very detailed e-mail to the site's admin (actually, the company that maintains the sheriff's site) explaining and giving "cut and paste" examples and explaining how easy it would be to correct the problems. I did get an e-mail back from the admin stating that he/she would look into it. A month later, nothing has changed.
So, should I continue to "harr..ass" the admin about the security and the fact that user input is not being sanitized at all, or should I just walk away from the whole situation? Furthermore, should I release this into the wild? Would it be immoral and/or illegal? It's just a matter of time before someone who knows how to, and has the balls to, DROP TABLE or worse stumbles across this site.
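For readers who want to see concretely what "user input is not being sanitized" means for a "Search by Name" box like the one the post describes, here is an added, self-contained example. It is not code from the sheriff's site or from the company that maintains it; the table layout uses the column names the post lists (first_name, last_name, charges, bond), but the rows, the search functions and the in-memory SQLite database are all constructed for illustration. It shows the string-built query the post's behaviour implies (a quote in the search box ends the SQL string literal, so a tautology dumps every row and, on a backend that accepts stacked statements, a DROP TABLE rides in on the search), the parameterized query that closes that hole, and the output encoding that keeps a stored <script> tag from being rendered as markup.

```python
import html
import sqlite3

# Constructed stand-in for the booking database the post describes: the
# column names are the ones the post lists; the rows are invented.
SAMPLE_INMATES = [
    ("Bubba", "Smith", "public intoxication", 500),
    ("Jane", "Doe", "trespassing", 250),
]


def make_db():
    """Fresh in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE inmates "
        "(first_name TEXT, last_name TEXT, charges TEXT, bond INTEGER)"
    )
    conn.executemany("INSERT INTO inmates VALUES (?, ?, ?, ?)", SAMPLE_INMATES)
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table of that name still exists (used to observe a DROP)."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (name,),
    ).fetchone()
    return row is not None


def search_vulnerable(conn, last_name):
    """'Search by Name' built by string concatenation, the pattern the post's
    description implies: the form value is pasted into the SQL text, so a
    quote in it closes the literal and the remainder is parsed as SQL."""
    sql = (
        "SELECT first_name, last_name, charges, bond FROM inmates "
        "WHERE last_name = '%s'" % last_name
    )
    return conn.execute(sql).fetchall()


def search_vulnerable_stacked(conn, last_name):
    """Same string-building on a backend that runs several statements per
    request (modelled here with sqlite3's executescript). This is the path
    that lets a DROP TABLE or an UPDATE ride in on a search box."""
    sql = (
        "SELECT first_name, last_name, charges, bond FROM inmates "
        "WHERE last_name = '%s'" % last_name
    )
    conn.executescript(sql)


def search_safe(conn, last_name):
    """Parameterized query: the driver binds the value separately from the
    statement text, so whatever was typed is compared as data, never parsed
    as SQL. The same tautology payload simply matches no row."""
    sql = (
        "SELECT first_name, last_name, charges, bond FROM inmates "
        "WHERE last_name = ?"
    )
    return conn.execute(sql, (last_name,)).fetchall()


def render_cell(value):
    """Output encoding for the HTML side: a <script> tag that was stored in a
    field, or echoed from the search box, comes back as inert text."""
    return "<td>%s</td>" % html.escape(str(value), quote=True)


if __name__ == "__main__":
    conn = make_db()
    print("honest search    :", search_vulnerable(conn, "Smith"))
    print("tautology dump   :", search_vulnerable(conn, "' OR '1'='1"))
    print("same input, bound:", search_safe(conn, "' OR '1'='1"))
    print("escaped cell     :", render_cell("<script>alert(1)</script>"))
    # Balanced-quote payload: the trailing SELECT keeps the SQL well-formed.
    search_vulnerable_stacked(conn, "'; DROP TABLE inmates; SELECT '")
    print("table still here :", table_exists(conn, "inmates"))
```

Run it as a script and the honest search returns one row, the tautology returns both, the bound query returns none for the same text, and after the stacked payload the table is gone. Parameterization is the fix for the SQL side; the `render_cell` step is the separate fix for the `<script>` side, since escaping on output is what stops stored or reflected markup from executing in a visitor's browser.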