Wednesday, April 11, 2007

Bad idea LII!

The Cornell Legal Information Institute runs a web service with, among other things, law information and court opinions.

It also runs a website begging to be hacked: when you cause one of its forms to fall over, it spills some interesting guts:
If you view the full picture, you happen to notice that it shows the EXACT perl code being executed. Most of the time, when a process fails, it will fail at the point of vulnerability, so that kind of thing gives the hacker exactly what they want.

Their raw error is even more helpful. It's like they attached an "ls" of their directory free of charge.

METAR KRDU 110351Z 18004KT 10SM FEW100 BKN150 BKN200 11/M02 A3007 RMK SLP182


2 Comments:

At 9:07 AM, Blogger Spider said...

LOL. now that is amusing.

I tried searching for everything twice, but it only needs it once. ;)

I've apparently got a different bug/case than you do. It was on the first try. They seriously needed to have done some case testing before they let it go live.

That perl code is rather amusing.

Exposes lots of variables/code here too (at least its not php):

____________________________http://www.law.cornell.edu/search/autohandler

^being difficult for a reason^

Oh.. SHIII! they've got some problems.

Should have been here.

Speaking of exposed information, there’s a nice rough view of the table structure in their database. I hope they are scrubbing for SQL injection attempts... ! O_O

(For their sake, I hope the php code is ok. 'Scriptkiddies' might eat this up.)

If you feel obligated you might want to warn them about it. Actually, sending them a patch would even be possible at this rate. >_< Might not be so good to be exposing the info the public so soon... unless the 'time period' is already up. ^_^;

At 11:54 PM, Blogger weather boy said...

It gets better. Try entering a space in the search query form. Voila! You've just found a new way to blow up their form:

error: SWISH::API=SCALAR(0x552c7b2940) : at /usr/local/lii/lib/SwishResultSet.pm line 292.

context: ...
288:
289: sub reportError{
290: my($self, $apperr) = @_;
291: my $swh = SWISH::API -> new($self -> {'dblist'});
292: die $apperr . ' : ' . $swh -> ErrorString();
293: }
294:
295:
296: ## Validation and testing routines
...

code stack: /usr/local/lii/lib/SwishResultSet.pm:292
/usr/local/lii/lib/SwishResultSet.pm:75
/var/www/html/search/autohandler:295
/var/www/html/search/autohandler:118

It's like they don't expect people to pass weird input to their scripts. A number of special characters do this.

So the only thing that's really left to do is to find a way to get them to echo down their script in plain text to really compromise their security. I'm sure someone probably could do this....

I'll probably send them an email telling them that they have "serious" security vulnerabilities that could potentially be exploited. The site is high traffic enough that it would cause a significant disruption if it were hacked.

METAR KRDU 200251Z 36003KT 10SM OVC050 11/06 A3000 RMK SLP161 30001
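The error page quoted in the comment above hands out file paths, source lines and a call stack to whoever typed a space into the form. As an added example (not code from the LII site, whose handler is Perl/Mason), this Python sketch shows the pattern a defender wants instead: reject input the backend is known to choke on before it gets there, and when the backend still fails, keep the traceback in a server-side log and return only an opaque incident id. `swish_search` is a constructed stand-in for the real search module.

```python
import logging
import traceback
import uuid
from io import StringIO
from typing import Optional, Tuple

def swish_search(query: str) -> list:
    """Constructed stand-in for the SWISH-backed search module: it rejects an
    all-whitespace query (the case in the error dump) and an unbalanced quote."""
    if not query.strip():
        raise RuntimeError("SWISH::API: empty query string")
    if query.count('"') % 2:
        raise RuntimeError("SWISH::API: unterminated quoted phrase")
    return ["opinion matching %r" % query]

# In-memory log so the example runs stand-alone; a real deployment writes to a
# file the web server user can write and that is never served to clients.
LOG = StringIO()
log = logging.getLogger("search")
log.addHandler(logging.StreamHandler(LOG))
log.setLevel(logging.ERROR)

def validate_query(query: str) -> Optional[str]:
    """Return a user-facing problem description, or None if the query is usable."""
    q = query.strip()
    if not q:
        return "Please enter a search term."
    if len(q) > 256:
        return "Search term is too long."
    return None

def handle_search(query: str) -> Tuple[int, str]:
    """Return (HTTP status, response body). Diagnostic detail never reaches the body."""
    problem = validate_query(query)
    if problem:
        return 400, problem
    try:
        return 200, "\n".join(swish_search(query))
    except Exception:
        incident = uuid.uuid4().hex[:8]
        # Paths, line numbers and variable values stay server-side, keyed by incident id
        # so support staff can still find them.
        log.error("search failure %s query=%r\n%s", incident, query, traceback.format_exc())
        return 500, "Search is temporarily unavailable (incident %s)." % incident
```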

