OK, it sounds like a sensational topic, but it's actually true. It happened quite some time back (January), but I sat on it for some time to give them a chance to fix it.
Even though I believe in full disclosure, we have to be responsible to vendors and organisations too.
He clicked on the link from a web-based e-mail system and came to read the article. In doing so he passed a referral string to my site (this is a string holding the information of where you just came from; so if you came from a Google search on donkeys I'll get the referral string http://www.google.com.my/search?hl=en&q=donkeys&meta=).
So the referral string I got from the web-based e-mail page contained the session ID for the Editor who was reading his mail. This session ID wasn't cookie-based or machine-based; it was just a session ID carried in the URL, which enabled me to log straight into the Editor's e-mail.
The referral string I got was something like this: http://strmal.thestar.com.my/Xf3969c9b9d9b929c9a9e6012d8ab/rmail.41444.cgi?&mbx=Main
Xf3969c9b9d9b929c9a9e6012d8ab in this case is the session ID. Simply by entering this link into my browser I could access the Editor's mail account. I tested it and I could change everything except the password (as I don't know the existing password), but by sending mail from this account I could probably social-engineer the password to be changed.
I could read all of the mail in the inbox and other folders, and change any settings I wanted.
I even gave them a more accurate signature:
If everyone is using this webmail system I could easily hijack their accounts too. This would be done by sending an HTML mail with a simple image embedded inside, hosted on my domain; when the mail loaded it would load the image remotely (which your webmail allows, I checked) and I would have the referer URL again in my web logs with the relevant session ID.
Again, I could just paste this into my browser and access the account of anyone using this webmail software.
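The root cause above is a session identifier carried in the URL, which every browser copies into the Referer header when the user follows a link or loads a remote image. As an added example (not from the original post or from The Star), the check below flags URLs that carry such a token in the path or query string, so a webmail developer can run it over the links and redirects their application generates; the heuristic thresholds and the parameter-name list are my assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Added example: detect session-like tokens in URLs before they can leak via
# the Referer header.  The remediation is to keep the session in a cookie
# (HttpOnly) and to send "Referrer-Policy: no-referrer" on webmail pages.

# Assumed: query parameter names that conventionally hold a session identifier.
SESSION_PARAM_NAMES = {"sid", "sessionid", "session_id", "phpsessid", "jsessionid", "token"}

HEX_CHARS = set("0123456789abcdefABCDEF")


def looks_like_token(value: str, min_len: int = 16, hex_ratio: float = 0.8) -> bool:
    """Heuristic: a long run of mostly-hex characters with no dots or slashes.

    'rmail.41444.cgi' fails (dots, too short); the webmail session ID passes.
    """
    if len(value) < min_len or not re.fullmatch(r"[A-Za-z0-9_-]+", value):
        return False
    hex_count = sum(1 for c in value if c in HEX_CHARS)
    return hex_count / len(value) >= hex_ratio


def find_url_session_tokens(url: str) -> list:
    """Return (location, value) pairs for every suspected session token in url."""
    parts = urlsplit(url)
    found = []
    # Path segments such as /Xf3969c9b9d9b929c9a9e6012d8ab/ in the post.
    for segment in parts.path.split("/"):
        if looks_like_token(segment):
            found.append(("path", segment))
    # Query parameters: flag by well-known name or by token shape.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAM_NAMES or looks_like_token(value):
            found.append(("query:" + name, value))
    return found


# Constructed sample input: the webmail URL quoted in the post and the
# ordinary search-engine URL used as a comparison.
WEBMAIL_URL = "http://strmal.thestar.com.my/Xf3969c9b9d9b929c9a9e6012d8ab/rmail.41444.cgi?&mbx=Main"
SEARCH_URL = "http://www.google.com.my/search?hl=en&q=donkeys&meta="

if __name__ == "__main__":
    for url in (WEBMAIL_URL, SEARCH_URL):
        print(url, "->", find_url_session_tokens(url) or "no session token in URL")
```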
It shows the current state of Information (in)Security in Malaysia.
I did of course e-mail them as soon as I found it and told them how to fix it.
This is just for your information.
The Global Malaysian Network is an initiative by The Star Malaysia (www.thestar.com.my) to facilitate networking and to tap into the resources, knowledge, skills, investment and contacts that Malaysians can offer to other Malaysians wherever they are in the world. The directory requires members to submit their personal details including their name, marital status, postal address, contact details, professional/occupation information and even educational background details.
Due to bad programming practices and unchecked variables there are several SQL injection vulnerabilities in the web application that powers the GM Directory. By manipulating the input strings a malicious attacker could potentially compromise the security of the database server and disclose any content within the database including private and sensitive information of the Directory members.
Owned by my friends over at Hack in the Box yesterday.
So The Star, I reckon you need to buck up your ideas when it comes to Infosec 🙂