The Belgian royal family hasn't fully grasped IT security just yet
Posted by rhican - Wednesday January 4 @ 14:44
Cat: Bugs

First of all, Happy New Year everyone :)

Now let's start the new year with some funny stuff:
We do discover small mistakes in websites now and again: the classic XSS bug in a search field, or another SQL injection in a parameter. Often that is because we come across it while surfing or see a link in the chat channel, and just test a few well-known bugs. Most of the time we choose to email this to the webmaster, and sometimes we don't even bother because it would be a waste of the webmaster's time. However, we recently came across a bug that we just wanted to share with you all, because of its 'humoristic nature'.

It concerns the website of the Belgian royal family (www.monarchie.be). First of all we want to make a few things clear. We publish this to attract more attention to IT security as a whole, and because of its entertainment value. This isn't a Belgium vs The Netherlands competition, if for no other reason than that the author of this text is Belgian. Second of all, we don't have any political agenda against the monarchy (or anything related). It's just that the royals are thought to have enough money to create a solid, secure website (as far as that isn't a contradiction). This is especially true here because the often dreaded "Who would ever want to do that anyways" line isn't applicable in this case at all.

Alright, by now you are probably all wondering what was up with this site anyway: are we barking up the XSS tree again? No. SQL injection? No. This time it was the famous weak password. A login to the site's admin section, found at www.monarchie.be/admin, was:

Code:
test/test



Discovered: 31/12/2005
Notified webmaster: 1/1/2006
Login stopped working: 3/1/2006

Even though we didn't receive a reply, which is quite rude :), we do wish everybody a happy new year, and let's all stop using test/test as a login ;)

» Comments


ilias on 4 January 2006 15:00

OMG, ROFLMAO.
weak, weak, weak, weak!
moeha, nice job :-).

Kalkran on 4 January 2006 17:26

Great job rhican... :) As usual :P

Very funny bug lol :P

Jan-Pieter on 5 January 2006 13:18

Lol...
Btw Rhican, how did you get the idea to use test/test as user/pass ? Just coincidence? =)
Funny one :D

rhican on 5 January 2006 17:05

I usually try 2 or 3 combinations.

In this case I (would have) tried:
admin/admin
test/test
username/username (here that would be Monarchie-7801)

Most of the time I stop there, however if you would really want to continue, I would try combinations relating to the site. Here that would be some names of the Kings/Queen/Prinses ...

However I usually don't expect to guess the password, I am interested in how they handle the error. Whether or not there is information on the error page I could use. (And sometimes they even don't write the .htaccess properly, allowing you to access the page anyway)

rippawallet on 9 January 2006 17:31

hehe, that's funny

cracker-net on 17 January 2006 22:22

shame on that 'webmaster' :)
what i like is a variable include via $_GET :p
?p=.htaccess
you'd be surprised how many times that works.

oh yes, i learnt that from the challenge named "nice include system" :p

DFyNt2U on 22 January 2006 19:41

Actually, the same fault once occurred on the network of my old school (nope, not kicked, I got the degree already). Some ... didn't remove 'testuser/testuser' and since Novell login shows the entire userlist with <tab> (at least that one did). I just had to try (about 3 years ago :P ). Not only did the pass offer login, but also facilitated full access to the home directories of all teachers as well as global normally-'readonly' areas. Fortunately the extra access for the account was removed not too long after.
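
An added example, not part of the original post or its comments: a defender-side audit that flags accounts in your own user store whose password is the username itself or one of the placeholder words mentioned on this page (test, admin, testuser). The record layout, the PBKDF2 scheme and the sample accounts are assumptions constructed for the sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch
PLACEHOLDERS = ["test", "admin", "testuser"]  # words named on this page


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256, standing in for whatever scheme the site uses."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_account(username, password):
    """Build a constructed account record holding only a salt and a hash."""
    salt = os.urandom(16)
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def candidates(username):
    """Trivial passwords to reject: the username itself, then the placeholders."""
    return list(dict.fromkeys([username, username.lower()] + PLACEHOLDERS))


def audit(accounts):
    """Return (username, reason) for every account with a trivial password."""
    findings = []
    for acct in accounts:
        for guess in candidates(acct["user"]):
            digest = hash_password(guess, acct["salt"])
            if hmac.compare_digest(digest, acct["hash"]):
                if guess.lower() == acct["user"].lower():
                    reason = "password equals username"
                else:
                    reason = "placeholder password '%s'" % guess
                findings.append((acct["user"], reason))
                break
    return findings


if __name__ == "__main__":
    # Constructed sample accounts, not real data.
    sample = [make_account("test", "test"), make_account("webmaster", "test"),
              make_account("editor", "correct horse battery staple")]
    for user, reason in audit(sample):
        print(user, "->", reason)
```

The same `candidates()` list can be checked at password-set time, when the plaintext is still available, so such an account never reaches production.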

