
Websmart addresses SQL Injection Vulnerability

Thu, 5th December 2013, 17:17

Sam Bowne has been teaching computer networking and security classes at City College of San Francisco since 2000. Bowne and his students have been identifying vulnerable websites and notifying their administrators for several years now. The high-profile companies, universities, and government agencies they contacted about vulnerabilities were polite and thankful. Bowne and his students have also contacted hundreds of small businesses to warn them of SQL injection vulnerabilities; although most ignored the notifications, every one that did respond was friendly and grateful.

Although many companies pay bounties for exactly this kind of information, one particular tech company has taken great exception to Sam Bowne and his horde of websurfing vigilantes shining a light on a SQL injection vulnerability.

While reading a pastebin dump of SQLi-vulnerable websites, Sam Bowne noticed "Web Site by Websmart Inc." in the footer of one page and wondered whether other sites from the same developer were vulnerable. Finding more, Bowne sent notifications to the administrators of eleven vulnerable sites, and to the developer… Websmart.

 

The email that incensed Websmart

Sent on Saturday, Oct. 6, 2013

To: info@websmartconsulting.com

Re: Insecurity of Websites from Websmart, Inc.

Hello:

I am Sam Bowne, an instructor in Computer Networking and Information Technology at City College San Francisco.

I am writing this to inform Websmart, Inc. and several of its customers, of a critical security vulnerability in many of Websmart's websites. In particular, all these sites are vulnerable to SQL injection: (editor's note: I've redacted the website email addresses and URLs, not because I should, but because it keeps my post shorter!)

I tested 14 Websmart websites, and 11 of them were vulnerable. Google found over 100,000 pages made by Websmart, Inc., so this is an enormous problem affecting many businesses and customers. These are all SQL Injection vulnerabilities, which make it trivial for any amateur hacker to steal your data, and often allow a hacker complete control of your servers.

Because of the number of websites affected, I don't think I can ignore this. This is by far the most important security problem I have ever discovered. So, please reply to this message and let me know what you intend to do. If I get no reply by October 12, 2013, I will pursue more drastic remedies, such as contacting news media.

The technical details of the problem, suggested fixes, and the method I used to find it are in the Appendix. Please contact me to let me know what you intend to do about this. If you have any questions, I would be happy to address them.
Thank you,
Sam Bowne
sbowne@ccsf.edu
Website: samsclass.info

------------------

Bowne also included an appendix with the email, detailing exactly why he was examining Websmart websites, his initial test results, and potential fixes for the vulnerability. HostJury encourages readers to visit Sam Bowne's webpage to read the appendix in full, as well as other details we have excluded for the sake of brevity.

 

Owen Smart Responds

Mr Bowne

I appreciate your observations and information, and we will look into this. Thank you for bringing this to our attention. Of course this is something we are concerned about.

I do not appreciate you taking the liberty of contacting my clients directly. This is highly unprofessional. I do not appreciate your 'ultimatum' - nor your scare tactics that no doubt will have an impact on our customers. I am very tempted to notify your superiors of this misconduct.... you have no right or authority here. You could very well damage my business with this. If that happens you will be hearing from our lawyer.

Any further correspondence on this matter may be directed to me and me alone. Like I said, I appreciate your information.... I really do, but contacting my customers directly is way out of line and I believe well outside of your mandate with your employer.

Thank you.
Owen Smart
President Websmart Inc.

After some soul searching, which included contacting media outlets and a security firm, Sam Bowne responded to Owen Smart:

Mr. Smart:

I'm happy that you responded so quickly to my vulnerability report, and I'm sorry if I came across as threatening in any way -- it was not my intention. However, I think we got off on the wrong foot and I'd like to move forward with what we both want, which is to get these issues addressed as quickly as possible.

As far as informing your customers, I felt it was reasonable, given the fact that they have active vulnerabilities that could be impacting their own businesses and were in more direct risk of attack than your company.

Let's move forward cooperatively and work to get these issues resolved. As I mentioned, I'm happy to answer any questions you have about the vulnerabilities, and I'd be willing to test the fixes if that would help.

Looking forward to working with you cooperatively.

--Sam 

 

Websmart gets nasty

Owen Smart's second response to Sam Bowne... and to his employer, City College of San Francisco

Dear Mr Bowne

Someone has been emailing my clients and myself, essentially interfering in my business - claiming to be you. Please see the email below. I want to confirm whether this is legitimate and if this is really coming from you Sam Bowne. As this has been highly unprofessional, I sincerely hope it is just a bad prank.
Please advise.
Thank you
Owen R. Smart
President, Websmart Inc. 

 

Owen Smart's Email to a CCSF Department Chair

From: Owen Smart Date: Thu, Oct 10, 2013
Subject: Sam Bowne
To: REDACTED
Hello REDACTED

I understand you are the Department Chair for COMPUTER NETWORKING AND INFORMATION TECHNOLOGY DEPARTMENT at City College of San Francisco? Would you be the supervisor or authority for Mr. Sam Bowne?
I need to speak/email someone at the college to file a complaint regarding Mr. Bowne's conduct as it pertains to our business, since he is using the college's name as part of his activities.

Please advise.
Thank you
Owen R. Smart President, Websmart Inc.

 

So what's next

Rather than address the vulnerabilities raised by Sam Bowne, Websmart president Owen Smart chose instead to shoot the messenger… or at least that is the impression these email exchanges leave.

Bowne's first disclosure email did have some effect: three of the eleven sites were fixed within a few days. The remaining eight were still vulnerable as of Oct 15, 2013, which is consistent with Bowne's previous experience: only a small fraction of sites notified about SQL injection fix it, and very few of them reply to the notice.

Some readers may agree with Owen Smart that contacting Websmart's clients was unacceptable, and that Websmart should first have been given the opportunity to address the vulnerabilities. A valid point, except that, as Sam Bowne establishes, this vulnerability was not new at all: the whole matter had been published in 2010.

From: http://1337day.com/download/13244
Material's title: Websmart XSS/SQL Injection Vulnerability
Category: web applications
Platform: php

========================================
Websmart XSS/SQL Injection Vulnerability
========================================


####################################################
# websmart SQL Injection Vulnerability [ Multiple Vulnerabilities ]

####################################################
# Vendor: http://www.websmartconsulting.com/
# Discovered by : cyberlog
# Site : Sekuritionline.net
# Channel : #SekuritiOnline [ Now Just My Bot ]

# Dork : " Web Site by Websmart Inc Or Visit http://www.websmartconsulting.com/portfolio.php "

# Exploit : [site]/page.php?PageID= [SQL Injection]
[site]/news_item.php?NewsID= [SQL Injection]
[site]/display.php?PhotoID= [SQL Injection]
[site]/portfolio_profile.php?ClientID= [SQL Injection]
[site]/photogallery_full.php?ImageTypeID= [SQL Injection]
[site]/gallery_album.php?category= [SQL Injection]

# XSS/HTML Injection : [site]/page.php?PageID=XSS

# Thanks : r0073r,adhietslank, k1n9k0ng, cr4wl3r,cah_gemblunkz,
jayoes,thesims,setiawan,irvian,EA_Angel,BlueSpy,SoEy,A-technique,Jantap,KiLL,blindboy,sukam,
SarifJedul,wiro gendeng,Letjen,ridho_bugs,Ryan Kabrutz,Mathews,aurel666,Inoef,dbanie,

# special to Mama Sri Rahayu, Member & Staff Sekuritonline, C0li a.k.a antisecurity [ borrowed his perl script ] ,
# Hiroyuki Doni thanks to create New design SO T-shirt P
# Inj3ct0r Now Brothers with Sekuritionline

####################################################
# Demo:
# http://localhost/display.php?PhotoID=[SQL Injection]
# http://localhost/display.php?PhotoID=cyberlog bukan hacker
####################################################

We never die !!!! Indonesian Underground Community
!!!!! dogs to the rogue government officials who like to pocket the people's money !!!
!!!!! dogs too to the Indonesian site admins who think they're so great, and get mouthy when told there's a hole !!!!!

KacrUt I h@te U [ if you don't want me to say LOv3 ]
Give me NOCAN Brothers
am nt hacker just Lik3 Syst3m S3curity


# 1337day.com @ http://1337day.com/
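The advisory above lists URLs such as [site]/page.php?PageID= as injectable, and Bowne's email describes the same class of bug, but neither shows what the defect looks like in code or how a tester tells a fixed site from a broken one. The following is an added example, written for this post and not taken from Websmart's code, Bowne's appendix, or the 1337day advisory. It models a PageID lookup in Python against an in-memory SQLite table (the table, its rows, and the function names are all constructed here for illustration), shows the string-concatenation anti-pattern beside a parameterized fix, and includes the kind of boolean-based probe (`1 AND 1=1` versus `1 AND 1=2`) that a notifier like Bowne can use to confirm a vulnerability without extracting any data.

```python
"""Added example: SQL injection via a PageID parameter, and its fix.

Not code from the HostJury post, Websmart, or the 1337day advisory.
The table, rows, and function names are constructed for illustration.
"""
import sqlite3

# Constructed sample data standing in for a site's page table.
PAGES = [
    (1, "Home", "Welcome to the site"),
    (2, "About", "Who we are"),
    (3, "Admin notes", "internal only"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (PageID INTEGER, Title TEXT, Body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, page_id: str) -> list:
    """The anti-pattern: the raw query-string value becomes part of the SQL text.

    A request for PageID=1 OR 1=1 therefore returns every row, and
    PageID=1' produces a database error that leaks the bug to any tester.
    """
    sql = "SELECT PageID, Title FROM pages WHERE PageID = " + page_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, page_id: str) -> list:
    """The fix: validate the expected type, then bind the value as a parameter.

    The driver sends the value separately from the statement, so no part
    of the input is ever parsed as SQL.
    """
    if not page_id.isdigit():
        return []
    return conn.execute(
        "SELECT PageID, Title FROM pages WHERE PageID = ?", (int(page_id),)
    ).fetchall()


def looks_injectable(lookup, conn: sqlite3.Connection) -> bool:
    """Boolean-based probe a notifier can run without reading any data.

    If a true clause (AND 1=1) and a false clause (AND 1=2) appended to an
    otherwise valid ID change the result set, the ID is being interpreted
    as SQL. A database error on either probe is treated as the same signal.
    """
    try:
        with_true = lookup(conn, "1 AND 1=1")
        with_false = lookup(conn, "1 AND 1=2")
    except sqlite3.DatabaseError:
        return True
    return with_true != with_false


def run_demo() -> dict:
    """Exercise both lookups and both probes; returns results for inspection."""
    conn = make_db()
    return {
        "vuln_normal": vulnerable_lookup(conn, "1"),
        "vuln_tautology_rows": len(vulnerable_lookup(conn, "1 OR 1=1")),
        "safe_normal": safe_lookup(conn, "1"),
        "safe_tautology": safe_lookup(conn, "1 OR 1=1"),
        "vuln_injectable": looks_injectable(vulnerable_lookup, conn),
        "safe_injectable": looks_injectable(safe_lookup, conn),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The probe deliberately uses a clause that adds nothing on its own (AND 1=1) rather than a tautology (OR 1=1), so that a hardened endpoint, which rejects or fails to match the whole string, gives the same answer to both probes and is correctly reported as not injectable; comparing a normal request against `1 OR 1=1` alone would misclassify the fixed version, because it returns an empty result instead of the single matching row.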

 

Conclusion.. well not really.

Sam Bowne has concluded that the developer doesn't care that his products are defective, and neither do his customers. And since, apparently, none of them has been hacked yet, they will continue to blissfully imagine that security is not important. Bowne also concluded that the press doesn't care: this is not a new, sexy exploit, just an old, stupid problem no one has bothered to clean up yet, like gum on the sidewalk.

HostJury respectfully disagrees with Sam's conclusion. Bowne's first disclosure email did have some effect: three of the eleven sites were fixed within a few days. Considering Websmart's business model (not the one that ignores threats and vulnerabilities, but the other one, managing websites on a client's behalf), there is no way to ascertain whether the original emails Bowne sent actually reached the clients, were simply forwarded to the website administrator (aka Websmart), or, better yet, landed in the spam folder!

HostJury has contacted Owen R. Smart President, Websmart Inc. for comment and will update the post accordingly...

 

Owen Smart Responds to HostJury 

Hi David!

Thank you for your note and I appreciate you asking.

To be perfectly honest with you, I have been personally horrified with Mr Browne's aggressive and arrogant conduct. I did thank him for pointing out the security issues, and yes we are looking at them and dealing with them as we can. As I had indicated in my email to him, it is of concern and is being looked after.

But instead of being okay with that and moving on Mr Browne has continued to aggressively threaten myself and my clients. I wish to point out that Websmart does not work for Mister Browne and I am not accountable to him.

Mr Browne's threats and ultimatums to myself and then to my clients is, well, threatening and I don't like being threatened. I do not have an issue with him pointing out the vulnerabilities, I do have an issue with his conduct. I had attempted to contact his supervisor by phone and by email to complain about this conduct, but I never received a response from the college.

Mr Browne has posted confidential emails from me,(one he never responded to and I have not heard from him again) without my permission, not to mention an email to his supervisor which was not sent to him, but somehow ended up on his website. Those are both serious breaches of privacy.

Two reporters ignored his requests and rightly so, and a third questioned his ethics and I agree. Coming from a media background myself, I would have told him the same thing.

For someone of his standing and credentials to behave like this is disturbing and using his position to give himself credibility, and that institution allowing such conduct, is disturbing to me, and an abuse of his position at the college. He has emailed my clients again and essentially lied to them.

I believe Mr. Browne is very passionate about security, and that's great - we need people like that - we are all passionate about something. However this approach is just plain wrong.

Mr Browne claims on his page that we have built 100 000 websites and he sees my company as some big threat. He is under some illusion that we are a big corporation out to rip off the world. Truth is, this is a small one-man operation with less than 100 clients and we only host our own clients, and they all know me pretty well. At best, MAYBE we've produced 500 hundred web sites in just under 20 years.

He claims we knew about these security issues for years and did nothing. Again, simply not true. I was not aware of these earlier posts he talks about.

My customers for the most part have trashed his email on their own. They too are horrified by his conduct, in fact most of them thought it was spam. My clients are calling him things like "a nut job", "whack job", crazy", and have advised me to not communicate with him at all.

At no time have I discounted the security concerns, I have them myself - and like I said to you, David, they are being addressed in an on-going basis and I appreciate knowing about them. If they were as serious as he claims, then I would have assumed the sites would have all been hacked and defaced by now.. and they have been live to the web for years... and still running.

For Mr Browne to go on and publicly defame myself and my company, calling me a thug, a criminal, a bully and not wanting to do anything about it, as he has told my clients, is just plain wrong. To me, Mr Browne's credibility is in question - facts are in error, conduct, breaches of privacy etc. He has jumped to conclusions and assumptions not based on fact.

Mr Browne is coming across as a bully. He has been labelled as one online. I am sure I have grounds for some serious legal action against the College and Mr. Browne personally - but that is really not something I want to pursue - but I do not like bullies or threats.

Thank you again David for trying to find out the rest of the story and not just going by what Mr Browne claims on his site - you may want to rethink the story, totally up to you on that one... Feel free to use my comments above, provided they are within context. (editor's note: This response has been added in its entirety, minus Owen's contact information.)

Conclusion.. maybe

Sam Bowne does have a noble calling, even if at times it's a thankless one. Security on the web affects us all, and issues need to be addressed as they arise. Still, a little niceness goes a long way!

 

About Sam Bowne

Sam Bowne has given talks at DEFCON, BayThreat, LayerOne, Toorcon, and lightning talks at HOPE on Ethical Hacking, and taught classes and seminars at many other schools and teaching conferences.

He has a B.S. in Physics from Edinboro University of Pennsylvania and a Ph.D. in Physics from University of Illinois, Urbana-Champaign.

 

About Websmart

Web sites require dedicated effort to consistently update content, graphics, photos and answer site-related emails. For those not familiar with the technology, tools or even the language this can easily become a difficult, time consuming task. Let the experts at Websmart take care of those housekeeping details quickly and efficiently, freeing up valuable staff time for other duties. This will help ensure your web site is kept current both in its information and its contact within the Web World.

No computer program can replace what a live person can do. Nor can it provide the information, experience and creativity that is so often necessary in the quickly changing environment of the Internet. With our affordable and hassle-free Webmaster Support Packages, Websmart becomes your on-call Webmaster. Renewable annually, Support Packages are an economical way to update your web site and sustain your Internet presence. 
