A Security Vulnerability Let Anyone “Rewrite the Laws” of Gibraltar
To an everyday internet user, this doesn’t mean much, but when the front page of HM Government of Gibraltar Laws and Legislation website looks as follows, a techie would get suspicious. Notice the Secure Site logo at the bottom now as this is going to get interesting!
The outlink mentioned above, when clicked, displayed PDFs of laws and amendments under the Gibraltar Immigration Act, as predictable:
Output of the link with a single quote added:
Unlike the previous few pages, which showed links to PDFs of laws and amendments, nothing appeared other than the page header for the link with a ' at the end, or so it seemed at first glance. This could just have been an error due to a "bad URL," i.e. a 404 — not found page. Upon selecting and highlighting the entire page, however, the black-on-black text suddenly became visible!
Error in query: SELECT * FROM `article` WHERE group_id='000000062'' AND category='c'. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'c'' at line 1
along with the fields that follow, giving an attacker the perfect opportunity to craft malicious input accordingly.
would be processed by a database engine normally, as a value. A crafted input provided in place of the username, like
may instead cause a vulnerable system to let an attacker access the user’s (Michael’s) account without requiring a password.
or an invalid value dumped all PDFs:
) on the webpage, or a name with one, such as Derick O’Brian, will lead to a rather verbose SQL error message:
Error in query: SELECT * FROM industrial_tribunal_judgement WHERE itj_title LIKE '%'%' OR itj_case_number LIKE '%'%' OR itj_keywords LIKE '%'%' AND itj_keywords LIKE '%%' AND itj_keywords LIKE '%%' AND itj_keywords LIKE '%%' AND itj_keywords LIKE '%%' AND (itj_tribunal = 'dummy' OR itj_tribunal = 't' OR itj_tribunal = 'a') AND (itj_type = 'dummy' OR itj_type = 'j' OR itj_type = 'd' OR itj_type = 'r') ORDER BY itj_date_passed DESC. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '%' OR itj_case_number LIKE '%'%' OR itj_keywords LIKE '%'%' AND itj_keywords LI' at line 1
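The two error messages above come from building the query by pasting user input straight into the SQL string. The following added example (not code from the site or from the author) reproduces that pattern against a constructed in-memory stand-in for the `article` table, and places the parameterized version beside it; the table schema, the row data and the function names are assumptions.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's `article` table (schema assumed)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE article (id INTEGER PRIMARY KEY, group_id TEXT, category TEXT, title TEXT)"
    )
    con.executemany(
        "INSERT INTO article (group_id, category, title) VALUES (?, ?, ?)",
        [
            ("000000062", "c", "Immigration Act - amendment (sample)"),
            ("000000062", "d", "Immigration Act - consolidated (sample)"),
            ("000000063", "c", "Another Act - amendment (sample)"),
        ],
    )
    return con


def vulnerable_lookup(con, group_id, category):
    """Mirrors the pattern the error message reveals: input pasted into the SQL text.

    A stray quote breaks the statement, and the handler then echoes the whole
    statement back to the browser, exactly like the black-on-black text on the site.
    """
    sql = f"SELECT title FROM article WHERE group_id='{group_id}' AND category='{category}'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.OperationalError as err:
        return f"Error in query: {sql}. {err}"


def safe_lookup(con, group_id, category):
    """Parameterized form: the driver sends the values separately from the SQL text,
    so a quote (O'Brian) or an OR clause inside a value is just data, never syntax."""
    sql = "SELECT title FROM article WHERE group_id=? AND category=?"
    return [row[0] for row in con.execute(sql, (group_id, category))]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_lookup(db, "000000062'", "c"))  # leaks the statement
    print(safe_lookup(db, "000000062'", "c"))        # [] : quote treated literally
```

The parameterized query also has the side benefit that no SQL text reaches the user on failure, which removes the information the error page was handing out.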
./sqlmap.py -u <URL> --schema
is enough to list all the databases and tables contained within a MySQL instance.
table when analysed further with
command, revealed: the staff member names, usernames, password digests (hashes), the IP addresses used at the time of account registration, and other information. This is information about staff members who likely manage the content on the website, with enough privileges to edit or delete any articles, laws, amendments, and attached documents on the website — including pieces of legislation dating all the way back from 1887 to present day, 2020.
and other tools have inbuilt options to further analyse a table and offer quick dictionary-based 'guessing' of certain password digests on it, offline. A quick analysis of the digests revealed that one of the passwords was extremely weak — a mere 6-digit date combination (perhaps a date of birth or anniversary). Although the password digest was stored in the table rather than the actual plaintext password, the password was revealed in less than a second. After all, even a regular computer can easily make over 100,000 guesses per second, so cracking a 6-digit password is a piece of cake.
Once an attacker can get their hands on the username and password, they can modify or delete anything using the website’s CMS — including the very laws.
The not-so-subtle Modify|Delete links on every page make this possible:
Sample login screen presented prior to modifying or deleting content:
Bam! A successful login enables an attacker to “rewrite any law”, delete or upload new PDFs and tamper with other data. Yup, not going to try deletion but I’m sure it works:
So next time you choose to put a Secure Site logo at the bottom, make sure you’re covered against the most common critical vulnerabilities. 😉
Gibraltar Laws website launched Jan 6, 2020: