Wednesday, February 25, 2009

CMS, URL *FAIL*

[Credit goes to Jeremiah Grossman for posting this up on twitter the other day...]

Some of us in IT Security tend to look at the little things, for example the URL line as we browse from site to site... and every once in a while we hit something like this:

http://www.house.gov/htbin/blog_inc?BLOG,tx14_paul,blog,999,All,Item%20not%20found,ID=090223_2687,TEMPLATE=postingdetail.shtml

There are just so many things wrong with this URL. First off, the part that reads "Item%20not%20found" is interesting... "Item not found" ?? How odd, I wonder what the parameters for this are, and if it will take some nice system or SQL commands?

Now, of course being a .gov site I know they're monitoring it closely for hacking so I don't dare try to poke at this site, but it's hilarious. You can change the ID=xxxxxx_xxxx and depending on how good your guesses are you may get some other articles (maybe ones not yet set to publish?).
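As an added example (not part of the original post), here is the kind of check a reviewer or WAF rule author could run over URLs like the one above: it splits the legacy comma-delimited query string into positional and KEY=VALUE parts and flags the three things the post calls out: client-supplied message text, a client-chosen template file name, and a guessable date-prefixed ID. The comma-delimited convention and the heuristics are assumptions about this CGI, not documented behaviour.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample: the URL quoted in the post.
SAMPLE_URL = ("http://www.house.gov/htbin/blog_inc?BLOG,tx14_paul,blog,999,All,"
              "Item%20not%20found,ID=090223_2687,TEMPLATE=postingdetail.shtml")

# Assumed: file extensions that indicate a server-side template is being named by the client.
TEMPLATE_SUFFIXES = (".shtml", ".html", ".tmpl", ".inc")


def parse_comma_query(url):
    """Split a comma-delimited query (assumed convention of this CGI) into
    positional arguments and KEY=VALUE pairs. Decoding happens after the split
    so an encoded comma inside a value cannot create an extra argument."""
    positional, named = [], {}
    for raw in urlsplit(url).query.split(","):
        part = unquote(raw)
        if "=" in part:
            key, value = part.split("=", 1)
            named[key] = value
        else:
            positional.append(part)
    return positional, named


def review_query(url):
    """Return defender-side findings about risky parameter usage in the URL."""
    positional, named = parse_comma_query(url)
    findings = []
    for i, value in enumerate(positional):
        # Identifiers rarely contain spaces; free text here is a message the
        # server will likely echo into the page, so it needs output encoding.
        if " " in value:
            findings.append(f"positional[{i}] is free text {value!r}: client-controlled "
                            "message echoed by the server; encode on output")
    for key, value in named.items():
        if value.lower().endswith(TEMPLATE_SUFFIXES):
            findings.append(f"{key}={value}: client names a server-side template file; "
                            "resolve against a fixed allow-list, never the raw value")
        # Date-prefixed sequential ids (YYMMDD_nnnn) are trivially guessable, so
        # every item must carry its own publish-state/authorization check.
        if re.fullmatch(r"\d{6}_\d+", value):
            findings.append(f"{key}={value}: guessable sequential id; enforce "
                            "publish-state checks per item, not by obscurity")
    return findings
```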

Anyway, you'd think the government would take security seriously, ... never mind, I can't stop laughing.
