Buca Bay - Always nice

I have a black rooster, its name is… sing it to me…

Security of Fiji’s Major Company Websites

September 25

Taking a look at the largest websites on the com.fj domain (Fiji domains), I was surprised that 8 out of the 11 websites I looked at had security flaws that can be detected in about 10 seconds (literally) with nothing but a browser.

These websites were Vodafone, Connect, Fiji White Pages, AFL, Fiji Sun, Air Fiji, Fiji TV and Fiji Times, among others.

Those that don’t have apparent security flaws:
Airports Fiji Limited
Air Fiji
Fiji Times


Those that have apparent security flaws:

Telecom Fiji Limited
Vulnerability: XSS, XSRF
Severity: Low
Note: No user accounts to exploit

Vodafone
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges

Connect
Vulnerability: XSS, XSRF
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges

Fiji White Pages
Vulnerability: XSS
Severity: Low
Note: There are no user accounts so users are not affected

Fiji Yellow Pages
Vulnerability: XSS, Blind SQL Injection
Severity: Medium
Note: There are no user accounts, so users are not affected. However, the whole database can be read.

Fiji Sun
Vulnerability: XSS
Severity: Low
Note: There are no user accounts, so users are not affected. The attack requires social engineering.

Fiji TV
Vulnerability: XSS, XSRF, SQL Injection
Severity: Critical
Note: User accounts are affected. An attacker can log in as another user with their privileges. Direct SQL injection can retrieve all user details and possibly administrative access to the website.

South Pacific Stock Exchange
Vulnerability: Blind SQL Injection
Severity: Critical
Note: Blind SQL injection can read the database blindly (one true/false answer at a time) and possibly gain administrative privileges.

Now this is quite disturbing. I only tested two basic exploits, XSS and SQL injection. The XSRF vulnerabilities are implied wherever XSS is present on a domain that also has user accounts: the injected script runs in the victim's browser within that site's own origin, so it can read any anti-XSRF token from the page and submit state-changing requests as the logged-in user.

No need to panic; estimates claim that around 70% of the websites on the internet are vulnerable to XSS. What amazes me, however, is that these are large corporate websites, and their web developers should know better.

Disclaimer: I am not disclosing any details of the vulnerabilities found on the mentioned websites, beyond the fact that they exist. You'll have to take my word for it.

Update: As requested by JJ, here’s a look at the FVB website:

FVB
Vulnerability: XSS, Blind SQL Injection
Severity: Critical
Note: XSS can be used to log in as another user, possibly gaining administrative privileges. Blind SQL injection can read the database blindly and possibly gain administrative privileges.

4 Comments to “Security of Fiji’s Major Company Websites”

  1. On September 24th, 2008 at 7:24 pm JJ Says:

    … did you have a look at the FVB site http://www.fijime.com for flaws?

  2. On September 24th, 2008 at 8:29 pm admin Says:

    Bula JJ,

    I’ve taken a look at the FVB website and added the result to the list.

  3. On April 20th, 2009 at 12:24 am Aminiasi Says:

    Hey, why, when we hover on top of the images, does it give out a message "void"? You know we can disable JavaScript and still copy your pics, but what do we need your pics for!!

    And keep those articles coming………..

  4. On April 20th, 2009 at 5:41 pm Gabe Says:

    That is actually a JS error. I didn’t get to test that out in any browsers other than Firefox.
