Hi,

Considering the fact you didn't inform the concerned authorities at both the universities (before disclosing publicly), are you not breaking the Indian IT Act by doing this type of public disclosure [1]? IANAL, but if you (or someone else on the list) have something to say about this point, it would be cool.

[1] IT Act 2000, Chapter 9, 43 (G) ( http://www.cybercellmumbai.com/cyber-laws/chapter-9 )

Regards
Shreyas Zare
Sr. Information Security Researcher
Secfence Technologies
www.secfence.com

On Sat, Jul 17, 2010 at 3:01 PM, Sandeep Sengupta <[email protected]> wrote:
> Topic:
>
> a) Sikkim Manipal University portal is vulnerable to SQL Injection attack.
> b) Calcutta University website is spreading malware via iframe code
> insertion.
>
> Details:
>
> a) About the university: Sikkim Manipal is one of the largest private
> universities in India. The Institute attracts students from all over the
> country, with over 1700 students enrolled in the various engineering
> disciplines. 102 full-time faculties are employed.
>
> Type of problem: SQL Injection
>
> Vulnerable Portal: http://portal.smude.edu.in/
>
> User Name: sanjay
> [any name will work]
> Password: ' OR ''='
> Choose "Center Login" radio button
> Press SUBMIT.
>
> Screenshot: http://www.isolutionindia.com/isolutionindia/disclosure/SM.JPG
>
> Effect: You have access to the main admin panel. Option to download & print
> ALL student records, contact information, admit cards for upcoming
> examinations, assignments, results, etc. Option to change password.
>
> Credit: Pradip Sharma, Surajit Biswas, Sandeep Sengupta; Cyber Security
> Research Analysts, iSolution Software Systems Pvt. Ltd.,
> www.isolutionindia.com
>
> b) Calcutta University is the oldest existing university in the Indian
> subcontinent. Founded in 1857, it is ranked 39th in the world.
>
> Vulnerability: The main page is spreading a virus. www.caluniv.ac.in
> It has iframe code injection & is pulling a virus from the Russian site
> pantscow.ru
> Hundreds will be infected while checking for results on the website.
>
> Screenshot: http://www.isolutionindia.com/isolutionindia/disclosure/CU.JPG
>
> Credit: Arnab Kanti Choudhury, Sandeep Sengupta; Cyber Security Research
> Analysts, iSolution Software Systems Pvt. Ltd., www.isolutionindia.com
>
> Disclaimer: The above information has been published with the intention that the
> concerned authorities will take notice & amend the bugs. People are
> requested not to use the above information for illegal actions. We take no
> responsibility for the consequences.
>
> Thanks.
>
> Cyber Security Research Team
> iSolution Software Systems Pvt. Ltd.
> www.isolutionindia.com
> Mob: +91 9830310550
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
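
The class of flaw named in the quoted advisory (SQL injection in a login form), shown as an added example that is not part of the original thread and is not code from either site: a string-concatenated login check beside a parameterized one. The table, column and function names and the stored account are constructed for illustration; only the two form values come from the quoted message.

```python
import hashlib
import hmac
import sqlite3

SALT = b"constructed-demo-salt"  # constructed; use a random per-user salt in practice

def pw_hash(password):
    """Derive a password hash (PBKDF2-HMAC-SHA256) for storage and comparison."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

def make_db():
    """Constructed in-memory table standing in for a login store (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logins (username TEXT PRIMARY KEY, password TEXT, pw_hash BLOB)")
    # The plaintext 'password' column exists only so the legacy query has something to compare.
    db.execute("INSERT INTO logins VALUES (?, ?, ?)",
               ("center01", "constructed-pass", pw_hash("constructed-pass")))
    return db

def login_concatenated(db, username, password):
    """Vulnerable pattern: form fields are pasted into the SQL text.
    Returns the final SQL string and the login decision."""
    sql = ("SELECT COUNT(*) FROM logins WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return sql, db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, username, password):
    """Hardened pattern: the username is bound as data, and the password is
    checked in application code against the stored hash."""
    row = db.execute("SELECT pw_hash FROM logins WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], pw_hash(password))

if __name__ == "__main__":
    db = make_db()
    quoted_input = ("sanjay", "' OR ''='")  # form values as given in the quoted advisory
    sql, accepted = login_concatenated(db, *quoted_input)
    print(sql)  # AND binds tighter than OR, so the trailing ''='' makes every row match
    print("concatenated accepts:", accepted)
    print("parameterized accepts:", login_parameterized(db, *quoted_input))
    print("valid login accepted:", login_parameterized(db, "center01", "constructed-pass"))
```
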
