
Case Study

Business Information Portal

Industry: Media

Location: North America

Scene

The subject of the engagement was an E-Business information portal that had recently undergone a major technical overhaul. The engagement focused on the application layer of the portal.

The portal provides business information to international subscribers. The application had dynamic components and a user login feature providing E-Mail and interaction between subscribers.

The E-Business portal is a popular site with a high number of regular visitors, so reliability and robustness are key. Subscribers rely on the information from the site, so security is also paramount.

Challenge

The client required assurance that the new components of the portal were well protected against application-level attack from the Internet.

Engagement

After discussions with the client it was decided that the engagement would take the form of a vulnerability assessment of the application. Two valid subscriber accounts were supplied in order to investigate the application, which was subjected to assessment techniques using open source web interceptor (proxy) software.

Results

During application-level testing of the portal, a basic configuration mistake was found in the integrated PHP-based forum software. The configuration mistake allowed any user to log in as the administrator of the site and use the forum management features. These features allowed the following operations:

  • Moderation of forum content
  • Creation and deletion of user accounts
  • Editing of files on the server side
  • Creation of user accounts using simple automated scripting
  • Automated E-Mailing to each account defined in the forum

Risks to business

One of the most serious risks to the business was seen as image degradation (reputational damage). If an attacker found the security issue, rogue E-Mails could have been sent to site subscribers, or arbitrary E-Mail accounts could have been created in the forum.

By exploiting this issue, a malicious attacker could generate large amounts of spam from the site. If this spam E-Mail contained disagreeable or libellous content, there could be legal implications for our client.


info@esqo.com

0121 270 6005
