Website Security Vulnerabilities Disclosures Board

When our online bug scanner (ScanForBugs.Online) identifies a High/ Critical & Certain vulnerability, we contact the concerned entity & inform them about it.

The bug may be disclosed here, subject to reduction as may be necessary to ensure users' privacy & security of the system.

Vulnerable Websites

img

cpmini.strathmore.edu

  • Bug: Unauthorized source-code exposure at cpmini.strathmore.edu
  • Description: Unauthorized source-code exposure at cpmini.strathmore.edu due to server misconfiguration
  • Severity: Critical
  • Confidence: Certain
  • #Source-code of /ussd.php
    
    setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    
    $query = "SELECT * FROM $usertable WHERE pin = $id LIMIT 1";
    
    $result = mysqli_query($conn, $query);
    
    $row = mysqli_fetch_assoc($result)
    
    
    
    
        
    
     $response="CON ".$row["sname"]." 1. Schedule an Appointment \n 2. Reschedule your Appointment \n 3. Request Test Result";
    
    
     }else if( $level[0]=="")
    {
    
    
     $response="END Wrong Input, Try Again";
    
    
    
    }else{
    
    $response="CON Enter Second Name \n\n 0:Back  99:Main Menu";
    
    
    }
    
    
    
    
    
    }
     else if(isset($level[2]) && $level[2]!="" && !isset($level[3])){
    
    
    
    
    
    
    
      if ( $level[0]==2) {
    
     $response="CON 1. HIV/AIDS Appointment \n 2. Malaria Appointment \n 3. Tuberculosis Appointment";
    
    
     }else if( $level[0]=="")
    {
    
    
     $response="END Wrong Input, Try Again";
    
    
    
    }else{
    
    
          $response="CON Enter National ID \n\n 0:Back  99:Main Menu";
    
    
    
    }
    
     }
    
      else if(isset($level[3]) && $level[3]!="" && !isset($level[4])){
    
    
    
    
     if ( $level[0]==2) {
    
     $response="CON When do you want to book Appointment \n 1. January 15th 2018 \n 2. January 30th 2018 \n 3. February 3rd ,2018  \n 4. February 10th 2018";
    
    
     }else if( $level[0]=="")
    {
    
    
     $response="END Wrong Input, Try Again";
    
    
    
    }else{
    
    $response="CON Enter County \n\n 0:Back  99:Main Menu";
    
    
    
    
    }
    
    
    
    
    
    
    
           
     }
     
     else if(isset($level[4]) && $level[4]!="" && !isset($level[5])){
    
    
    
    
    
    
     if ( $level[0]==2) {
    
     $response="CON Available Slots \n 1. 9:00 - 9:30 \n 2. 11:00 - 11:30 \n 3. 2:00 - 2:30 \n 4. None of them Works";
    
    
     }else if( $level[0]=="")
    {
    
    
     $response="END Wrong Input, Try Again";
    
    
    
    }else{
    
    $response="CON Enter Year of Birth \n\n 0:Back  99:Main Menu";
    
    
    
    
    }
    
    
    
    
          
     }
    
    
     else if(isset($level[5]) && $level[5]!="" && !isset($level[6])){
    
    
    
    
    
    
    
    
    
     if ( $level[0]==2) {
    
     $response="CON You reserved the following slot for HIV/AIDS diagnosis for Tuesday January 30th 2018 from 2:00 - 2:30 pm. Reply 1 to Confirm and 2 to Cancel";
    
    
     }else if( $level[0]=="")
    {
    
    
     $response="END Wrong Input, Try Again";
    
    
    
    }else{
    
      $response="CON Select the Gender .\n 1. Male  \n 2. Female  \n 3. Other";
    
    
    
    
    }
    
    
    
    
    
    
          
     }
    
     else if(isset($level[6]) && $level[6]!="" && !isset($level[7])){
    
    
    
    
    
    
    
    
     if ( $level[0]==2) {
    
     $response="CON Confirmed Appointment for HIV/AIDS diagnosis for Tuesday January 30th 2018 from 2:00 - 2:30 pm. \n Confirmation Code #26535353";
    
    
     }else if( $level[0]=="")
    {
    
    
     $response="END Wrong Input, Try Again";
    
    
    
    }else{
    
    
            $response="CON Enter New Cumasu PIN \n\n 0:Back  99:Main Menu";
    
    
    
    
    }
    
    
    
    
          
     }
    
    
      
    
     else if(isset($level[7]) && $level[7]!="" && !isset($level[8])){
    
           $response="CON Re-Enter Cumasu PIN  \n\n 0:Back  99:Main Menu";
    
    
          
     }
     //Save data to database
    
    
    
     else if(isset($level[8]) && $level[8]!="" && !isset($level[9])){
     //Save data to database
    
    
    
     // $data=array(
     // 'phonenumber'=>$phonenumber,
     // 'fullname' =>$level[1],
     // 'electoral_ward' => $level[2],
     // 'national_id'=>$level[3]
     // );
    //Insert the values into the db SOMEWHERE HERE!!
    //We end the session using the keyword END.
    
    
          $fname=$level[1];
          $sname=$level[2];
          $national_id=$level[3];
          $county=$level[4];
          $yob=$level[5];
          $gender=$level[6];
          $pin=$level[7];
          $pinold=$level[8];
    
    
          if($pin==$pinold){
    
    
    
      $response="CON User Registration Successful.. ".$fname."  \n\n 0:Back  99:Main Menu";
    
       
    
    //$response="END Thank you ".$full_name.$email.$phone_number." for registering.\nWe will keep you updated"; 
    
          
    $servername = "localhost";
    $username = "county";
    $password = "cpmini#2017";
    $dbname = "cpmini_kajiado_test";
    
    
    header('Content-type: text/plain');
    
    $conn = new PDO("mysql:host=$servername;dbname=$dbname", $username, $password);
    
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    
        $sql  = "INSERT INTO user_cumasu (fname, sname, national_id, county, yob, gender, pin) VALUES('$fname' ,'$sname' ,'$national_id' ,'$county' ,'$yob' ,'$gender' ,'$pin')";
    
    
       //  $sql  = "INSERT INTO customer (phone, email, full_name) VALUES('$full_name' ,'$email' ,'$phone_number')";
    
         $conn->exec($sql);
    
    
    
          }else{
    
     $response="CON The PIN does not match";
    
    
          }
    
    
    
    
    }
    
    header('Content-type: text/plain');
    
    
            
           if($sql==""){
    
          echo $response;
    
    
           }else{
    
           
     
           // $sth->execute();
    
           // echo"Response Ending";
           echo $response;
    
    
           }
    
    //}
    ?>
  • For details on how to reproduce the bug & fix it: [scan cpmini.strathmore.edu Here]
img

online.strathmore.edu

  • Bug: Unauthorized Access to Application Source Code at online.strathmore.edu
  • Description: The website's source code is publicly accessible due to a server misconfiguration.
  • Severity: Critical
  • Confidence: Certain
  • #Source Code of File: online.strathmore.edu/enrol/otherusers.php
    
    .
    
    /**
    * List and modify users that are not enrolled but still have a role in course.
    *
    * @package core_enrol
    * @copyright 2010 Petr Skoda {@link http://skodak.org}
    * @license http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
    */
    
    require('../config.php');
    require_once("$CFG->dirroot/enrol/locallib.php");
    require_once("$CFG->dirroot/enrol/renderer.php");
    require_once("$CFG->dirroot/group/lib.php");
    
    $id = required_param('id', PARAM_INT); // course id
    $action = optional_param('action', '', PARAM_ALPHANUMEXT);
    $filter = optional_param('ifilter', 0, PARAM_INT);
    
    $course = $DB->get_record('course', array('id'=>$id), '*', MUST_EXIST);
    $context = context_course::instance($course->id, MUST_EXIST);
    
    require_login($course);
    require_capability('moodle/course:reviewotherusers', $context);
    
    if ($course->id == SITEID) {
    redirect("$CFG->wwwroot/");
    }
    
    $PAGE->set_pagelayout('admin');
    
    $manager = new course_enrolment_manager($PAGE, $course, $filter);
    $table = new course_enrolment_other_users_table($manager, $PAGE);
    $PAGE->set_url('/enrol/otherusers.php', $manager->get_url_params()+$table->get_url_params());
    navigation_node::override_active_url(new moodle_url('/enrol/otherusers.php', array('id' => $id)));
    
    $userdetails = array (
    'picture' => false,
    'userfullnamedisplay' => false,
    'firstname' => get_string('firstname'),
    'lastname' => get_string('lastname'),
    );
    $extrafields = get_extra_user_fields($context);
    foreach ($extrafields as $field) {
    $userdetails[$field] = get_user_field_name($field);
    }
    
    $fields = array(
    'userdetails' => $userdetails,
    'lastaccess' => get_string('lastaccess'),
    'role' => get_string('roles', 'role')
    );
    
    // Remove hidden fields if the user has no access
    if (!has_capability('moodle/course:viewhiddenuserfields', $context)) {
    $hiddenfields = array_flip(explode(',', $CFG->hiddenuserfields));
    if (isset($hiddenfields['lastaccess'])) {
    unset($fields['lastaccess']);
    }
    }
    
    $table->set_fields($fields, $OUTPUT);
    
    //$users = $manager->get_other_users($table->sort, $table->sortdirection, $table->page, $table->perpage);
    
    $renderer = $PAGE->get_renderer('core_enrol');
    $canassign = has_capability('moodle/role:assign', $manager->get_context());
    $users = $manager->get_other_users_for_display($renderer, $PAGE->url, $table->sort, $table->sortdirection, $table->page, $table->perpage);
    $assignableroles = $manager->get_assignable_roles(true);
    foreach ($users as $userid=>&$user) {
    $user['picture'] = $OUTPUT->render($user['picture']);
    $user['role'] = $renderer->user_roles_and_actions($userid, $user['roles'], $assignableroles, $canassign, $PAGE->url);
    }
    
    $table->set_total_users($manager->get_total_other_users());
    $table->set_users($users);
    
    $PAGE->set_title($course->fullname.': '.get_string('totalotherusers', 'enrol', $manager->get_total_other_users()));
    $PAGE->set_heading($PAGE->title);
    
    echo $OUTPUT->header();
    echo $renderer->render($table);
    echo $OUTPUT->footer();
  • For details on how to reproduce the bug & fix it: [scan online.strathmore.edu Here]
img

https://k24tv.co.ke/

  • Bug: Unauthorized Access to Application Source Code at https://K24tv.co.ke
  • Description: The application's source code is publicly accessible due to a server misconfiguration.
  • Severity: Critical
  • Confidence: Certain
  • Snippet of file: wp-config.php:
    //define( 'DB_NAME', 'k24tv_20190623' );
    define( 'DB_NAME', 'mediamax_k24tv_wp');
    define( 'DB_USER', 'mediamax');
    define( 'DB_PASSWORD', 'vSTgz6ZRc8' );
    define( 'DB_HOST', 'localhost' );
  • For details on how to reproduce the bug & fix it: [scan https://k24tv.co.ke/ Here]