Saturday, April 19, 2008
A software security researcher has exploited a flaw in the sex offender registry webpage operated by the Oklahoma Department of Corrections.
The vulnerability, caused by a SQL query in the page's URL, allowed the researcher to download the Social Security numbers of more than 10,000 individuals.
The researcher, Alex Papadimoulis, managing partner of Berea, Ohio-based Inedo, a software development company and the editor of Dailywtf.com, which chronicles poorly designed software, told SCMagazineUS.com that he first learned about the vulnerability in early April when one of his readers told him about it. He said the reader tried unsuccessfully to contact the Oklahoma DoC himself, but couldn't get anyone's attention.
The reader told Papadimoulis that the URL pointing to the DoC site contained a SQL query string, in addition to the site's address. The SQL query string gave the visitor direct access to the SQL database containing the sex offenders' registry, which includes the name, address and other identifying information of sex offenders as mandated by federal law.
By manipulating the query string, however, Papadimoulis said he was able to download 10,597 records, complete with the Social Security numbers of those on the Oklahoma DoC's sexual offender registry. He used the SQL "SELECT command to retrieve the information, he said.
An Oklahoma DoC spokesman told SCMagazineUS.com that the department was aware of the problem and that it had taken the vulnerable page down last Friday. He said the database housing the sex offender database must be publicly available, according to law, and is shared with other law enforcement agencies.
"There's no indication anyone else has gotten into [the web page containing Social Security numbers], but who knows?" the spokesman said.
He said the DoC has not notified any of the victims that their Social Security numbers might have been exposed to potential criminal activity.
Papadimoulis said he "called just about everyone on the DoC's phone tree" before finally reaching someone who understood and could deal with the problem. At first, he said, the DoC did a partial fix of the vulnerability, but they still left the offending page online with the SQL string in the URL.
He said he finally told them they had to totally remove the SQL string from their URL to secure the site. They did so last week, he said.
Papadimoulis said he could foresee two scenarios when it might be necessary to include a SQL query string within a URL. One case might be in using Oracle's Portal, which the DoS used to build its sexual offender webpage. The other instance "is they just must be oblivious to developing web software,” he said.
"I describe it as 'negligently bad coding,'" Papadimoulis said. "This is the number one thing you should not do in web programming."
A December 2007 independent auditing firm's report concluded that the DoC's management information system needed to be upgraded or replaced.
“Ongoing planning and work on the internal development of a replacement for this system has been unsuccessful, leaving the department in an extremely vulnerable position,” the report, written by MGT of America, said.
Phil Neray, vice president of marketing at security vendor Guardium, agreed with Papadimoulis on the poor coding practices.
"The people who wrote the web application made some basic mistakes in how they wrote it, specifically in the case of SQL injections,” he told SCMagazineUS.com. “You need to verify the input from web application before forwarding the query to the database, and obviously they were not doing that."
* Vulnerabilities & Flaws
* Breaches & Exposures