StartupDunia

Configuration flaw on Chintee.com exposes database connection details



If you visit www.chintee.com, the Reliance ADAG owned site, you can save the php file that serves the front page, source included. That php file contains the database connection details: the database name, the user id and the password.

This vulnerability is caused by an Apache web server configuration setting.

Wake up guys!! With 900K users on BigAdda and even more on Zapak, you can't afford to screw up like this.
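Two checks a site operator would want after reading this, written here as an added example (it is not code from this post or from the site in question). The first recognises a .php response that carries source instead of rendered output: when Apache has the .php extension mapped to a type but no PHP module handles it, the file goes out as a download, which matches the "you can save the php file" symptom above. The second scans a document root for PHP files that embed database credentials, the per-file pattern the comments complain about, so they can be moved into one include outside the web root. The sample files, the credential values and the `/etc/example-app/db.php` include path are all constructed for the example.

```python
"""Defender-side checks for the two problems discussed above: a .php
request answered with raw source instead of rendered output (the PHP
handler is not being applied), and PHP files that embed database
credentials, which belong in one file outside the document root.
All sample files and responses are constructed here; nothing is fetched."""
import re
import tempfile
from pathlib import Path

# Content types Apache emits when it hands a .php file to the client as a
# download instead of to the PHP engine (the browser then offers to save it).
SOURCE_CONTENT_TYPES = {"application/x-httpd-php", "text/x-php", "application/x-php"}
PHP_OPEN_TAG = re.compile(r"<\?php\b|<\?=")

# Inline credential anti-patterns: a literal password argument to
# mysql_connect()/new mysqli(), or a $...pass... variable assigned a literal.
CREDENTIAL_PATTERNS = [
    re.compile(r"(mysql_connect|new\s+mysqli)\s*\(\s*(['\"][^'\"]*['\"]\s*,\s*){2}['\"][^'\"]+['\"]", re.I),
    re.compile(r"\$\w*(pass|passwd|pwd)\w*\s*=\s*['\"][^'\"]+['\"]", re.I),
]


def looks_like_source_disclosure(content_type, body):
    """True when a .php response carries PHP source: either the MIME type
    says "download me" or an unexecuted open tag survives in the body."""
    mime = content_type.split(";")[0].strip().lower()
    return mime in SOURCE_CONTENT_TYPES or bool(PHP_OPEN_TAG.search(body))


def find_hardcoded_credentials(docroot):
    """Report (relative path, line number) for every PHP file under docroot
    that embeds database credentials."""
    root = Path(docroot)
    hits = []
    for path in sorted(root.rglob("*.php")):
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            if any(p.search(line) for p in CREDENTIAL_PATTERNS):
                hits.append((path.relative_to(root).as_posix(), lineno))
    return hits


# Constructed document root: two files with inline credentials (the pattern
# the post and the comments describe) and one that pulls them from an include
# outside the web root. The include path is an assumption for the example.
SAMPLE_FILES = {
    "index.php": "\n".join([
        "<?php",
        "// constructed sample: credentials inline, the anti-pattern",
        "$db_host = 'localhost';",
        "$db_user = 'site_user';",
        "$db_pass = 'S3cret!';",
        "$link = mysql_connect($db_host, $db_user, $db_pass);",
        "?>",
        "<html><body>front page</body></html>",
    ]),
    "polls.php": "\n".join([
        "<?php",
        "// constructed sample: the same credentials copied into a second file",
        "$link = mysql_connect('localhost', 'site_user', 'S3cret!');",
    ]),
    "fixed.php": "\n".join([
        "<?php",
        "// constructed sample: credentials loaded from outside the document root",
        "require '/etc/example-app/db.php';",
        "$link = mysql_connect($db_host, $db_user, $db_pass);",
    ]),
}


def run_demo():
    """Write the sample docroot to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in SAMPLE_FILES.items():
            Path(tmp, name).write_text(content, encoding="utf-8")
        return find_hardcoded_credentials(tmp)


if __name__ == "__main__":
    print(run_demo())
    print(looks_like_source_disclosure("application/x-httpd-php", "<?php $db_pass = 'x';"))
```

`run_demo()` reports `index.php` line 5 and `polls.php` line 3 and stays silent on `fixed.php`, which is the shape you want after the fix: one include outside the document root, and nothing under it that matches. The source-disclosure check is meant to be run against your own server after any Apache or PHP change, with the response body and `Content-Type` of a known .php URL.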



Comments

13 Responses to “Configuration flaw on Chintee.com exposes database connection details”

  1. balaji on January 5th, 2008 5:22 am

    what is the relation of the site with Zapak and BigAdda? Do all these use same DB server or what?

  2. Gaurav on January 6th, 2008 1:40 am

    Wow, they haven’t fixed it yet. Good find!

  3. sudhanshu on January 6th, 2008 6:41 am

    balaji, all of them are from reliance..

    however, I don’t think anything is lost yet. they could have disallowed internet access to the db. but it sure looks stupid..

  4. ram on January 6th, 2008 1:42 pm

    It looks stupid. I have downloaded the file; looks like they are using the same db for bigadda also. Bigadda is based on Phpizabi, the db username shows that (Bigadda URLs are similar to phpizabi). Not only the index file, the other files also have the db details, see the polls file.

  5. pranav on January 6th, 2008 3:07 pm

    @ram,

    I’m not sure if they have the same db for bigadda. It might be the possibility that they just named the db tables as bigadda_*…Remember that before bigadda was launched, it had a similar blog / comments section for selecting the logo..

  6. Abhishek Goyal on January 6th, 2008 3:26 pm

    To me, it smells like costly acquisitions in future

  7. mytechiedata on January 7th, 2008 1:50 am

    Here’s another one from Vodafone…
    Just try this URL

    http://ebp3.vodafone.in/mumbai/viewer/viewframeset.jsp?name=/MumbaiEBP/BC01/20071201/8.xxxxxxxx.00.00.xxxxxx.roi&userID=wssuser1&password=wssbill&checksum=xxxxxxxxxx

    The portions with the ‘x’ character are my own details that I have blanked out no purpose.

    As you notice the URL has details of the server user name and password.

    This flaw is easily noticeable in the Firefox browser when you log in to check your bill details from Vodafone.

    I raised a request with them to fix it - but apparently, no one is bothered

    Cheers,
    VodafoneUser

  8. pranav on January 7th, 2008 2:01 am

    @mytechiedata

    that happens when you use a GET method for submitting login forms instead of a POST.

    GET methods should never be used on http requests while submitting a form.

    miserable programming on their behalf.

  9. mytechiedata on January 7th, 2008 3:21 am

    @pranav
    What is worse is that google caches the URL as well
    Try searching for wssuser1 or wssbill

    ;)
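The GET-versus-POST point in the two comments above, turned into a check a log owner can run, as an added example (not code from any commenter or from the site discussed): a login form submitted with GET puts the user name and password into the query string, which is then written to the web server's access log, kept in browser history, sent in Referer headers and picked up by crawlers. The scanner below parses Apache combined-format log lines, flags requests whose query string carries a password-like parameter, and redacts the value before reporting so the finding itself does not repeat the leak. The log lines, addresses and credential values are constructed samples.

```python
"""Find credentials that have leaked into request URLs, the failure mode
described in the comments above: a login form submitted with GET puts
the user name and password into the query string, which is then written
to the server's access log, kept in browser history, sent in Referer
headers and indexed by crawlers. Switching the form to POST keeps the
fields in the request body. The log lines below are constructed samples
in Apache combined format."""
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Query parameter names treated as secrets (anchored, case-insensitive).
SENSITIVE_PARAM = re.compile(r"^(pass(word|wd)?|pwd|secret|token)$", re.I)

# Leading fields of an Apache combined log line; referer and agent are ignored.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log (RFC 5737 documentation addresses, made-up paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2008:01:50:00 +0530] "GET /viewer/frameset.jsp?name=bill.roi&userID=alice&password=hunter2 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.6 - - [07/Jan/2008:01:51:12 +0530] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [07/Jan/2008:01:52:30 +0530] "GET /index.php?page=polls HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_log_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def leaked_params(target):
    """Names of sensitive parameters present in the request target's query string."""
    query = urlsplit(target).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if SENSITIVE_PARAM.match(name)]


def redact(target):
    """Replace sensitive query values so the finding can be reported safely."""
    parts = urlsplit(target)
    pairs = [(name, "REDACTED" if SENSITIVE_PARAM.match(name) else value)
             for name, value in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_log(lines):
    """Return (ip, method, redacted target, leaked names) for each request
    whose query string carries a secret, regardless of HTTP method."""
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if not rec:
            continue
        names = leaked_params(rec["target"])
        if names:
            findings.append((rec["ip"], rec["method"], redact(rec["target"]), names))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the first sample line is reported, with `password=REDACTED` in place of the value; the POST login and the ordinary page request pass. The scanner flags secrets in the query string whatever the method, because a POST form whose action URL already carries the password is just as exposed. Once the form is changed to POST, the same scan over fresh logs is the confirmation that the leak has stopped, and existing log files and search-engine caches still need cleaning up separately.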

  10. Sasidhar on January 7th, 2008 4:36 am

    That's sad. Imagine the hordes of users who are at risk.
    The php page is giving out the production server database connection details!

  11. Information Madness on January 7th, 2008 9:51 am

    This shows how pathetic the development quality is. Who the hell wants to store database connection information in each and every file? Can't they store that in some configuration file and restrict the access?

    Indian companies are running the race of Social Networks and can’t maintain the quality and integrity.

    It's going to be the end user who has to suffer.

  12. Debashish on January 8th, 2008 10:10 am

    Ha ha ha! Good catch and they are still dozing it seems :) On one side they are claiming of such huge user base and on the other nobody from their side cares if the production site is even working. Huh!

  13. pranav on January 8th, 2008 1:49 pm

    @debashish

    I was hoping that someone would wake up at R-ADAG and correct the problem.

    hopefully, they realize their db details have been exposed and at least change the db credentials later.
