Update, 15 Aug 2012, 1:18pm IST: We have received a response from the office of the CEE thanking us for the information provided and assuring us that they have begun working to rectify the vulnerability.
Original article follows below:
Following our exposé of BSNL’s massive security lapse that allows any attacker to manipulate the telecom giant’s entire customer database, another security activist has come forward with information about a shocking flaw in the Kerala State government’s Commissioner of Entrance Examinations website. This time, thousands of students who rely on the common entrance tests for admissions to higher education courses stand to be affected by malicious hackers who could tamper with the database or even replace it with manipulated information.
An SQL injection was used to load 'hack.txt' on the server and trick the database into displaying its contents
The Commissioner of Entrance Examinations (CEE) conducts 13 statewide entrance examinations for postgraduate courses including agriculture, law, ayurveda, dentistry, homoeopathy, nursing, pharmacology, and others. The CEE maintains two websites, www.cee-kerala.org, which contains information about the government undertaking and its activities, and cee.kerala.gov.in, which hosts application forms and the results of common entrance exams. It is this latter website on which the flaw has been found.
Similar to the BSNL exploit, this one also uses modified URLs to introduce an SQL injection that lets an attacker manipulate a database related to the Centralized Seat Allotment Process for Professional Degree Courses, 2012 (http://cee.kerala.gov.in/capresult2012/). The screenshot above shows a database of exam results with unexpected content, which was in fact placed there by the attacker. This proof of concept is designed to be easy to spot, but a crafty criminal could easily manipulate results to make people believe they have gained admission (or failed to do so). This in turn opens up opportunities to extort money or otherwise trick unsuspecting students. Our tipster simply uploaded a text file into the MySQL directory and then used an injection to make the database display values contained within that file. Needless to say, he was also easily able to dump sensitive information from the database to a location of his own choosing.
SQL injection is the technique of sending commands to a database, and the server software running it, through specially crafted URLs or data entry points. The purpose of an injection is to subvert the processing that would ordinarily store such input as plain values, and to trick the underlying software into running it as commands instead. In a worst-case scenario, an external attacker could take complete control of a web server, gain full access to databases, and steal their contents. Such information could then be used to socially manipulate or extort money from unsuspecting victims.
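The difference between input handled as a value and input run as part of a command, shown as an added example (not code from the CEE website or from the original article). It uses Python's sqlite3 with an in-memory database as a stand-in for the site's MySQL backend; the table, the column names, the sample rows and the 7-digit application number format are all constructed assumptions.

```python
import re
import sqlite3

# Constructed sample input: a URL parameter value containing quote characters.
CRAFTED = "x' OR '1'='1"
APP_NO_RE = re.compile(r"[0-9]{7}")  # assumed application number format


def make_db():
    """Build a small in-memory results table (hypothetical schema and rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE results (app_no TEXT PRIMARY KEY, name TEXT, allotment TEXT)")
    db.executemany("INSERT INTO results VALUES (?, ?, ?)", [
        ("1000001", "Student A", "Allotted"),
        ("1000002", "Student B", "Not allotted"),
        ("1000003", "Student C", "Allotted"),
    ])
    return db


def lookup_vulnerable(db, app_no):
    # Weak form: the parameter is pasted into the SQL text, so quote
    # characters in it change the structure of the statement.
    sql = "SELECT app_no, name, allotment FROM results WHERE app_no = '" + app_no + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, app_no):
    # Corrected form: the value is bound to a placeholder and is only ever
    # compared as data, whatever characters it contains.
    sql = "SELECT app_no, name, allotment FROM results WHERE app_no = ?"
    return db.execute(sql, (app_no,)).fetchall()


def handle_request(db, app_no):
    # Defence in depth: reject malformed input before touching the database.
    if not APP_NO_RE.fullmatch(app_no):
        return None
    rows = lookup_safe(db, app_no)
    return rows[0] if rows else None


if __name__ == "__main__":
    db = make_db()
    print("concatenated query:", len(lookup_vulnerable(db, CRAFTED)), "rows returned")
    print("bound parameter:   ", len(lookup_safe(db, CRAFTED)), "rows returned")
    print("valid lookup:      ", handle_request(db, "1000002"))
```

With the concatenated query the crafted value returns every row in the table; with the bound parameter it matches nothing, and the validation step rejects it before any query runs.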
The Kerala CEE website hosts exam results and forms for applying for postgraduate courses.
Incidentally, the CEE website does not appear to use even basic SSL encryption for any of the course application pages or results pages on which students are expected to log in with a private application number.
The security worker who sent us this tip has tried informing the CEE of the existence of this vulnerability, but tells us that he received no reply from them. Our own email to the CEE at its published contact address has gone unanswered as well.