So, a new post showed up on Security list about how to get the relevant personnel know about the vulnerabilities that KP Website would be having. http://lists.my.co.ke/pipermail/security/2011-March/001725.html
If you check for obvious vulnerabilities with your browser e.g Cross Site scripting, SQL Injection, hidden directories, its much easier with lack of WAF (Web Application Firewall), and bad coding tactics.
With such obvious flaws, we can actually get a sense of how Government infrastructure is, and how vulnerable applications running confidential information are, e.g Civil Servant information, NSSF information, Health Organization, Ongoing Corruption investigations etc. With such information being in susceptible vulnerable infrastructures, in case of a cyber attack, its would be easy to overwhelm and bypass the Governments intergrity and confidentiality.
Back to KP website, pages like report_a_crime.asp, lost.asp, site_search.asp, crime_reports_processor.asp, contactus.asp and several others are vulnerable to serious security flaws, especial the Top Ten Owasp Risks. This is due to non-sanitized pages with page variables like, category, details, name, email_address, telephone, txtAnswer etc.
Security Assessments for Kenyan Goverment Infrastracture should be enforced, and use of Information Security Policies should be introduced. MOD or any other law enforcement organization should at least have a Task Force that does tests once in a while by assuming cyber attacks, and such common vulnerabilities on KP webserver should no longer exist (very embarrasing flaws).
NB, i have not disclosed to anyone how to inject or exploit these vulnerabilities, KP has not been informed yet, so the site is still vulnerable. Please also note that, any information i have shown here should NOT be misused, if so, use at your own risk.
Posted by Chucks