Re: Information disclosure on govmu.org

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Mon, 13 Apr 2015 23:48:44 -0700

Hi Ish,
At 20:37 13-04-2015, Ish Sookun wrote:
> From your screenshot I am to believe you got "write" access under
> the directory you were browsing. Is that right? If yes, it's
> serious. Exposing a sensitive infrastructure where one could
> deposit say a "malware" from the Internet is serious.

The Government Online Centre sent a reply yesterday.

I am not sure whether it would be possible to get write access on
www.ncb.mu or cert-mu.govmu.org. There isn't any privacy policy for
cert-mu.govmu.org [1]. That web site disclosed information which the
Mauritian National Computer Security Incident Response Team did not
publish before now. I might consider the information as sensitive
whereas cert-mu.govmu.org might consider that it is okay to publish
the information. A Computer Security Incident Response Team usually
reports an issue as serious if the issue is a serious one. There
isn't any announcement on cert-mu.govmu.org.

I reported the issue as an information disclosure to avoid
exaggerating the issue. Providing for anyone to host malware on
infrastructure which I run is, in my humble opinion, a serious issue.

Regards,
S. Moonesamy

1. http://cert-mu.govmu.org/English/Pages/Disclaimer-Privacy-policy.aspx
Received on Tue Apr 14 2015 - 07:09:34 PST
