Monday, February 26, 2007

Site: www.tcs.com (Tata Consultancy Services)
Multiple SQL Injection/XSS bugs
Risk: Medium-High



The company which can't secure it's site is providing services on Security. WOW !!!
http://www.tcs.com/esecurity => Check this out ;)



SQL Injection - Do you want me to be the DBA ;) ??



Cross Site Scripting - Do you see phishing coming your way ;) ??




I sent an email back in December 2006, they're so responsible not to fix their bugs even after 2 months. I sent the email to their Information Security Manager, Chennai, not to admin/webmaster/or any default address. No response until date (see picture)

Email sent to "Full-Disclosure - We believe in it ;)"

Cheers :)

2 comments:

Anonymous said...

Quite trivial to find flaws like this in major sites... move alomg nothing to see...

Scarlet Pimpernel said...

I never claimed this to be the next big threat to the Internet. If you assumed so, you probably have a selective reading bug in your retina.

This isn't cool or ground breaking, it's rather lame, but not so lame to be Database Administrator for a big company like TCS remotely.

The point, is that they don't secure themselves and provide "security" related services.

This is orders of magnitude easier to exploit than buffer overflows, and the threat is very real...

If you can't understand the threat this can pose, you must realize by now that the database for an organization as big as this is like a pile of diamonds.

Cheers :)