Hacktivist group NullCrew recently announced a successful intrusion (though intrusionette might be a better word) against a website in the DHS.GOV domain hierarchy.
DHS, of course, is the United States Department of Homeland Security.
The intrusionetted site was studyinthestates.dhs.gov, intended to help foreigners find out if and how they might be able to study at US schools, colleges and universities.
It looks as though the site was vulnerable to what's known as a directory traversal vulnerability.
That's where you construct a URL that persuades the server to fetch a file from a part of its filesystem you aren't supposed to be able to reach, and to send you the contents.
Imagine, for example, that your webserver hosts a file that is available via the URL http://example.org/private.dat, but to logged-in users only.
If the server were to see an unauthorised GET request for /private.dat, you'd expect it to deny the request.
But your server needs to be careful that it doesn't let itself get tricked, for example by a request for /subdir/../private.dat instead. The path looks different, but the operating system resolves the .. back up to the web root and opens exactly the same file, so an access check that only compares the raw request string against /private.dat is bypassed.
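The mistake described above, and the fix, as an added example (this is constructed demonstration code, not code from the affected site, from NullCrew's post, or from the original article). The web root, the file names and the "logged-in users only" policy are assumptions made for the illustration; the point is that the naive check compares the request string, while the hardened one canonicalises the path first and checks that the result is still inside the web root.

```python
"""Added example: a naive access check that '..' segments bypass, beside a
hardened canonicalisation that applies the policy to the resolved path.

Not code from the affected site or the original article. The web root,
file names and access policy are constructed for the demonstration.
"""
import posixpath
from typing import Optional, Tuple
from urllib.parse import unquote

# Constructed web root and policy: /private.dat is for logged-in users only.
WEB_ROOT = "/var/www/html"
PROTECTED = {"private.dat"}


def naive_is_allowed(request_path: str, logged_in: bool) -> bool:
    """The mistake: compare the raw request string, then let the filesystem
    resolve whatever was asked for. '/subdir/../private.dat' is not the
    string '/private.dat', so the check passes, and the OS walks subdir/..
    back to the web root and opens private.dat anyway."""
    if request_path == "/private.dat" and not logged_in:
        return False
    return True


def canonical_path(request_path: str) -> Optional[str]:
    """Decode once, collapse '.' and '..', and confirm the result is still
    inside WEB_ROOT. Returns the path relative to the web root, or None when
    the request should be rejected outright."""
    # Decode exactly once. Decoding a second time would turn a literal
    # '%2e%2e' (sent on the wire as %252e%252e) into '..' after this check.
    decoded = unquote(request_path)
    # A NUL byte is a classic way to truncate the name inside a C-based server.
    if "\x00" in decoded:
        return None
    # Assumption: the server treats backslash as a separator (IIS-style), so
    # normalise it rather than only looking for the '../' spelling.
    decoded = decoded.replace("\\", "/")
    full = posixpath.normpath(posixpath.join(WEB_ROOT, decoded.lstrip("/")))
    # The real test is on the resolved absolute path, not on the request text.
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return None
    return full[len(WEB_ROOT):].lstrip("/")


def hardened_decision(request_path: str, logged_in: bool) -> Tuple[int, Optional[str]]:
    """Return (HTTP status, path relative to WEB_ROOT to serve, or None).
    Authorisation is applied to the canonical path, so every spelling of
    private.dat gets the same answer."""
    rel = canonical_path(request_path)
    if rel is None:
        return 400, None
    if rel in PROTECTED and not logged_in:
        return 403, None
    return 200, rel


if __name__ == "__main__":
    for req in ("/private.dat", "/subdir/../private.dat",
                "/subdir/%2e%2e/private.dat", "/../../etc/passwd"):
        print(f"{req:30} naive={naive_is_allowed(req, False)!s:5} "
              f"hardened={hardened_decision(req, False)}")
```

Two things a real file server adds on top of this: it resolves symlinks (realpath) before the containment check, because a symlink under the web root can point outside it, and it rejects requests whose decoded path still contains characters the filesystem will interpret specially. Note also that the double-encoded form %252e%252e is left as the literal directory name "%2e%2e" here, which is the correct outcome; the historic bugs came from servers that decoded a second time after the check.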