The Physics Department of the University of Patras fell victim attacks Turkish hackers, who found the opportunity to request in their own way the extradition of the 8 Turkish soldiers who came to Greece immediately after the coup against the government of Recep Tayyip Erdoğan.
Thus, on Wednesday, February 1, the official website of the Department of Physics of the University of Patras was found distorted by the spelled message of the Turkish hackers who demanded that we return our "soldiers".
And the whole page:
Let's say that if you look at the page of the University of Patras today it has returned to its original form and it is as if it did not precede an attack. But according to a complaint we received from our reader (Nyo / GHS) the vulnerability that allowed the Turks to post their message is still open, that is, it has not been repaired.
To prove this, the researcher sent us a screenshot that is distinguished that he has been linked to the site with the University Secretariat account. So as you can see if the vulnerability still exists, anyone can use it.
The gap security may not give full access στο site ή στον server καθώς οι τεχνικοί του Πανεπιστημίου έχουν προσθέσει ορισμένα φίλτρα, αλλά είναι εξίσου σοβαρό γιατί αφήνει κάποιον κακόβουλο ή μη κακόβουλο χρήστη να προσθέσει κώδικα σε μορφή html ή javascript και να επηρεάσει όλους όσους μπαίνουν στο site. Φυσικά με την javascript μπορούν να παραμορφώσουν όλη τη σελίδα (Post Reflected Deface).
Please note that the link to vulnerability is available to everyone and is located on the page footer. Members use it as well as the site management team. The attack from this point was a very simple SQL injection (SQLi) format.
With a very simple SQLi query, Nyo managed to overtake the login form and get into the site. From the management panel, you could make posts, upload files, and more, as you'll see below:
Meanwhile, it is worth mentioning that the SQLi query used by Nyo was very simple and the researcher pointed out that it could affect the site's publications with Persistent XSS.
With the same method it could affect both the admin and the visitors of the page, changing pages and posts and adding malicious scripts.
We should mention that we are impressed that even today such a security gap continues to exist, leaving exposed data of the page but also from the administrator to its visitors.
Nyo even told us that the gap is not new, that there is a long time ago and that the page has been hacked by hackers who used exactly the same SQLi.
Let's hope that this time it will be repaired, before anyone else begins to take on how effective a hacker is, on a page that no one fixes.
SecNews.gr remains at the disposal of any interested administrator who wants to fix the vulnerability.