Application on University of Mauritius website allows upload
I came across an application hosted on the University of Mauritius webserver which prompted me to question its security and maintenance. The application is actually a Content Management System specialized in sharing Earth sciences documents. It's called RAMADDA. From the documentation on its website, the application, as many other Java based apps, has a meticulous configuration. Nevertheless it's a huge and efficient application.
What I found on the University of Mauritius domain was that the application was running in public view, most probably due to misconfiguration. One could thus view resources and even edit them. Seriously? Yes.
Among the list of participants in a project I found the name of the Government Online Centre. Within its directory tree one could create a folder, edit a file or upload a new one.
The last entries logged date back to 2013. Seems like the application has not been used or maintained thereafter.
Let's keep in mind that uploading a file would mean putting something on the University's server. Does that sound harmful? We'll see. The University is running Tomcat webserver and what damage can happen if someone uploads a
.jsp page with malicious code? I assume it would run on the server.
To confirm I did a quick search to see what else is in public view. Oh, there is a shell script. Looks like someone's gonna get hurt. The direct link to the shell script named
getregcmdata.sh displays the following in my browser:
# simple script to get data for running regcm simulation # to be set by user REGCM_GLOBEDAT=$PWD mkdir SURFACE CLM SST AERGLOB EIN15 # get surface data: cd SURFACE wget http://clima-dods.ictp.it/regcm4/data/SURFACE/GLCC_BATS_30s.nc wget http://clima-dods.ictp.it/regcm4/data/SURFACE/GTOPO_DEM_30s.nc cd .. # get sst data cd SST CDCSITE="ftp.cdc.noaa.gov/pub/Datasets/noaa.oisst.v2" curl -o sst.wkmean.1981-1989.nc ftp://$CDCSITE/sst.wkmean.1981-1989.nc curl -o sst.wkmean.1990-present.nc ftp://$CDCSITE/sst.wkmean.1990-present.nc
That answers my previous question. Uploading a JSP coded page and accessing the same through a direct link on the server would indeed run the code on server-side.
On that note, I am sending an email to the University of Mauritius but... wait. Whom do I contact? The Contact Us link opens the home page of www.undp-adaptation.org. Damn. Let me just put the CITS email of the University, CERT-MU and Mauritius Internet Users ML. Someone, somewhere in this country will surely know who should be looking after this apparently abandoned project.
 Centre for Information Technology & Systems (CITS)
3 April 2015 - CITS replied promptly that remedial actions will be taken. MIU mailing list is cc'ed.
5 April 2015 - Three days after the initial post the resources are still accessible & vulnerable.