I came across an application hosted on the University of Mauritius webserver which prompted me to question its security and maintenance. The application is actually a Content Management System specialized in sharing Earth sciences documents. It's called RAMADDA. From the documentation on its website, the application, as many other Java based apps, has a meticulous configuration. Nevertheless it's a huge and efficient application.

What I found on the University of Mauritius domain was that the application was running in public view, most probably due to misconfiguration. One could thus view resources and even edit them. Seriously? Yes.

uom-ramadda-1

Among the list of participants in a project I found the name of the Government Online Centre. Within its directory tree one could create a folder, edit a file or upload a new one.

uom-ramadda-add-file

The last entries logged date back to 2013. Seems like the application has not been used or maintained thereafter.

uom-ramadda-2

Let's keep in mind that uploading a file would mean putting something on the University's server. Does that sound harmful? We'll see. The University is running Tomcat webserver and what damage can happen if someone uploads a .jsp page with malicious code? I assume it would run on the server.

To confirm I did a quick search to see what else is in public view. Oh, there is a shell script. Looks like someone's gonna get hurt. The direct link to the shell script named getregcmdata.sh displays the following in my browser:

# simple script to get data for running regcm simulation

# to be set by user 
REGCM_GLOBEDAT=$PWD

mkdir SURFACE CLM SST AERGLOB EIN15

# get surface data:

cd SURFACE 
wget  http://clima-dods.ictp.it/regcm4/data/SURFACE/GLCC_BATS_30s.nc
wget  http://clima-dods.ictp.it/regcm4/data/SURFACE/GTOPO_DEM_30s.nc
cd ..

# get sst data 
cd SST 
CDCSITE="ftp.cdc.noaa.gov/pub/Datasets/noaa.oisst.v2" 
curl -o sst.wkmean.1981-1989.nc  ftp://$CDCSITE/sst.wkmean.1981-1989.nc
curl -o sst.wkmean.1990-present.nc ftp://$CDCSITE/sst.wkmean.1990-present.nc

That answers my previous question. Uploading a JSP coded page and accessing the same through a direct link on the server would indeed run the code on server-side.

On that note, I am sending an email to the University of Mauritius but... wait. Whom do I contact? The Contact Us link opens the home page of www.undp-adaptation.org. Damn. Let me just put the CITS[1] email of the University, CERT-MU and Mauritius Internet Users ML. Someone, somewhere in this country will surely know who should be looking after this apparently abandoned project.

[1] Centre for Information Technology & Systems (CITS)

Just for the sake of information, this is NOT the first time I am alerting the University of Mauritius about an application allowing "uploads" to happen on their server.

Update

3 April 2015 - CITS replied promptly that remedial actions will be taken. MIU mailing list is cc'ed.
5 April 2015 - Three days after the initial post the resources are still accessible & vulnerable.