Application on University of Mauritius website allows upload

April 2, 2015

I came across an application hosted on the University of Mauritius webserver which prompted me to question its security and maintenance. The application is actually a Content Management System specialised in sharing Earth sciences documents, called RAMADDA. Judging from the documentation on its website, the application, like many other Java based apps, requires a meticulous configuration. Nevertheless it's a huge and efficient application.

What I found on the University of Mauritius domain was that the application was running in public view, most probably due to misconfiguration. One could thus view resources and even edit them. Seriously? Yes.


Among the list of participants in a project I found the name of the Government Online Centre. Within its directory tree one could create a folder, edit a file or upload a new one.


The last entries logged date back to 2013. It seems the application has not been used or maintained since then.


Let's keep in mind that uploading a file means putting something on the University's server. Does that sound harmful? We'll see. The University is running the Tomcat webserver, so what damage could happen if someone uploads a .jsp page with malicious code? I assume it would run on the server.

To confirm, I did a quick search to see what else is in public view. Oh, there is a shell script. Looks like someone's gonna get hurt. The direct link to the shell script displays the following in my browser:

# simple script to get data for running regcm simulation

# to be set by user

# get surface data:
cd ..

# get sst data
cd SST
curl -o  ftp://$CDCSITE/
curl -o ftp://$CDCSITE/

That answers my previous question. Uploading a JSP page and accessing it through a direct link on the server would indeed run the code server-side.
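As an added illustration (not from the original post, and not RAMADDA's or the University's own configuration): the standard way to stop Tomcat from compiling a .jsp that lands in an upload directory is to map that directory to the container's static-file servlet in the webapp's WEB-INF/web.xml. The servlet specification matches a path-prefix pattern before an extension pattern, so a rule for the upload tree takes precedence over Tomcat's built-in *.jsp mapping and the file is served as plain bytes instead of being executed. The path /uploads/* is an assumption chosen for the example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added hardening example, not the page's or RAMADDA's own web.xml.
     Assumes uploaded files are written under <webapp>/uploads/ (hypothetical path). -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <!-- WEAK (the default): no mapping at all. Tomcat's conf/web.xml maps
       *.jsp and *.jspx to the JspServlet for every path in the webapp, so
       GET /uploads/anything.jsp compiles and runs whatever was uploaded. -->

  <!-- CORRECTED: route the whole upload tree to the static-file servlet.
       "default" is the name Tomcat gives its DefaultServlet in conf/web.xml.
       A path-prefix pattern (/uploads/*) is matched before an extension
       pattern (*.jsp), so an uploaded .jsp or .jspx is served as a file,
       never handed to the JSP compiler. -->
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>/uploads/*</url-pattern>
  </servlet-mapping>

  <!-- Belt and braces: have the browser treat served .jsp source as an
       opaque download instead of rendering it. This only affects files
       served by the default servlet; real JSPs set their own content type.
       The mapping above is what actually prevents execution. -->
  <mime-mapping>
    <extension>jsp</extension>
    <mime-type>application/octet-stream</mime-type>
  </mime-mapping>
</web-app>
```

Two caveats a practitioner would check before relying on the post's conclusion. First, the JSP risk only exists if uploads are written inside the deployed webapp's document root; an application that stores files elsewhere and streams them through its own servlet never lets Tomcat see a .jsp on disk, and the post does not say which of the two RAMADDA does here. Second, the safe way to verify execution is to upload a harmless JSP containing a single expression such as an arithmetic sum and request it: getting the evaluated result back confirms execution, getting the source text back means the mapping above (or an equivalent) is already in effect. Storing uploads outside the webapp entirely, and serving them with a Content-Disposition: attachment header, remains the stronger design.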

On that note, I am sending an email to the University of Mauritius but… wait. Whom do I contact? The Contact Us link just opens the home page. Damn. Let me just write to the CITS[1] email address of the University, CERT-MU and the Mauritius Internet Users mailing list. Someone, somewhere in this country will surely know who should be looking after this apparently abandoned project.

[1] Centre for Information Technology & Systems (CITS)

Just for the sake of information, this is NOT the first time I am alerting the University of Mauritius about an application allowing “uploads” to happen on their server.


3 April 2015 - CITS replied promptly that remedial actions will be taken. The MIU mailing list is cc'ed.

5 April 2015 - Three days after the initial post, the resources are still accessible and vulnerable.