The SQL Issue – Gibraltar Government

The great Gibraltar government has been struck by a cyber attack, the end result of which was the ability to edit the overseas territory's laws on its website.

This attack was discovered by a security researcher by the name of ‘Ax Sharma’ who spotted the vulnerability whilst looking through the Gibraltar government’s visa rules, accessible from the Gibraltar Borders and Coastguard Agency website.

If correctly exploited, the vulnerability would have let a malicious attacker remove or upload files in the official repository of Gibraltar’s laws, alter text on the website and even list staff members’ details.

The attack was conducted whilst the security researcher was browsing for documents and came across a page which stood out from the rest because of how old it looked. He simply input a colon (:) into the URL, and the site responded by displaying only the header of the page, with the rest of the contents blank. In this response, the colon itself was still present, just URL encoded (%27). By that alone he was convinced the website was indeed vulnerable. “The website was vulnerable to the easiest kind of SQL Injection: error-based.”

It turns out that SQL error text was displayed in black just below the page header. He discovered this by highlighting the page, which made the black text show up in his selection.
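The behaviour described above, reproduced as an added example (not code from the Gibraltar site or from the researcher's write-up): a query built by string concatenation breaks on one stray quote and echoes the database error under the header, while a bound parameter does not. SQLite, the `documents` table, the sample row and both function names are assumptions made for illustration.

```python
import sqlite3
from urllib.parse import unquote

HEADER = "<h1>Laws of Gibraltar</h1>\n"  # constructed page header

def make_db():
    # Constructed sample data standing in for the site's document table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents (id TEXT PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO documents VALUES ('2019-01', 'Sample Act 2019')")
    return db

def render_vulnerable(db, raw_id):
    """Concatenates the URL parameter into the SQL text and echoes DB errors."""
    doc_id = unquote(raw_id)  # %27 is the URL encoding of a single quote
    sql = "SELECT title FROM documents WHERE id = '" + doc_id + "'"
    try:
        row = db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # Header still renders; the body is replaced by the raw SQL error.
        return HEADER + f"SQL error: {exc}"
    return HEADER + (row[0] if row else "Document not found")

def render_hardened(db, raw_id):
    """Binds the parameter, so the input is only ever treated as data."""
    doc_id = unquote(raw_id)
    try:
        row = db.execute(
            "SELECT title FROM documents WHERE id = ?", (doc_id,)
        ).fetchone()
    except sqlite3.Error:
        # Keep details in server-side logs; show the visitor a generic message.
        return HEADER + "Something went wrong"
    return HEADER + (row[0] if row else "Document not found")

if __name__ == "__main__":
    db = make_db()
    for raw in ("2019-01", "2019-01%27"):
        print(repr(raw), "->", render_vulnerable(db, raw).splitlines()[1])
        print(repr(raw), "->", render_hardened(db, raw).splitlines()[1])
```
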

From this point onwards he started enumerating the entire website by listing all PDFs. This was not the only place where the site was vulnerable: the researcher found other areas where the same vulnerability was present. One of these was a search box, which he further exploited using an open source tool called ‘sqlmap’, which listed all databases including staff members and passwords.

This could have easily been avoided using a penetration testing service. These exposed pages, with their poor configurations, would have been found in a penetration test.