The Irish government has scored a rather embarrassing own goal when its new website promoting Internet and network security was discovered on its first day to have a potential vulnerability.
The Netsecure.ie site was unveiled on Wednesday by Minister for Communications, Marine and Natural Resources, Dermot Ahern, and is the official website of the National Awareness campaign on Computer security.
Unfortunately, within hours, the webmaster of Irish music site Cluas.com, Eoghan O'Neill, found that the site could be spoofed, with words and code inserted through an open ASP script on the site. By passing a long string of HTML in a Netsecure URL that started "http://www.netsecure.ie/netsecure/index.asp?maintitle=", he was able to produce a mock-up of the Netsecure.ie front page with his name and a picture of Mickey Mouse inserted instead. (You can see this at O'Neill's site at http://www.cluas.com/netsecure.htm.)
Mr O'Neill admits that he is no security boffin, but he told us that when he visited the site he noticed that text appearing on the page also featured in the URL. With a bit of playing about he was able to create spoofed pages on Netsecure's server.
The Irish Government is less than pleased about the affair. Government spokesman Richard Moore was keen to point out that Eoghan O'Neill at no point had access to the site and that what he had done was little more than make a photocopy of the site. "We have checked it out and the Netsecure site is completely secure," said Moore.
However, that security has only come after O'Neill warned Netsecure of the flaw (which is now fixed), and because he was not savvy enough to see how far the exploit could be pushed.
Neil Barrett, technical director at security consultancy Information Risk Management (IRM), explained that it looked as though the site had gone live with a broken test ASP script still on it. ASP stands for Active Server Pages and is one of several languages used to make web pages on the fly. By leaving a script open, though, the site let Mr O'Neill make Netsecure's server produce the page he asked it to.
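To show the class of defect Barrett describes, here is an added example (not Netsecure's code, and in Python rather than ASP): a page template that reflects the `maintitle` parameter verbatim, the same template with the parameter HTML-encoded, and a scanner that flags requests in a constructed log whose query parameters carry markup. The log format and sample values are assumptions.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Page skeleton standing in for the site's index.asp template (constructed).
PAGE = "<html><body><h1>{title}</h1></body></html>"


def render_unsafe(maintitle: str) -> str:
    """Reproduces the reported defect: the query parameter is dropped into the
    page verbatim, so any markup in it becomes part of the served page."""
    return PAGE.format(title=maintitle)


def render_safe(maintitle: str) -> str:
    """Hardened form: HTML-encode the parameter so '<', '>', '&' and quotes are
    shown as text rather than interpreted as markup. In classic ASP the
    equivalent call is Server.HTMLEncode."""
    return PAGE.format(title=html.escape(maintitle, quote=True))


def markup_params(url: str) -> list:
    """Return (name, value) pairs for query parameters whose URL-decoded value
    contains tag delimiters; parse_qs does the %XX and '+' decoding."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [(name, v) for name, values in params.items()
            for v in values if "<" in v or ">" in v]


def scan_log(lines) -> list:
    """Flag log lines whose requested URL carries markup in a parameter.
    Each line is assumed to be 'client method url status' (constructed format)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        found = markup_params(parts[2])
        if found:
            hits.append((parts[0], found))
    return hits


# Constructed sample log: one ordinary request and one carrying markup.
SAMPLE_LOG = [
    "192.0.2.10 GET http://www.netsecure.ie/netsecure/index.asp?maintitle=Welcome+to+Netsecure 200",
    "192.0.2.20 GET http://www.netsecure.ie/netsecure/index.asp?maintitle=%3Cb%3EHello%3C%2Fb%3E 200",
]

if __name__ == "__main__":
    for client, found in scan_log(SAMPLE_LOG):
        print(client, found)
    print(render_safe("<b>Hello</b>"))
```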
This could obviously have been used to embarrass the Irish government (as indeed it was) by making an official site appear to show whatever someone else wished it to. But was it a security issue?
Probably, yes. Neil Barrett tells us it reminds him very much of an old PHP hack (PHP does the same sort of thing as ASP) in which it was possible to gain access to the host machine's hard drive. Since the data going to and from the server was accessible from a browser, Mr O'Neill could well have accessed Netsecure's hard drive by inserting "\\c:", instructing the server to display the contents of its C drive. Mr O'Neill told us he didn't try this, so we shall never know.
Either way, it is hardly a ringing endorsement of the security campaign. "It's a bit sloppy, they were asking for trouble," says Neil Barrett. "Let's be honest, it was a bit of an own goal."