A Lost Parcel Results in a New Website

No, this isn’t the real story about the rebuild of the davehall.consulting website. That was yesterday’s post. This post explains why Australia Post Global eCommerce Solutions (aka APG) rebuilt their website using WordPress. No, DHC didn’t build it, we don’t do WordPress.

Back in October I ordered a Divoom Tivoom bluetooth pixel speaker from Amazon Australia. The speaker was shipped from Amazon UK using APG. Amazon insisted they gave the package to APG. For several days the APG tracking was showing that they were still waiting to receive my parcel.

When trying to lodge an enquiry using APG’s contact form it kept failing. Any submission with a single quote in the body caused an error. I could smell SQL injection. I started digging.

The contact form used Ajax to submit the request. The browser console was showing a 500 response code. The response body contained invalid SQL errors in the full HTML page stack trace. SQLi confirmed.
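
A single quote in the message body producing a 500 with SQL errors in the response is the typical symptom of a query built by string concatenation. The following is an added example, not code from the APG site or from this post: it assumes a PDO-based handler, a hypothetical `enquiries` table and hypothetical function names, with in-memory SQLite standing in for the real database. It shows the weak handler beside a parameterised one, and an endpoint wrapper that logs the error server-side instead of returning it.

```php
<?php
// Constructed example: in-memory SQLite stands in for the site's real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE enquiries (id INTEGER PRIMARY KEY, email TEXT, body TEXT)');

// Weak form (assumed): user input is spliced into the SQL text, so a quote
// in the message ends the string literal and the rest is parsed as SQL.
function saveEnquiryConcatenated(PDO $db, string $email, string $body): void
{
    $db->exec("INSERT INTO enquiries (email, body) VALUES ('$email', '$body')");
}

// Hardened form: placeholders keep the input as data, never as SQL text.
function saveEnquiryPrepared(PDO $db, string $email, string $body): void
{
    $stmt = $db->prepare('INSERT INTO enquiries (email, body) VALUES (:email, :body)');
    $stmt->execute([':email' => $email, ':body' => $body]);
}

// Ajax endpoint wrapper: details go to the server log, the client gets a
// generic 500 body with no SQL text, stack trace or framework names.
function handleEnquiry(PDO $db, callable $save, string $email, string $body): array
{
    try {
        $save($db, $email, $body);
        return ['status' => 200, 'body' => ['ok' => true]];
    } catch (Throwable $e) {
        error_log('enquiry failed: ' . $e->getMessage());
        return ['status' => 500, 'body' => ['ok' => false, 'error' => 'Enquiry could not be saved.']];
    }
}

// Constructed input: an ordinary message containing an apostrophe.
$message = "My parcel hasn't arrived";

// The concatenated handler fails on the apostrophe; the prepared one stores
// the text unchanged. Both responses stay free of database detail.
$weak = handleEnquiry($db, 'saveEnquiryConcatenated', 'user@example.com', $message);
$safe = handleEnquiry($db, 'saveEnquiryPrepared', 'user@example.com', $message);

echo json_encode($weak), PHP_EOL;
echo json_encode($safe), PHP_EOL;
echo $db->query('SELECT body FROM enquiries')->fetchColumn(), PHP_EOL;
```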

The stack trace contained some other useful information, including indications the site was using Zend Framework 1. I used Zend Framework back in the day, but ZF1 went end of life back in September 2016.

Reviewing the response headers revealed the site was using PHP 7.0.33. PHP 7.0 went end of life in January 2019.

It’s fair to say this site had a lot of problems. At this point I stopped digging as I wasn’t sure where I stood legally if I tried extracting data using these vulnerabilities. The last thing I needed was the cops on my doorstep.

I reported my findings through Australia Post’s Responsible Disclosure Program. While the site was clearly a mess, I was expecting a “thanks, but all of this is out of scope” response. After the confirmation email I didn’t hear anything. I was very keen to see how the site would be remediated.

It turns out, APG/Australia Post considered the old website beyond redemption. Around a month after I reported the vulnerabilities, the site was relaunched on WordPress. I didn’t see the update until mid-December. Upon contacting the Australia Post security team, they promptly added me to their list of recognised security researchers.

Too often it is the website, server or service that everyone has forgotten about that provides the foothold for an attacker. Keeping an accurate inventory of your digital assets is important, so you know what you have. Automated patching and proactive maintenance reduce the risk of running outdated software on internet-facing systems.

If you need help with keeping your digital assets secure, talk to us about our devsecops services.