KARACHI: The official website of the Sindh Revenue Board (SRB) has been identified as vulnerable to cyber attack and prone to leakage of citizens’ data.
The National Telecom and Information Technology Security Board (NTISB) has issued an advisory through a notification dated March 03, 2021.
It said that critical vulnerabilities had been identified in the website of SRB (the notification can be downloaded from https://download1.fbr.gov.pk/Docs/202131115323494Advisory8.pdf) that may result in database access and manipulation, exfiltration of sensitive data, remote takeover of users’ sessions and website defacement.
The identified vulnerabilities are as under:
a. SQL injection in database
b. Citizens’ data leakage
c. Cross-site scripting
d. Unencrypted/plain text transfer of users’ credentials
e. Cross-site request forgery
f. Microsoft IIS Tilde directory enumeration
g. Internal IP addresses and server-side paths disclosure
h. Session cookies lacking secure flags
i. Server/ASP.NET version disclosure
j. Stack traces and error messages on web pages
k. Server-side technology stack documentation pages on public website.
Details of the impact of the above-mentioned vulnerabilities and guidelines for prevention can be downloaded from https://download1.fbr.gov.pk/Docs/202131115323494Advisory8.pdf