Sify is one of India’s leading integrated Information Communications Technology companies. Sify was one of the first private sector player to offer internet access, when internet access was opened to private sector. It leased international bandwidth from global vendors, domestic connectivity from telecom players and set up last mile connectivity by multiple methods: wi-fi connections using roof top antennae, copper connections using phone lines or cable TV connections. Sify also started providing internet network connectivity for business enterprises in India. Sify set up a chain of franchised internet cafes (today a network of over 3,300+ cybercafes).
A critical Blind SQL Injection vulnerability has been discovered in Sify web portal. Any malicious black hat can create much more devastating attacks using this critical flaw which includes but not limited to – Uninterrupted database access; Database Dump; Possibility of shell uploading which may result in defacement of website.
Proof Of Concept
No data has been dumped; we just randomly tried the security of sify’s website and within no time this flaw has been discovered. After this various other flaws were also noticed. Database has been accessed just to take screenshots so that we can make company believe that the vulnerability actually exist.
Later on, we sent a reminder email to sify highlighting the said vulnerability and asked them to fix the same (in addition to dozens more) but it seems they didn’t even bother. So atlast we decided to post this disclosure publically.