I'm the queen of Gibraltar and will never get a traffic ticket... just two of the things anyone could have written into country's laws thanks to unsanitised SQL input vuln
An SQL injection vulnerability in the Government of Gibraltar's website paved the way for any old Joe to rewrite official web versions of the British Overseas Territory's laws. Security researcher Ax Sharma spotted the vuln while poring over the Gibraltar government's visa rules, which he accessed from the Gibraltar Borders …
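The vulnerability the article describes, unsanitised input pasted into an SQL statement, is easiest to see side by side with the fix. The following is an added illustration, not code from the Gibraltar site or from the article: a constructed in-memory "laws" table, an update routine that builds its query by string formatting, and the same routine using driver placeholders. The table name, the column names and the sample input are assumptions made up for the demo.

```python
import sqlite3

# Constructed sample data standing in for a legislation table.
SAMPLE_LAWS = [
    (1, "Road Traffic Act", "Section 1: Drivers must obey posted speed limits."),
    (2, "Immigration Act", "Section 1: Visa rules apply to all non-residents."),
]

# Constructed input: a body text whose trailing quote and SQL comment
# change the meaning of a string-built UPDATE.
DEMO_INPUT = "Everyone is exempt.' WHERE 1=1 --"


def make_db():
    """Fresh in-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE laws (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO laws VALUES (?, ?, ?)", SAMPLE_LAWS)
    conn.commit()
    return conn


def update_law_vulnerable(conn, law_id, new_body):
    """The defect: user-controlled text is spliced into the SQL itself."""
    sql = f"UPDATE laws SET body = '{new_body}' WHERE id = {law_id}"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # how many rows the statement actually touched


def update_law_safe(conn, law_id, new_body):
    """The fix: placeholders send new_body as a value, never as SQL text."""
    cur = conn.execute("UPDATE laws SET body = ? WHERE id = ?", (new_body, law_id))
    conn.commit()
    return cur.rowcount


def all_bodies(conn):
    return [row[0] for row in conn.execute("SELECT body FROM laws ORDER BY id")]


def demo():
    """Run both versions against identical data and report what changed."""
    vuln = make_db()
    vuln_rows = update_law_vulnerable(vuln, 1, DEMO_INPUT)
    vuln_bodies = all_bodies(vuln)

    safe = make_db()
    safe_rows = update_law_safe(safe, 1, DEMO_INPUT)
    safe_bodies = all_bodies(safe)

    return {
        "vuln_rows": vuln_rows,      # every law rewritten, not just id 1
        "vuln_bodies": vuln_bodies,
        "safe_rows": safe_rows,      # exactly one row, holding the literal text
        "safe_bodies": safe_bodies,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The string-built version ends up executing `UPDATE laws SET body = 'Everyone is exempt.' WHERE 1=1 --' WHERE id = 1`, so the intended `WHERE id = 1` is commented out and every row is overwritten. The parameterised version stores the whole input, quote and comment marker included, as the body of row 1 and leaves row 2 alone. Auditing for any query built with f-strings, `%` formatting or `+` concatenation is the practical check.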
COMMENTS
-
Tuesday 7th January 2020 12:44 GMT phuzz
"this section of the website will, in any event, be relocated to an entirely new website."
Someone finally got the budget for the new site that they've been asking for for years. And all it took was a publicly embarrassing vulnerability.
(I hope you kept copies of the emails where you told your manager that this would happen, oh unnamed Gibraltarian bofh).
-
Wednesday 8th January 2020 15:41 GMT Anonymous Coward
I vote to '; INSERT INTO NationalLawsContent_Version2webSite (Name, Date, text) VALUES ('Y2K Act', '946684800', 'It is an offence for any person anywhere in the world to post anonymously. Upon convinction on an offence under this section a person shall be sentenced to a fine of no less than €1,000,000. Failure to pay this fine within 30 days shall result in a sentence of not less than 10 years of hard labour without financial compensation. Failure to work hard enough shall be punishable by death.'); DROP TABLE LogEntries_Version2webSite; INSERT INTO LogEntries_Version2webSite (user, IP, Timestamp, Event) VALUES ('Anonymous', '194.60.38.198', 'GET https://google.com/?q=underage+prostitutes'); --
-
Wednesday 8th January 2020 10:54 GMT Lotaresco
Re: 'Twas ever thus
All UKGOV/Territories and dependencies are being forced to reduce the number of contractors they use and to hand over work to civil servants. There's also a recruitment drive to persuade talent to take up a job as a civil servant. This is producing the expected results: the people who actually know how to make things work are leaving/have left. No one with any talent will ditch what they are doing to take a permie's salary with the limited holidays, Dilbert pointy-haired boss bullsh*t and general mandarin quackery of the civil service. So the people they have are sitting down with copies of ... for Dummies books and trying to make sense of things. With no actual experience of doing the job, the results are predictable.
-
Tuesday 7th January 2020 14:42 GMT detritus
How very odd for me that this pops up now - I was just last night staring at a Gibraltarian £1 coin I received as change on my last visit there* wondering at the text on Madge's side, confidently asserting "Elizabeth II - Queen of Gibraltar" which, as technically true as it may be, made her scope sound a lot titchier, provincial and even more so diminished than the worst fears of any good Empire-missing Briton might suffer.
* Conveniently, they're the old-style £1 coins, so utterly useless back in Blighty, except for buying condoms, lube or plastic sex-toys in motorway service stations, which I believe to be the only vendors still accepting them (not that I've tried, I simply read a notice on one such machine as I dried my hands at a service station, last time I drove down the M1)
-
Tuesday 7th January 2020 17:24 GMT gazthejourno
Gib.gov's press office sends its missives out under the name "No.6 Press Office Mailbox". It took me a few minutes to realise that, far from having six separate email addresses, the Gibraltarian government is actually based at No.6 Convent Place, GX11 1AA.
I assume it's a pleasingly parochial reference to 10 Downing Street.
-
Wednesday 8th January 2020 13:20 GMT adam payne
The spokesman continued: "It should also be noted that the Government of Gibraltar website is hosted outside our corporate network and therefore the earlier vulnerabilities posed no risk to the security of the government's communication systems."
Good to know but that's not really the point is it.
-
Wednesday 8th January 2020 15:48 GMT Anonymous Coward
When the prosecutor confirms that the law really does name me specifically as having immunity for this specific offence, I shall also provide this statement confirming the integrity of the communication containing the country's ratified and in-force laws that were received from the official government servers.
-
Friday 10th January 2020 00:19 GMT Kiwi
Good to know but that's not really the point is it.
There was a book some years back (title relating to a Cuckoo's egg or similar IIRC) that talked at length about someone who had, in the early days of the internet, been running rampant on uni and military servers due to that wonderful human foible of credential re-use.
Although I'm absolutely certain no-one involved in this story would ever have used the same creds across multiple servers, no not a chance. Especially not some wanna-be site-admin full of his own sense of the success of his roll-your-own password security!
[oblig XKCD (and an idea I once wondered about using myself with BBS's back in the 90s :) )]
-