Case report: Professional Designer

UAEpd, aka “Professional Designer” (uaepd.net), is a company based in the United Arab Emirates. Vendor description: “Professional designer company is specialized in information technology and development, hosting and create web sites”. UAEpd offers website scripts for companies. These scripts are based on a proprietary Content Management System (CMS) developed in PHP.

I tested three sites using this CMS during July. UAEpd apparently owns one of the tested sites: UAE Directory for Advertising and Shopping (uaedir.ae).

Test results: several SQL injection (SQLi) and reflected Cross-site Scripting (XSS) vulnerabilities were found. Related finding: passwords are stored Base64-encoded, which is a reversible encoding, not a hash.
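As an added illustration (not the vendor's code and not the test scripts used for this report), the following Python audits an exported password column for Base64-encoded plaintext and shows the migration to a salted, iterated hash; the sample rows, account names and the pbkdf2_sha256 record format are constructed assumptions.

```python
import base64
import hashlib
import hmac
import os

# Work factor per the OWASP Password Storage Cheat Sheet for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def decode_if_base64_plaintext(stored):
    """Return the original password if `stored` is Base64 of printable text, else None.

    Heuristic: Base64 is an encoding, not a hash, so anyone who can read the
    column (e.g. via the SQLi reported above) reverses it instantly."""
    try:
        text = base64.b64decode(stored, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueError
        return None
    return text if text.isprintable() else None


def audit_password_column(rows):
    """List the accounts whose stored secret is still reversible."""
    return [user for user, stored in rows if decode_if_base64_plaintext(stored) is not None]


def hash_password(password, salt=None):
    """Salted, iterated hash in a self-describing record: scheme$iters$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Constant-time check against a hash_password record; malformed records never verify."""
    try:
        scheme, iters, salt_hex, digest_hex = stored.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iters))
    except ValueError:  # wrong field count, bad hex or bad iteration count
        return False
    return hmac.compare_digest(candidate.hex(), digest_hex)


def migrate_rows(rows):
    """Re-hash every reversible secret; unrecognised formats need a forced password reset."""
    migrated, needs_reset = [], []
    for user, stored in rows:
        plain = decode_if_base64_plaintext(stored)
        if plain is not None:
            migrated.append((user, hash_password(plain)))
        elif stored.startswith("pbkdf2_sha256$"):
            migrated.append((user, stored))
        else:
            needs_reset.append(user)
    return migrated, needs_reset


# Constructed users-table export modelled on the finding (all values are made up).
SAMPLE_ROWS = [
    ("admin", "UEBzc3cwcmQh"),                                # base64("P@ssw0rd!")
    ("editor", "c3VtbWVyMjAxMw=="),                           # base64("summer2013")
    ("svc", hash_password("svc-secret", salt=bytes(16))),     # already migrated, fixed salt
    ("legacy", "{unknown}"),                                  # neither Base64 nor a known hash
]
```

Running `audit_password_column(SAMPLE_ROWS)` names the accounts whose passwords any database read exposes; `migrate_rows` converts those in place and reports the rest for a reset.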

Disclosure timeline:

  • July-31: vulnerability reports sent to UAEpd, uaedir.ae and two customer sites. No responses.
  • Aug-4: requested report delivery confirmation from UAEpd. No response.
  • Aug-9: vulnerability coordination support request sent to aeCERT (www.aecert.ae). No response.

Results of the re-test on Aug-25:

  • Two reported SQLi vulnerabilities in uaedir.ae have been fixed
  • One new SQLi issue in uaedir.ae was identified
  • XSS issue in uaedir.ae has not been fixed
  • SQLi vulnerabilities in two customer sites have not been fixed

I could write a full-disclosure report, but I am not sure if it is worth the effort. Cases like this are frustrating. The vendor does not reply, fixes only some of the reported issues and does not perform basic testing of their own code. The most frustrating part: the vendor has not fixed the customer sites.
