
Storage of personal data: the case of the Chelyabinsk region traffic police website

Unfortunately, this is another post about how leaky and sloppy government websites are.

The Traffic Police Department of the Chelyabinsk Region decided to keep up with the times and provide public services through its website, gibdd74.ru. And it turned out the way it always does.


So, hoping to get these services, we go to the appropriate page. Besides its "friendly" URL, it greets us with a list of these services:


To find out what the "State Technical Inspection of Vehicles" service is, we follow the link and click "Sign up". A form of marvelous beauty opens before our eyes, with its fields already filled in by someone! The moments of stupor and bewilderment pass, and we understand that we are looking at the personal data of the last user who filled out this form:

To verify this, we fill in the form ourselves with fake data. We follow the link again and see before us the form we have just filled out. We do not believe our eyes and still hope for a browser glitch, cookies of some sort, and so on. But no, reader: the same thing happens in another browser.

It is a similar story with registration for qualifying exams and the issuance of driver's licenses.
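The two-browser check described above, modelled as a small regression test. This is an added example, not code from the site or from the original post; the single shared server-side slot is an assumed cause (the post does not state one), and the class names, field names and canary values are constructed for illustration.

```python
import secrets


class SharedSlotForm:
    """Assumed cause of the behaviour in the post: one server-side slot
    holds the form values for every visitor, whatever their session."""
    def __init__(self):
        self._last = {}

    def submit(self, session_id, fields):
        self._last = dict(fields)      # session_id is ignored

    def render(self, session_id):
        return dict(self._last)        # pre-fills with the last submission


class PerSessionForm:
    """Hardened variant: values are keyed by the visitor's session id."""
    def __init__(self):
        self._by_session = {}

    def submit(self, session_id, fields):
        self._by_session[session_id] = dict(fields)

    def render(self, session_id):
        return dict(self._by_session.get(session_id, {}))


def leaks_across_sessions(form):
    """Submit canary data as visitor A, then load the form as visitor B
    (the 'another browser' step). True if B sees any of A's values."""
    visitor_a = secrets.token_urlsafe(16)
    visitor_b = secrets.token_urlsafe(16)
    canary = {                          # constructed test values
        "full_name": "CANARY-" + secrets.token_hex(4),
        "phone": "CANARY-" + secrets.token_hex(4),
    }
    form.submit(visitor_a, canary)
    seen_by_b = form.render(visitor_b).values()
    return any(value in seen_by_b for value in canary.values())


if __name__ == "__main__":
    print("shared slot leaks:", leaks_across_sessions(SharedSlotForm()))
    print("per-session leaks:", leaks_across_sessions(PerSessionForm()))
```

Using random canary values rather than real personal data keeps the check safe to run repeatedly and makes a leak unambiguous.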

But that's not all. We change the URL to apex/ and land on the Oracle login form.

As this form shows, the website of the UGIBDD of the Chelyabinsk region uses the free Oracle Express Edition DBMS, whose license agreement (the link to it is, ironically, on the right) permits using the product only on developers' computers.
“Why are we breaking?”

UPDATE: As it turned out, the web studio that developed the site of the UGIBDD of the Chelyabinsk region has nothing to do with the described bug. I apologize to the studio Lab.Net.

Source: https://habr.com/ru/post/108493/

