Hospital Management System

1. // .c0mrade
2. // 6-16-12
3. // Hospital Management Systems
4. // https://www.twitter.com/officialcomrade
5.  
6. Hello, my minions. Let me start off by answering some questions.
7.  
8. Q: Why do you do what you do?
9. A: I'm not in it for treason or pedestrianizing millions around the world, I'm solely in it because Computer Security is the most fitful outlet for me. Nowadays, the Hacking community is motile. There's hundreds of group who are hostile and make freedom-ring by indulging in illegal matters and leaking information on Websites to industrialize themselves within the scene.
10.  
11. Q: Lets be clear, are you a White Hat or a Black Hat?
12. A: I'd consider myself a Grey Hat. I use to run around like Rambo with my underwear strapped to my back publicizing private information but that isn't the case now, it's a matter of taste, my friends. No matter what we do in this era, the Government will always look at us as some heavily-reigned criminals. I'm one who's swallowed that and accepted it. Thing is though, our Government is far more monomaniac then us. Think of it like that when you're in custody, my kids.
13.  
14. Let's go!
15.  
16. Amongst those affected include:
17.  
18. [+] www.durdans.com
19. [+] www.sunetra.org
20.  
21. [+] Security Issue => Hospital Management System
22. [+] Vulnerability => Software Vulnerability. Application setup is dreadful. Systematically, they gather together Hospital records and form it into one, easily accessible but hard to target because what's in the application itself, only the Administrator can see as nothing is remote and nothing is channeled throughout the stream.
23. [+] Risk Potential => Thousands of inpatients and outpatients affected. Payment and Billing info also at risk.
24. [+] Miscellaneous => I had access to the source code. I had a high-end when it came to exploiting it. I connected to the Software, studied it, and saw that it was making foreign connections outside its jurisdiction. Furthermore, I connected to it remotely using the username, "emp0001", and password, "admin" - w00t! root.
25.  
26. I've yet to report the matter to those who created the dreadful piece of software. I plan on calling them later this afternoon.
27.  
28. Pictures:
29.  
30. http://i46.tinypic.com/2qby68x.png
31. http://i46.tinypic.com/2i8vtzr.png
32.  
33. [+] Solution => The Data circuit can be defected even if you were to patch the Software Vulnerabilities. I'd recommend dismantling the Sub Connection it reads the data from and perhaps even making some mild changes to the hosting you've got. Application reads from Database => Pulls information that's requested => Attacker now has the ability to do whatever the fuck he wishes. Fix is mildly simple. Thanks!
34.  
35. // c0mrade
36. !https://www.twitter.com/officialcomrade
37. #out