Drivers trying to book appointments to renew their licences in Gauteng are receiving an error from the National Traffic Information System (NaTIS) website.
Independent software contractor Tim Haak contacted MyBroadband about the issue after emailing the Road Traffic Management Corporation (RTMC) with the details on Tuesday.
Upon trying to book an appointment, NaTIS online presents an error message showing the URL dcapp08.enatis.co.za, followed by a hexadecimal-based unique identifier.
Haak, hoping to find a way to work around the error, fired up his browser’s developer console only to find that the NaTIS website was returning a JSON object with the full error details.
Included in the JSON was the SQL of the “insert” query to be executed on the website’s database, which reveals the structure of a table in the database.
Based on the information from the error message, Haak said the NaTIS website uses databinding – and would therefore not be vulnerable to an SQL injection attack.
However, this is the kind of behaviour attackers look for to gather information about a site that might help them compromise it.
“More importantly, it’s not an error that should ever be happening,” Haak said.
Rogan Dawes, a web application security specialist and assessment team leader at SensePost, confirmed Haak’s conclusions.
He said that the error is reported as a generic JDBCException, and at a higher level, a generic ActionExecutionException.
Such an exception should always be handled by the caller, while it still has an opportunity to do something about the error within the current user and application context.
“At an even more generic level, all unhandled exceptions should result in a basic error page that doesn’t externally reveal any details of the underlying implementation, or in fact, the nature of the error in the first place,” Dawes said.
Dawes added that from a cursory look at the stack trace, you can deduce the table columns, that there is a form of auditing in place, and that the implementation is using Spring Framework with Hibernate on top of Oracle.
He said there will probably be more information that he’s overlooked at first glance, such as their authentication framework.
“So, while this does not represent a direct compromise, it is a leak of internal implementation details that may assist an attacker in further attacks,” Dawes warned.
RTMC was asked for comment, but it did not respond by the time of publication.
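The generic error response Dawes describes could look like the following in a Spring application. This is an added example, not code from NaTIS or from the original article; it assumes Spring MVC with SLF4J and Hibernate on the classpath, and the package, class name, messages and status codes are illustrative choices.

```java
package example.errors; // hypothetical package name

import java.util.Map;
import java.util.UUID;

import org.hibernate.JDBCException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.ExceptionHandler;
import org.springframework.web.bind.annotation.RestControllerAdvice;

// Applies to every controller: no exception reaches the client unfiltered.
@RestControllerAdvice
public class GenericErrorAdvice {

    private static final Logger log = LoggerFactory.getLogger(GenericErrorAdvice.class);

    // Database failures (assumed here to be Hibernate's JDBCException):
    // the SQL and SQLState stay in the server log, never in the response body.
    @ExceptionHandler(JDBCException.class)
    public ResponseEntity<Map<String, String>> onDatabaseError(JDBCException ex) {
        String reference = newReference();
        log.error("Database error, reference={}, sqlState={}, sql={}",
                reference, ex.getSQLState(), ex.getSQL(), ex);
        return generic(HttpStatus.SERVICE_UNAVAILABLE, reference);
    }

    // Catch-all for anything a caller did not handle. In a real application,
    // map expected client errors (validation, not found) separately to 4xx.
    @ExceptionHandler(Exception.class)
    public ResponseEntity<Map<String, String>> onUnhandled(Exception ex) {
        String reference = newReference();
        log.error("Unhandled exception, reference={}", reference, ex);
        return generic(HttpStatus.INTERNAL_SERVER_ERROR, reference);
    }

    // Random reference: lets support staff find the log entry without
    // exposing hostnames, class names, SQL or the nature of the error.
    private static String newReference() {
        return UUID.randomUUID().toString();
    }

    private static ResponseEntity<Map<String, String>> generic(HttpStatus status, String reference) {
        return ResponseEntity.status(status).body(Map.of(
                "message", "Something went wrong. Please try again later.",
                "reference", reference));
    }
}
```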