    My Boss.. And Security don't go together

    Water Closet
      A Former User last edited by

      So, apparently some people wanted to be able to work from home without using their county-issued laptop, which IMO is a big no-no in the first place. None of that data should ever see a computer not owned by us. But anyway, my boss the system admin said that was fine, and they also said they need a feature to email using our no-reply email address, which I think the web guy we have has done somewhere internally. Anyway, this form he has, all it does is use PHP sendmail with SMTP and the noreply email and password to send mail using the actual domain email. It has a send-to box, a message box, and a password text box, and they made the password just 'ok'. They put this up on our public-facing website and think this is fine, because no link is made to it so it's secure. SMH.

      Next they want to implement our robo calls control via this page too (publicly) while still using the 'ok' password and allowing them to enter any phone # to send it to.

      Yeah, they are great at caring about security.

        scottalanmiller last edited by

        Lol. That's a disaster waiting to happen.

          A Former User last edited by A Former User

          @scottalanmiller Especially now: they just decided to link to it, but they say you have to know the URL to get there, so it's fine; the chances of someone stumbling on it are very, very rare according to our Systems Administrator, and there's no REAL damage from people emailing/calling others.. Sure.

          They made a new menu on the public website under ourstie.org(gov)/staff so yeah that's so hard for someone to find.

          I also think that because it's just PHP code, with no validation against a database or anything, it would be pretty easy to inject code. Not only to bypass the password, but to mass spam e-mails/calls.

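The form described in the first post (shared 'ok' password, free-text recipient, no-reply SMTP credentials) and the injection worry in the post above, as an added example that is not the site's or any poster's code: the weak handler as described, next to a hardened one. Assumed: a staff session login already exists, an `ALLOWED_DOMAINS` list and the `example.org` domain are placeholders, and `mail()` stands in for whatever SMTP wrapper the site uses.

```php
<?php
declare(strict_types=1);

// WEAK, as described in the thread: one shared password, recipient and message
// passed straight through. Anyone who finds the page can use the no-reply account.
function weak_send(array $post): bool
{
    if (($post['password'] ?? '') != 'ok') {          // guessable shared secret
        return false;
    }
    // "to" is unvalidated: a value containing CR/LF would be treated as extra
    // headers by the mail transport, which is how one form becomes a spam relay.
    return mail($post['to'], 'Notice', $post['message'], "From: noreply@example.org");
}

// HARDENED: real login, CSRF token, strict recipient check, per-user rate limit, audit log.
final class NotifyMailer
{
    private const ALLOWED_DOMAINS = ['example.org'];   // assumed: staff may only mail county addresses
    private const MAX_PER_HOUR    = 20;

    /** @return array{0:bool,1:string} [sent, reason] */
    public static function send(array $post, array &$session): array
    {
        if (empty($session['user'])) {                                   // behind the staff login
            return [false, 'not authenticated'];
        }
        if (!hash_equals($session['csrf'] ?? '', (string)($post['csrf'] ?? ''))) {
            return [false, 'bad csrf token'];                            // no cross-site submits
        }
        // FILTER_VALIDATE_EMAIL accepts a single syntactically valid address only,
        // so CR, LF, commas and spaces (header injection, extra recipients) never pass.
        $to = filter_var((string)($post['to'] ?? ''), FILTER_VALIDATE_EMAIL);
        if ($to === false) {
            return [false, 'invalid recipient'];
        }
        $domain = strtolower(substr(strrchr($to, '@'), 1));
        if (!in_array($domain, self::ALLOWED_DOMAINS, true)) {
            return [false, 'recipient domain not allowed'];              // no mailing the public
        }
        $message = substr(trim((string)($post['message'] ?? '')), 0, 4000);
        // Sliding one-hour window per session: a stolen login still cannot mass-mail.
        $sent = array_filter($session['mail_sent'] ?? [], fn(int $t) => $t > time() - 3600);
        if (count($sent) >= self::MAX_PER_HOUR) {
            return [false, 'rate limit exceeded'];
        }
        $sent[] = time();
        $session['mail_sent'] = array_values($sent);
        $ok = mail($to, 'County notice', $message, "From: noreply@example.org");
        error_log(sprintf('notify-mail user=%s to=%s result=%s', $session['user'], $to, $ok ? 'ok' : 'fail'));
        return [$ok, $ok ? 'sent' : 'mail() failed'];
    }
}
```

The same checks (authenticated caller, allowlisted destination, rate limit, audit log) apply unchanged to the robocall form mentioned later in the thread, where the "recipient" is a phone number rather than an address.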
            Dashrender last edited by

            You could find yourself with a huge phone bill.

            Good luck!

              scottalanmiller @Dashrender last edited by

              @Dashrender that's where people get surprised. Phone hijacking is very common.
