This report was fully disclosed on 29 July 2018

Summary

On 17 July 2018 Australia’s National Health Practitioner Ombudsman and Privacy Commissioner was reported to be misconfigured. Shortly after the article was published the initial issue had been resolved. Upon further investigation it was found that two backup files displayed in the previous directory listing were still publicly accessible.

Proof of Concept

119-82-150-91nhpopcgovdev-1461043056-complete-2016-04-26-16-31-54.zip and database-119-82-150-91nhpopcgovdev-1461043056.sql on the root of the website were still publicly accessible to anyone with the direct link to these files.

Inside these insecurely stored backup files a few things were found including but not limited too…

  • The website administrators password
  • The MySQL Database Name, Username and Password
  • All Settings, Posts and Content that is normally not accessible to the public / non-admin users
  • Improper use of the Wordpress Authentication Unique Keys and Salts configuration
  • Previous IP address of the website administrator
  • Backup files referenced earlier should be immediately deleted
  • Admin password should be changed
  • MYSQL password should be changed
  • If not already implemented Authentication Unique Keys and Salts should be randomized and changed

Remediation status

At the time of publishing this report the reported issue has been resolved.

Response From Affected Party

Response from [email protected]

Many thanks.

We have provided additional advice to the website administrator. I’m copying in the team who provided that to cross reference with yours.

I appreciate your contact.

Regards

Alastair

Response from [email protected]

Hi GlitchWitch,

Thank you for your email and contents.

It is very much appreciated given the attention we have received for misconfiguring the Commissioner’s website.

We have of course today as you will see deleted the archive and sql file together with removing all the dev, config, readme etc files from production.

All passwords have been reset including the MySql DB.

Again, thank you for your email and your help.

Kind Regards,

John Olah

Digital Engagement and Strategy Unit

Department of Health and Human Services

Timeline

  • 17 July 2018: Affected Party Notified
  • 18 July 2018: Affected Party Released Patch (+1 days)
  • 29 July 2018: Report Published (+12 days)