Security holes in SA's most expensive website

06 Mar 2013 by
| Filed in Web World
As a follow-up to the Free State WordPress website disaster article, LIRON SEGEV takes a closer look, thinking that since millions were paid, at the very least the website produced must have amazing content.

I was wrong. Just when you think it couldn’t possibly get any worse – it does.

Arthur Goldstuck, in his article on Gadget, reveals the line-item cost of each component of the tender, which shows just how much the Free State government spent on its site.

According to the article: “The Free State Provincial Government comprises 11 departments, including the Office of the Premier. Along with the Metro, the first line item therefore comprises 12 sites, for a total cost of R4 200 000.”

Nicola Mawson reported on ITWeb that “the deal includes hosting and security from the State IT Agency (SITA).” This is according to Mondli Mvambi, Director: Media Strategy & Liaison for the municipalities, who confirms it in a letter.

So, it might not be pretty, but at least it is secure, right?

Wrong.

R4 200 000 = Office of the Premier site:

I looked at the Office of the Premier site and this too was created by the WordPress theme generator. This is no longer shocking, but what is shocking is that this site was created using WordPress version 3.3.1 (compared to the main site, which is on version 3.4.1).

Surely this is not right. A quick search of the web reveals just how easily this version of WordPress can be exploited and how many security risks it poses.

It doesn’t end there. The rest of the departments are made up of a mixed bag of WordPress themes of varying versions – all with exploits and vulnerabilities:

• Department of Agriculture & Rural Development
• Department of Education
• Department of Health
• Department of Cooperative Governance and Traditional Affairs
• Public Works
• Dept of Roads, Police, Transport
• Social Development
• Sports, Arts, Culture and Recreation
• Department of Treasury
• Economic Development, Tourism & Environmental Affairs

The only department that remains unknown is the Department of Human Settlements FS.

How can SITA “include hosting and security”? I would ask for my money back from SITA.

R1 600 000 for various entities

The next item on the tender list is the various entities. This section is made up of four bodies: the Free State Tourism Authority, the Free State Gambling and Liquor Board, the Free State Development Corporation and Centlec, the local electricity authority in Bloemfontein.

This had to have real value, as it cost R1 600 000, so I was a bit surprised to find that none of these entities are “clickable” when you select them from the top navigation menu.

I then discovered that if you select Provincial Entities from the BLUE menu you get access to an entire 1 PAGE per entity. No, I am not kidding.

As an example, this is what R200 000 buys you for the Gambling and Liquor Authority “site”:

That is it. There is a line at the bottom that states: “Visit our website to learn more about the Free State Gambling and Liquor Authority, our programmes and licensing processes.” However, nothing is clickable and there is no “website”.

In fact, all the other entities also consist of a “1 page site” for R200 000 each; each one ends with the same “Visit our website” line and none is clickable through to any other site.

Arthur’s report goes on to say that in Phase Four, “Testing” was budgeted for, specifying “R900 per hour x 10 persons”. Assuming, very conservatively, that three 8-hour days were allocated for testing, this would have amounted to a relatively humble R216 000. No ceiling was placed on this amount, however, and it could be ten times as high.

I guess that R900 per hour for testing doesn’t actually include TESTING, as within a couple of clicks I found error pages, incomplete links and menu items that don’t work.

As an example: if you click on FEZILE DABI municipality from the top menu (we know that the main menu doesn’t work) you do get a page which tells you the weather, but the images don’t load. There is a map that, when you click on it, gives you error pages that expose even more information for any would-be hacker, such as the version and the operating system of the web hosting server – SITA is not doing such a great job of securing this site.
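
The two problems found above, a WordPress install that announces an out-of-date version in its pages and error responses that leak the web server's software and operating system versions, are things the owner of a site can check on their own installs. Below is an added example, not code from the article, from Gadget or from SITA, that runs such an inventory check over a constructed sample response; the baseline version, the sample HTML and the sample headers are assumptions.

```python
"""Inventory check for sites you administer: flag an out-of-date WordPress
version announced by the generator meta tag, and server/OS version strings
leaked in response headers. Added example; not the article's or SITA's code."""
import re
from typing import Dict, List, Optional, Tuple

# Assumed baseline: anything below this is treated as out of date.
MIN_WP_VERSION = "3.5.0"

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']',
    re.IGNORECASE,
)

def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.3.1' into (3, 3, 1) so versions compare numerically rather
    than as strings (string comparison would put '3.10' before '3.9')."""
    return tuple(int(p) for p in v.split("."))

def wordpress_version(html: str) -> Optional[str]:
    """Version string from the generator meta tag, or None if it is absent."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None

def disclosing_headers(headers: Dict[str, str]) -> List[str]:
    """Headers whose value carries a version number or a bracketed OS name,
    e.g. 'Apache/2.2.22 (Ubuntu)'. A bare product name such as 'Apache' passes."""
    found = []
    for name in ("Server", "X-Powered-By"):
        value = headers.get(name, "")
        if re.search(r"\d+\.\d+|\(", value):
            found.append(f"{name}: {value}")
    return found

def audit(html: str, headers: Dict[str, str]) -> List[str]:
    """Collect findings for one response (page body plus headers)."""
    findings = []
    ver = wordpress_version(html)
    if ver is not None and parse_version(ver) < parse_version(MIN_WP_VERSION):
        findings.append(f"WordPress {ver} is below baseline {MIN_WP_VERSION}")
    findings.extend("version disclosure in " + h for h in disclosing_headers(headers))
    return findings

# Constructed sample response, not captured from any real site.
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 3.3.1" /></head></html>'
SAMPLE_HEADERS = {"Server": "Apache/2.2.22 (Ubuntu)", "X-Powered-By": "PHP/5.3.10"}

if __name__ == "__main__":
    for line in audit(SAMPLE_HTML, SAMPLE_HEADERS):
        print(line)
```

Hiding the generator tag and trimming `Server` to a bare product name does not patch anything; the fix for the first finding is still upgrading WordPress.
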
Someone didn’t test so well. The good news is that, according to Mondli Mvambi, Director: Media Strategy & Liaison for the municipalities:

"The websites of municipalities will go live as and when existing contracts of municipalities terminate and municipalities transfer to the integrated project. Financial expenditure is not incurred in respect of the hosting, maintenance and update of sites that are not yet live."

I wonder what they paid for their current non-functioning mini websites?

If you fail to plan, you plan to fail.

This kind of awesomeness in a site doesn’t just happen. It has to be planned. For this there is a bill: “planning the Free State government website was R9 550 000”.

I guess planning to have captions added to photos so we know what we are looking at, or having the facility to tell us who is in the picture, was just “out of scope”, as the Gallery simply loads images. If you are planning on applying for a job, apparently there are plenty, and no one has been able to fill any position since January 2012, as that is how far back the active job vacancies go.

Site Management

There are many references to “Content Generation and Management”, which according to the tender document runs into millions of rand. I am not sure who is managing the site, but it seems like they skipped the basic principles of site management. Comment moderation is critical, especially on a government site, to prevent nutters and radicals from taking over the site. This has not happened here. Anyone can post anything with no moderation at all, including swearing, adverts and anything goes. Spammers are having a field day. So if you are looking for cheap Nike shoes, head over to one of the news items on the site and look at the comment section:

My favorite is someone who posted the words to a Queen song:

In a twist of fate, under Upcoming Events, the Free State Provincial Budget Speech will be held on the 6th of March (I am assuming this year). I am sure they will have lots to discuss.

To end, I would like to quote from the disclaimer on the site: “The FSPG shall not be liable for any failure to respond.” I couldn’t have said it better myself.

* Liron Segev is also known as The Techie Guy. You can read his blog at www.thetechieguy.com or follow him on Twitter at @Liron_Segev

* Follow Gadget on Twitter at @GadgetZA