Election Commission of Pakistan “Hacker Free” Website

flag

(Sorry about the waving flag, couldn't resist the temptation.) With nothing better to do, I just visited the Election Commission of Pakistan Election Results website (yes, that's the sequel (no pun intended) to the ecp.gov.pk state-of-the-art live voter database website that I wrote about here, the one that can't find me, thereby making me a dead voter)… and was refreshing the results page every couple of minutes, when I finally managed to come across the crash that my brother had mentioned a few minutes earlier. He had also mentioned that the site is extremely slow (he is sitting in Cambridge right now), but since our mehndi.com CEO promised us servers and bandwidth not found anywhere else on the planet, I'm pretty sure it must be the UK ISPs that are too slow for the site.

Anyway, I digress… so here are the screenshots for your forehead slapping pleasure:

It seems that an Index was out of range… take a closer look… yep, the site is still running in debug mode, and the paths to the files on the server are visible.

ecp-dotnet-crash

And here's another screenshot, a 'Parser Error' this time… Oops!

ecp-dotnet-crash2
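
Error pages like these two are controlled by two settings in an ASP.NET site's web.config: `customErrors` decides whether remote visitors get the detailed page, and `compilation debug` decides whether stack traces carry source paths and line numbers. The script below is an added example, not code from this post or from the ECP site; both sample configs are constructed, and `audit_web_config` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed samples, not the real site's configuration.
WEAK_CONFIG = """<configuration>
  <system.web>
    <compilation debug="true" />
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <compilation debug="false" />
    <customErrors mode="RemoteOnly" defaultRedirect="~/error.html" />
  </system.web>
</configuration>"""


def _local(tag):
    # Drop an XML namespace prefix such as "{urn:example}system.web".
    return tag.rsplit("}", 1)[-1]


def audit_web_config(xml_text):
    """Return the settings in a web.config that expose error detail to visitors."""
    findings = []
    for node in ET.fromstring(xml_text).iter():
        # <system.web> can appear at the top level or inside <location> blocks.
        if _local(node.tag) != "system.web":
            continue
        children = {_local(child.tag): child for child in node}
        compilation = children.get("compilation")
        if compilation is not None and \
                compilation.get("debug", "false").strip().lower() == "true":
            # Debug builds put source file paths and line numbers in stack traces.
            findings.append("compilation debug=true")
        errors = children.get("customErrors")
        # ASP.NET defaults to RemoteOnly when the element or attribute is absent.
        mode = "RemoteOnly" if errors is None else errors.get("mode", "RemoteOnly")
        if mode.strip().lower() == "off":
            # Off sends the detailed error page to every visitor, not just localhost.
            findings.append("customErrors mode=Off")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_web_config(text))
```

Run against every web.config in a deployment package before it ships; an empty list means neither setting will hand visitors a stack trace.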

The vsite in the URL probably means they have multiple applications hosted on virtual servers. If you compare the Election Results website with this asp.net website, you will probably come to the conclusion that the talented developers (read interns @ 10,000 per month or less) weren't exactly familiar with either web design or the way the ASP.NET membership/roles framework works, but were rescued by Google and were able to "borrow" and copy/paste from the example to save the day.

I wouldn't be too surprised if there are a half dozen SQL injection possibilities in there, or if the website has an /admin/ folder somewhere in the URL schema (as an 'admin' section is found in 90% of websites developed by our Pakistani programmers), or if there is some left-over code from the examples that will allow anyone to register and mess with the website.

10 years ago, one message on any Pakistani IRC channel would have been enough to take this website down, but at this point in time, I can only pray that the website stays online for the next couple of days so that the mehndi.com guys get their 10 hours of crash-free fame (I think they've already had their fortune delivered to them in Canada). I also hope that they find and fix the flaws before the site gets hit by hackers, and only because I don't want the rest of the world to have one more chance to laugh at us; we can do that job ourselves.

2 Comments

  1. Geez what idiots – and in all this mess they prefer to send the entire election database to some company in Canada who does not know how to run shit

    http://www.teeth.com.pk/blog/2008/01/06/pakistani-voter-list-sent-to-montreal-for-safe-keeping-with-mehndicom-founder/

  2. Pakistani Voter List sent to Montreal for ‘Safe Keeping’ with Mehndi.com founder…

    Thanks to KO and his investigation skills we have come across yet another fiasco that will haunt the government of Pakistan in the lead up to the elections.
    In the past few weeks the Election Commission of Pakistan had hired the services of a certain M…