Lagos Chamber of Commerce DB is open

Has anyone seen this? http://www.lagoschamber.com/directory.php
The entire company database for the Lagos State Chamber of Commerce is open for browsing.

Mod note: Edited url

Another one?
@lordbanks: um, I moved this to Cabal… Over to you

Why did you do that? The OP doesn’t have the same privilege. Are you planning on excluding them from a conversation they started?

EDIT: I surmise that you were trying to be helpful by “reporting” a suspicious thread. If you think there’s a problem with a thread, flagging it is sufficient to call the attention of a moderator.

Did I do something wrong?

I’m sorry sir. :pensive:
Trying to be helpful.


No biggie, I was just alarmed.

@chris You’ve done nothing wrong, but the mods want to hide this thread. We generally don’t like to enable people who can take advantage of manifestly vulnerable platforms like the one you linked to. I hope this is alright?

@lordbanks Please what is a manifestly vulnerable platform? I have clicked on the link a couple of times already!

Yes. What’s manifestly vulnerable about the LCC’s public directory?

They even have a user-friendly search form - http://www.lagoschamber.com/directory.php

Don’t be alarmed, @lordbanks is a lawyer, so he is allowed to use some legalese big words :slight_smile: :slight_smile:

In simple terms, I think he means that some people might take “unlawful” advantage of the information and he doesn’t want Radar to be the platform where such will be encouraged.

In one word, he wants to be a good neighbour to LCC

I don’t see any obvious vulnerability. The site merely exposed public information of companies: names, emails, phone numbers, addresses. You can get same from Vconnect and other public directories.

@techscorpion & @Ndianabasi you’re both right that there’s a search function for what appears to be a public directory. Now you guys are the experts, so correct me if I’m wrong but does this directory not appear to be easy for scraping? I only say that because several results are displayed on a page, compared to say another public directory like ACCA, where you get one result per page.

To be clear, OP’s done nothing wrong. But then I guess it wasn’t clear what the intention of the post was, and if there’s indeed a grey area, not sure we want to explore it. So what do you think?

BTW, why do people insist on giving out email addresses on public forums, by replacing . with dot, @ with at, etc? Any decent crawler will easily decode it and still scrape the emails. Seems futile to me but you guys are the experts…
@Chris,

Kindly confirm if the below is accurate:

I believe you are referring to an SQL injection vulnerability via the link provided.

@lordbanks, @seyitaylor, @other-mods

Maybe Radar “needs”? or deserves a Responsible Disclosure category?

I am referring to vulnerabilities affecting Nigerian-centric web applications, etc.

To a dedicated automated scraper, there is very little difference between 1 and n results per page. The programmer’s work is definitely easier if you can get all the results by enumerating through the numbers in the original URL that OP pasted instead of using the search function.

However, I assume all the companies in the LCC database want to be discovered and since the information the LCC is providing is not sensitive and already in the public domain, I’m intrigued as to why the directory has been classified as a manifestly vulnerable platform.

Having said that, I didn’t run an SQL injection or similar vulnerability test on the URL, which if it applies, may explain the classification.

No intrigue. And we can defer to the opinion of experts. If you think our estimation of the risk is exaggerated, I’d appreciate an actionable opinion. Should we leave it alone or not?

I think the title is fine but the URL should be changed to

http://www.lagoschamber.com/directory.php

It is more functional than OP’s deep link, which pointed to a specific company.

As @Ndianabasi mentioned, there are no obvious vulnerabilities that may affect users or LCC adversely so it is my opinion that there is no immediate risk in publishing the link.
