Friday, September 07, 2007

The Non-Defense Department

Lisa Vaas writes on eWeek:

On July 18, Sunbelt Software came across a SQL command passed as a query within a URL belonging to an arm of a European country's military. With that, any visitor can pass queries in the URL straight to the back-end database and squeeze out any data, no password required.

At the time, the URL displayed what Sunbelt President Alex Eckelberry calls an "infantile" security screw-up: Namely, putting production code and a back-end database into the hands of anybody who wanders by. It was, in other words, a serious security vulnerability that even the most basic security policy should have forbidden, never mind the security policy of a major defense agency.

Sunbelt, of Clearwater, Fla., alerted security researchers from the country in question. They in turn assured Sunbelt that they would notify the defense agency.

End of story? Unfortunately not. Six weeks later, Sunbelt checked the site and found it was still a sitting duck, serving up military base information to any visitor who knows how to frame a SQL query, telling potential attackers exactly which database it was running and what operating system it was using, thereby painting a day-glow arrow toward the exact class of known vulnerabilities and exploits that could bring it to its knees.

More here.
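The flaw the article describes, the raw query string of a URL handed straight to the database, shown beside its parameterized fix. This is an added example, not code from the post or from the site in question; the in-memory SQLite table, the base names and the function names are constructed for illustration.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# Constructed sample data standing in for the base-information table the article mentions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bases (name TEXT, region TEXT, status TEXT)")
    conn.executemany("INSERT INTO bases VALUES (?, ?, ?)",
                     [("Base Alpha", "north", "public"),
                      ("Base Bravo", "south", "restricted")])
    conn.commit()
    return conn

def vulnerable_lookup(conn, url):
    """The pattern the article describes: the URL's query string is executed as-is."""
    params = parse_qs(urlsplit(url).query)
    sql = params.get("q", [""])[0]
    try:
        # Whatever statement the visitor typed runs with the application's privileges.
        return conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # Echoing the driver's error back is what tells a visitor which engine is running.
        return [("error", str(exc))]

def hardened_lookup(conn, url):
    """Fixed form: a fixed statement, a bound parameter and only rows meant to be public."""
    params = parse_qs(urlsplit(url).query)
    region = params.get("region", [""])[0]
    if not region.isalpha():   # allowlist the one value this page actually needs
        return []
    return conn.execute(
        "SELECT name FROM bases WHERE region = ? AND status = 'public'", (region,)
    ).fetchall()
```

The hardened form also answers a malformed parameter with an empty result rather than a database error, so nothing about the engine or its version reaches the visitor.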
