[ISN] Giuliani campaign fixes dangerous flaw on new Web site

From: InfoSec News (alerts@private)
Date: Mon Mar 26 2007 - 22:55:38 PST


March 27, 2007

Republican presidential front-runner Rudy Giuliani's campaign hurriedly 
fixed its official website late Monday to remove a dangerous design flaw 
that could have allowed hackers to expose personal information submitted 
by volunteers.

The vulnerability affecting Giuliani's site, 
http://www.JoinRudy2008.com, could have exposed confidential information 
stored in the campaign's databases. The website failed to block commands 
that can instruct it to improperly display sensitive information, a 
popular hacking technique known as "structured query language 

The campaign fixed the website hours after The Associated Press notified 
it about the problem. No personal information was compromised, 
spokeswoman Maria Comella said.

"The site has multiple levels of security to detect intrusions and 
ensure no user's identity was put at risk," Comella said.

The campaign launched its new site last week. Giuliani described it in 
e-mails as "the place where any American can go to learn about my record 
and join our campaign" and urged supporters to tell their friends about 
the site.

Its privacy policy reassures Internet visitors that the Giuliani 
campaign "considers your privacy paramount, and we are dedicated to 
protecting your privacy on the Internet."

SQL injection vulnerabilities have been implicated in large-scale Web 
break-ins. The technique is among the most critical Internet security 
vulnerabilities compiled by the SANS Institute, a cybersecurity research 
organisation, and is the subject of warnings by the U.S. Computer 
Emergency Readiness Team, part of the Homeland Security Department.
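The article only describes the flaw in general terms: the site passed visitor-supplied text straight into database commands. The following Python example is added here to make that concrete; it is not code from the article, the AP, or the campaign's site, and the table name, column names and volunteer rows are constructed for illustration. It builds an in-memory SQLite table, shows a lookup that concatenates user input into the query (the class of defect the article describes) next to the same lookup with a bound parameter, and can be run to confirm that only the concatenated form lets a crafted input widen the query.

```python
import sqlite3

# Constructed sample data standing in for a campaign volunteer table
# (hypothetical table and column names, not from the article).
VOLUNTEERS = [
    ("alice", "alice@example.com", "555-0100"),
    ("bob", "bob@example.com", "555-0101"),
]


def make_db():
    """Create an in-memory SQLite database holding the sample volunteers."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE volunteers (username TEXT, email TEXT, phone TEXT)")
    conn.executemany("INSERT INTO volunteers VALUES (?, ?, ?)", VOLUNTEERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Lookup built by string concatenation.

    The caller's text becomes part of the SQL command itself, so quote
    characters in the input change the meaning of the WHERE clause.
    This is the defect pattern the article attributes to the site.
    """
    sql = (
        "SELECT username, email, phone FROM volunteers "
        "WHERE username = '" + username + "'"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Same lookup with a bound parameter.

    The driver sends the SQL text and the value separately; the value is
    compared literally and can never be interpreted as SQL, whatever it
    contains. This is the standard fix for the flaw described above.
    """
    sql = "SELECT username, email, phone FROM volunteers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # The textbook test value used to show why concatenation is unsafe:
    # it closes the quoted literal and appends an always-true condition.
    probe = "x' OR '1'='1"
    print("concatenated  :", lookup_vulnerable(db, probe))     # every row
    print("parameterized :", lookup_parameterized(db, probe))  # no rows
```

Running the module prints every volunteer row for the concatenated query and an empty result for the parameterized one, which is the check a reviewer would apply to any database access path that takes text from a web form: if the same input yields different row counts between the two forms, the concatenated form is exposing data it should not.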

"Anybody who knows anything about security could have found these 
problems in two seconds," said Marc Maiffret of eEye Digital Security 
Inc., a researcher who examined Giuliani's website at AP's request.

The Federal Trade Commission sued Guess? Inc. in July 2003 over 
allegations it failed to protect consumers' personal and credit 
information because the fashion company's website was vulnerable to the 
same design flaw. The FTC's rules do not apply to presidential 
candidates, only companies, so there was no such legal exposure for the 
Giuliani campaign.

Giuliani's business firm, Giuliani Partners, offered cybersecurity 
consulting services under a partnership with Ernst & Young until about 

Copyright 2006 AP DIGITAL

This archive was generated by hypermail 2.1.3 : Mon Mar 26 2007 - 23:01:50 PST