http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=220000005

By Kelly Jackson Higgins
DarkReading
Sept 11, 2009

A Romanian hacker well-known for discovering SQL injection vulnerabilities in high-profile Websites has struck again -- this time on RBS WorldPay's site, where he says he hit the jackpot, the company's database.

The hacker, who goes by "Unu," says he accessed RBS WorldPay's database via a SQL injection flaw in one of its Web applications. RBS WorldPay maintains Unu accessed a test database that didn't carry any live data, and that no merchant or cardholder data accounts were compromised. The company has since taken down the pages.

Unu says the company's response to his email warning of the vulnerability, as well as other security problems, was "unprofessional" and "confused."

"If the parameter is not well-secured, besides the legitimate request from the database -- which is related to that parameter -- other applications data can insert," he says. "The vulnerable parameter allows full access to databases on [the] server."

[...]

Received on Mon Sep 14 2009 - 00:15:04 PDT