[ISN] U.S. Army Website Hacked

From: InfoSec News <alerts_at_private>
Date: Wed, 13 Jan 2010 00:53:35 -0600 (CST)
http://www.darkreading.com/database_security/security/app-security/showArticle.jhtml?articleID=222300588

By Kelly Jackson Higgins
DarkReading
Jan 12, 2010

Romanian hackers continue to have a field day with SQL injection flaws 
in major Website applications: A vulnerability in a U.S. Army Website 
that leaves the database wide open to an attacker has now been exposed.

"TinKode," a Romanian hacker who previously found holes in NASA's 
Website, has posted a proof-of-concept on his findings on a SQL 
injection vulnerability in an Army Website that handles military 
housing, Army Housing OneStop. TinKode found a hole that leaves the 
site, which has since been taken offline, vulnerable to a SQL injection 
attack. "With this vulnerability I can see/extract all 
things from databases," he blogged.

TinKode was able to gain access to more than 75 databases on the server, 
according to his research, including potentially confidential Army data. 
He also discovered that the housing site was storing weak passwords in 
plain text. One password was AHOS, like the site's name.

"Four-character passwords that are the same name as the database table 
names are inexcusable," says Robert "RSnake" Hansen, founder of 
SecTheory.

[...]


Received on Tue Jan 12 2010 - 22:53:35 PST
