[ISN] United Nations Website Contains SQL Injection Flaws Three Years After Hack, Researcher Says

From: InfoSec News <alerts_at_private>
Date: Tue, 24 Aug 2010 02:53:43 -0500 (CDT)
http://www.darkreading.com/vulnerability_management/security/vulnerabilities/showArticle.jhtml?articleID=226900111

By Kelly Jackson Higgins
DarkReading
Aug 23, 2010 

Three years after the United Nations' website was defaced by activist 
hackers using a SQL injection attack, the site still contains multiple 
instances of these vulnerabilities.

Security researcher Robert Graham, CEO of Errata Security, did his 
now-annual checkup on the UN site and found that while the UN had 
removed the bug that was exploited in the August 2007 attack, the site 
is still rife with multiple SQL injection vulnerabilities.

In the 2007 defacement, attackers replaced then-Secretary-General Ban 
Ki-moon's speeches with some of their own calling for "peace forever" 
and "no war." The attackers exploited a SQL injection bug.

"In what's become a yearly blogpost, the UN still has not fixed the SQL 
injection problems that led to their website being hacked back in 2007," 
Graham blogged today. "For example, if you click on 'print this 
article', then use that URL instead, the SQL injection still works."

[...]


_______________________________________________________      
Subscribe to InfoSec News - www.infosecnews.org
http://www.infosecnews.org/mailman/listinfo/isn
Received on Tue Aug 24 2010 - 00:53:43 PDT
