Original post (02/01/2002)

<Cut Here------------------------

Blue Boar:

Hi. This post is similar to DeveloperStore... OK. I post this to alert people; people must see how companies handle security, and to educate people too. I think you did a great job alerting Microsoft last time; it would have been nice for me to get the same attention from Microsoft. Now I have found this. I contacted pgp.com but I didn't get any response, and the hole still exists. Maybe you want to contact and alert them. I use the resources that I have to make contact; I can't afford an international telephone call. It's up to you to decide what to do with this post. Any kind of action you take will be right. Thanks. Regards.

---------------0-------------Cut Here--->

Pgp.com selling security, showing insecurity.

Description:

A hole in a script page in pgp.com allows the execution of arbitrary SQL commands.

http://www.pgp.com/naicommon/partners/tsp-seek/latam/resellers/resellers.asp?Country=')%20%20union%20all%20select%201,2,3,4,5,srvname,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20from%20master.dbo.sysservers--

If this exists it may have little brothers. This occurs for lack of input validation... I think no more explanation is necessary.

I filled in this form last Thursday (01/24/2002):

http://www.pgp.com/aboutus/contactus/report.asp

I didn't check the field "I do not require a response." Then I submitted, and this message was displayed:

Report a problem
Thank you. Your suggestion has been sent. We try our best to respond within 3 business days.

Today (02/01/2002) I'm still waiting for a response or for the hole to be fixed.

When I was constructing the sample exploit URL (01/29/2002), I hoped to fire some IDS or database alarms so that they would see it and fix the problem, but I had no luck. I raised almost 30 errors and no alarm was fired, I think. Or maybe alarms were fired but nobody checked them.

Conclusions:

This company has a lot of work to do in securing their sites. It seems that there isn't an IDS or... nothing. So any hacker is free to play in their sites without being caught. This is an example of a company that says: "Do what I say, not what I do." I don't remember what the last "P" stands for. Maybe Privacy?

------------------------0--------------------------

What happened:

Blue Boar denied the post; he told me that he had contacted someone at NAI and he was going to prod them for a couple of business days, and then he would ask me to repost. I agreed and waited. Every day I checked, and the hole was still there until yesterday, when the sample link didn't work but I got an SQL error message. At first I was confused, because if they had changed the script they must have fixed it, but instead of fixing it they tricked the script to filter some characters, and I could exploit the hole anyway. The script filtered the following chars: "--", "=", ";" and others. So the sample link got an error, but they didn't filter "'", "like", "(", ")" and others, so the hole could be exploited again:

http://www.pgp.com/naicommon/partners/tsp-seek/latam/resellers/resellers.asp?Country=')%20union%20all%20select%201,2,3,4,5,srvname,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22%20from%20master.dbo.sysservers%20where%20('1'%20like%20'1

I don't know why they did that; maybe they want to learn some SQL injection techniques (at the cost of exposing their info!!!) or they want to challenge me and catch me. (I left them some nice messages in the logs.)

The hole was fixed today (02/06/2001) or last night, very late. They haven't contacted me. Never mind, I know what to do next time.

I want to ask you to think about this, because NAI is a security-related company and I can't believe the way they handle security.

...Always helping the fools.

Cesar Cerrudo.
Parana, Entre Rios.
Argentina.
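The post describes two things worth seeing side by side: a query built by concatenating the Country parameter, and an interim "fix" that stripped a few tokens ("--", "=", ";") while still concatenating, which the second URL bypassed with "like" and a balanced quote/paren. The following is an added example, not code from the post or from pgp.com/NAI; it uses an in-memory SQLite database with a constructed schema (the resellers and linked_servers tables stand in for the real reseller lookup and for master.dbo.sysservers, whose real structure the post does not show). It reproduces the shape of the two payloads from the post against the concatenating and the blacklisting lookups, and shows that a parameterized query treats the same input as a plain literal.

```python
import sqlite3

# Constructed in-memory schema standing in for the reseller lookup; table and
# column names are assumptions for this example, not the real pgp.com schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE resellers (name TEXT, country TEXT);
        INSERT INTO resellers VALUES ('Reseller A', 'Argentina'),
                                     ('Reseller B', 'Chile');
        -- stands in for master.dbo.sysservers in the post
        CREATE TABLE linked_servers (srvname TEXT);
        INSERT INTO linked_servers VALUES ('DBSRV01'), ('DBSRV02');
    """)
    return conn


def lookup_concat(conn, country):
    """Vulnerable: the query text is assembled from the raw parameter,
    which is what the post says resellers.asp did."""
    sql = ("SELECT name, country FROM resellers WHERE country IN ('"
           + country + "')")
    return conn.execute(sql).fetchall()


# The tokens the post says the interim fix filtered out.
BLACKLIST = ("--", "=", ";")


def lookup_blacklist(conn, country):
    """Still vulnerable: strips a few tokens, then concatenates anyway.
    Anything not on the list (quotes, parens, LIKE) passes straight through."""
    for token in BLACKLIST:
        country = country.replace(token, "")
    return lookup_concat(conn, country)


def lookup_param(conn, country):
    """Hardened: the value is bound as a parameter, so it can only ever be
    compared against the country column and never alters the statement."""
    sql = "SELECT name, country FROM resellers WHERE country IN (?)"
    return conn.execute(sql, (country,)).fetchall()


# Payloads with the same shape as the two URLs in the post, adapted to this
# two-column constructed schema (the post's real query had 22 columns).
PAYLOAD_COMMENT = "') UNION ALL SELECT srvname, 'x' FROM linked_servers --"
PAYLOAD_LIKE = ("') UNION ALL SELECT srvname, 'x' FROM linked_servers "
                "WHERE ('1' LIKE '1")


if __name__ == "__main__":
    db = make_db()
    print("concat, normal input :", lookup_concat(db, "Argentina"))
    print("concat, union payload:", lookup_concat(db, PAYLOAD_COMMENT))
    print("blacklist, like payload:", lookup_blacklist(db, PAYLOAD_LIKE))
    print("param, like payload  :", lookup_param(db, PAYLOAD_LIKE))
```

Running it shows the concatenating lookup returning rows from linked_servers for the first payload, the blacklisting lookup still returning them for the second payload (the stripped tokens are simply not needed), and the parameterized lookup returning nothing, because the whole string is compared as one country name. Binding parameters is the fix the post's "lack of input validation" remark points at; an allow-list of expected country values on top of it would also have turned the "almost 30 errors" into a clean rejection rather than SQL error pages.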
This archive was generated by hypermail 2b30 : Wed Feb 06 2002 - 13:14:43 PST