funsec mailing list archives

The Non-Defense Department


From: "Paul Ferguson" <fergdawg () netzero net>
Date: Fri, 7 Sep 2007 20:13:50 GMT

Via eWeek.

[snip]

On July 18, Sunbelt Software came across a SQL command passed as a query within a URL belonging to an arm of a European 
country's military. With that, any visitor can pass queries in the URL straight to the back-end database and squeeze 
out any data, no password required.

At the time, the URL displayed what Sunbelt President Alex Eckelberry calls an "infantile" security screw-up: Namely, 
putting production code and a back-end database into the hands of anybody who wanders by. It was, in other words, a 
serious security vulnerability that even the most basic security policy should have forbidden, never mind the security 
policy of a major defense agency.

Sunbelt, of Clearwater, Fla., alerted security researchers from the country in question. They in turn assured Sunbelt 
that they would notify the defense agency.

End of story? Unfortunately not. Six weeks later, Sunbelt checked the site and found it was still a sitting duck, 
serving up military base information to any visitor who knows how to frame a SQL query, telling potential attackers 
exactly which database it was running and what operating system it was using, thereby painting a day-glow arrow toward 
the exact class of known vulnerabilities and exploits that could bring it to its knees.

[snip]

More:
http://www.eweek.com/article2/0,1759,2180443,00.asp

- ferg


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg(at)netzero.net
 ferg's tech blog: http://fergdawg.blogspot.com/


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.