Section: World-wide News/Products & News

This is a Classic SQL Injection Vulnerability (22.04.08)
Residents of Oklahoma State have reportedly been hit with the bad news that tens of thousands of their names, social security numbers and allied data were effectively available on the Web for around three years.

The source of the problem, says Fredrick Lee, a software security researcher with Fortify Software, the application vulnerability specialists, is poor coding on the state's Department of Corrections Web site. "This is a classic SQL injection vulnerability," he said, adding that, in this case, the security lapse could easily have been caught with a simple code review.

According to Lee, had some form of automated analysis been part of the release procedure for this Web site, the incident could have been avoided. "The sad thing is that vulnerabilities like these indicate to attackers that other related applications and organizations are probably vulnerable as well," he said.

According to newswire reports, anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by the Oklahoma DoC Web site. Then, by the simple process of amending the long URLs returned by the site, they could retrieve tens of thousands of social security numbers and their allied data from the site.

For more information on the (Fortify: ra)
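To make the "classic" flaw Lee describes concrete, here is an added illustration (not code from the article, Fortify or the Oklahoma DoC site): a lookup that pastes a URL parameter into its SQL text beside the parameterized version that a code review or static analysis would steer it towards. Table name, column names and the records are constructed for the example.

```python
import sqlite3

# Constructed sample data (fictional names and SSNs), not from the original article.
RECORDS = [
    (1001, "A. Example", "000-00-0001"),
    (1002, "B. Example", "000-00-0002"),
    (1003, "C. Example", "000-00-0003"),
]


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the kind of records table the article describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)", RECORDS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, offender_id: str) -> list:
    """The flaw: the URL parameter is spliced into the SQL text, so whatever
    the parameter contains is parsed as SQL rather than treated as a value.
    A single record request can thus turn into a query over the whole table."""
    sql = f"SELECT name, ssn FROM offenders WHERE id = {offender_id}"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, offender_id: str) -> list:
    """The fix: validate the parameter's shape, then bind it through a
    placeholder so the database engine never interprets it as SQL."""
    if not offender_id.isdigit():
        return []
    return conn.execute(
        "SELECT name, ssn FROM offenders WHERE id = ?", (int(offender_id),)
    ).fetchall()


def compare(offender_id: str) -> dict:
    """Row counts returned for the same parameter by both implementations."""
    conn = make_db()
    try:
        return {
            "vulnerable": len(lookup_vulnerable(conn, offender_id)),
            "safe": len(lookup_safe(conn, offender_id)),
        }
    finally:
        conn.close()
```

A static analyser flags `lookup_vulnerable` because tainted input reaches a query string; the parameterized form has no such data flow, which is the kind of release-time check Lee says would have prevented the exposure.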