homepage Welcome to WebmasterWorld Guest from 54.166.113.249
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Pubcon Platinum Sponsor 2014
Home / Forums Index / Local / Foo
Forum Library, Charter, Moderators: incrediBILL & lawman

Foo Forum

    
Does security matter?
100k websites with SQL injection for years - no hacks
graeme_p

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4627685 posted 4:15 am on Dec 4, 2013 (gmt 0)

Putting this in Foo because it does not seem to fit in anywhere else.

[samsclass.info ]

TL;DR version: A fairly large vendor leaves SQL injection vulnerabilities in about 100,000 websites. A security researcher notices, and alerts the vendor and a few of the largest affected sites. The vendor gets upset that the sites were notified. Researcher then finds out vulnerability was made public in 2010.

There have been no hacks of these websites.

So neither the vendor not their clients care about security, leave a vulnerability open for years and NOTHING HAPPENS.

 

Kendo

5+ Year Member



 
Msg#: 4627685 posted 11:55 pm on Dec 4, 2013 (gmt 0)

One of our data centers was contacted and sent a vulnerabilty test report on a client site. The data center took our server offline without contacting us... probably because they had not updated their contact details since we restructured. In fact our mail server became theirs when we migrated internet customers to their service so why didn't they have the new contact info on record.

Well they misread the report completely which was actually from tests using a vulnerability scanner and the sender's intention was to disrupt services provided to an online college in Malaysia.

It was nothing more than a report and if anyone has ever used such vulnerability software then they will know that no site passes those tests. Also, no sites on that server have ever been exploited.

Luckily we noticed the server offline and followed it up. But suffering references to our owned server as a "spammy service" by staff who cannot read properly or don't know the differenece between spam and SQL injection tests left us wanting to find an alternative data center.

So when one refers to "SQL injection vulnerabilities" and in the same breadth that "there have been no hacks of these websites"... just what is the fuss?

graeme_p

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4627685 posted 2:02 pm on Dec 5, 2013 (gmt 0)

This is rather different - the vulnerabilities did exist, and were easy to exploit.

Also, the data centre seems negligent in taking a server offline. All that happened in this case was that the site owners and the vendor were warned.

What puzzles me is why a vulnerability like this was not exploited.

Frank_Rizzo

WebmasterWorld Senior Member 10+ Year Member



 
Msg#: 4627685 posted 3:51 pm on Dec 5, 2013 (gmt 0)

How do you know they have not been exploited?

Just because no script kiddie has posted screen shots does not mean the site's data and code has not been taken.

East and West governments, spammers, identity theives, advertisers could have all be exploiting those sites and taking data.

A thief noticing an unlocked door, and an unlocked till with no security features will return again and again to take money from the till. He will not boast about it.

[edited by: Frank_Rizzo at 3:51 pm (utc) on Dec 5, 2013]

bwnbwn

WebmasterWorld Senior Member bwnbwn us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4627685 posted 3:51 pm on Dec 5, 2013 (gmt 0)

They may have been. Hackers are getting very sneaking in the way they try to infect a user now.
I was asked to look at a website to see why is had tanked.

It is an identify theft protection service.

Looking through the site all of a sudden I am alerted to a Trojan download. It seems the attacker has the download set to not download until a number of pages have been viewed, probably has the Google Bot blocked from the exploit and the owners IP as well blocked.

Now I have to run an scan to make sure noting got through, and reframe from any passwords etc until it is done.

graeme_p

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4627685 posted 1:55 pm on Dec 8, 2013 (gmt 0)

Good point - but I suspect a lot of site owners do not care if they cannot see the effects.

At any rate, no site owner seems have had a problem that bothered them - and over a 100,000 sites were left vulnerable for years.

piatkow

WebmasterWorld Senior Member piatkow us a WebmasterWorld Top Contributor of All Time 5+ Year Member



 
Msg#: 4627685 posted 6:15 pm on Dec 8, 2013 (gmt 0)


What puzzles me is why a vulnerability like this was not exploited.

Over 60 plus years of life I have left doors unlocked without being burgled on a few occasions. Vulnerabilities are not always exploited.

graeme_p

WebmasterWorld Senior Member 5+ Year Member



 
Msg#: 4627685 posted 6:47 am on Dec 9, 2013 (gmt 0)

Yes, but you did not leave the doors to 100,000 houses unlocked for several years, and publicise the fact!

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Local / Foo
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved