Articles about SQL Injection

Google sticks anti-SQL injection vaccine into MySQL MariaDB fork

Google is dropping encryption into MariaDB, the fork of Oracle’s MySQL, to help shut out SQL injection attacks. Mountain View is credited with developing and testing tablespace encryption in MariaDB Server 10.1 - the community edition of MariaDB. The development has been branded a "major enhancement" for MariaDB security by …
Gavin Clarke, 09 Apr 2015

Drupal SQL injection nasty leaves sites 'wide open' to attack

A newly patched SQL injection flaw in Drupal leaves sites that rely on the widely used web development platform wide open to attack. Admins of sites that run Drupal 7 should upgrade to 7.32 to guard against possible attack. Patching needs to take place sooner rather than later because the easy-to-exploit vulnerability hands …
John Leyden, 16 Oct 2014

Joomla issues upgrade to patch critical SQL vuln

Joomla's developers have moved to fix a critical SQL injection vulnerability – but are coming under fire for taking a month to address the issue. The version 3.2.3 update, available since late last week, is described by Joomla as fixing a high priority core SQL injection bug (along with two medium priority XSS bugs and an …
The Register breaking news

Ruby on Rails has SQL injection vuln

The maintainers of Ruby on Rails are warning of an SQL injection vulnerability which affects all versions of the popular Web framework. They advise that users should immediately apply an upgrade available here. Designated CVE-2012-5664, the maintainers explain the bug this way: “Due to the way dynamic finders in Active Record …

PayPal plugs SQL injection hole, tosses $3k to bug-hunter

PayPal has fixed a security bug that could have allowed hackers to compromise the payment website's databases using an SQL injection attack. Researchers at Vulnerability Laboratory earned a $3,000 reward for discovering and reporting the critical bug to PayPal in August. An advisory sent to the Full Disclosure security mailing …
John Leyden, 30 Jan 2013

E-shopkeepers stabbed with SQL needles 'twice' as much as other sites

Retailers suffer twice as many SQL injection attacks on their systems as other industries, according to a new study by data-centre security firm Imperva, which claims the ferocity of web-based assaults is growing. The fourth annual edition of Imperva's Web Application Attack Report [PDF] also revealed that e-shopping …
John Leyden, 23 Jul 2013

MySQL.com hacked via... SQL injection vuln

MySQL.com was hacked over the weekend via an attack which used a blind SQL injection exploit to pull off the pawnage. Hackers extracted usernames and password hashes from the site, which were subsequently posted to pastebin.com. Any easy-to-guess login credentials could readily be extracted from this data using rainbow tables to …
John Leyden, 28 Mar 2011

Joomla Helpdesk Pro remote code exec vulns lead to server pwnage

Outpost24 researcher Kasper Bertelsen has warned of several vulnerabilities in Joomla's Helpdesk Pro which can lead to remote code execution on servers. The Helpdesk Pro Joomla extension allows users to categorise and log support tickets with managers who receive notifications. eBay, Heathrow Airport and the High Court of …
Darren Pauli, 22 Jul 2015

Hackers pop submarine cable operator Pacnet, probe internal networks

Submarine cable and data centre operator Pacnet was breached last month by hackers rummaging through its corporate network, accessing emails and administration systems. Pacnet was recently acquired by Australia's Telstra, which today disclosed the breach of a "critical server" and is now informing customers and regulators about …
Darren Pauli, 20 May 2015

GhostShell back from the other side with mass data dump

The GhostShell hacker group is back in the headlines with more mass dumps of data from poorly-secured sites. While Symantec says there's no particular country or sector targeted in the latest campaign, the South China Morning Post says major Hong Kong universities are among the victims. “In keeping with its previous modus …

Possible Lizard Squad members claim hack of Oz travel insurer

Nearly 900,000 client records including names, addresses, and phone numbers have been stolen from travel insurer Aussie Travel Cover by a suspected member of the Lizard Squad hacking crew. The hacker released databases including those detailing customer policies and travel dates along with a list of partial credit card …
Darren Pauli, 20 Jan 2015

US National Vulnerability Database contained ... yup, an XSS vuln

The US National Vulnerability Database was itself left vulnerable to cross-site scripting last week. The NVD serves as a definitive source of information on CVE security flaws. The XSS vulnerability meant that a skilled hacker could present surfers with content from arbitrary third-party sites as if it came from the NVD itself …
John Leyden, 18 Jun 2015

Watchdog bites hotel booking site: Over 3k card details slurped

Hotel booking website Worldview Limited has been fined £7,500 over a security breach involving its website that allowed hackers to swipe the full payment card details of some 3,814 customers. Sensitive data was accessed after the unidentified attacker exploited a SQL injection flaw in Worldview website to access the firm's …
John Leyden, 05 Nov 2014

P0wned plug-in puts a million WordPress sites at risk of attack

Up to a million WordPress websites could be open to full compromise through a vulnerability in the WP-Slimstat plug-in, security bod Marc-Alexandre Montpas says. The weak key flaw can expose admin credentials; bad news for the folks who've downloaded the plug-in 1.3 million times. A patched version of the plug-in has been …
Darren Pauli, 26 Feb 2015

Cyber crims put feet up for Chrimbo: 2014's seasonal retail breaches fell

Shoppers flocked online for retail bargains during Black Friday and Cyber Monday 2014, but cyber criminals seemingly decided not to join the scrum. Despite a record-breaking surge in online shopping during late November’s online discount binge, cyber breaches actually fell, according to IBM. That’s the good news. The bad? …
Gavin Clarke, 07 Jan 2015

Most SAP HANA installs poppable with default keys, hacker says

ERPScan technology boss Alexander Polyakov says default security settings are exposing passwords and root keys in SAP HANA to external attackers. Attackers can use universal default keys to decrypt encrypted passwords used by the in-memory, column-oriented, relational database management system. Polyakov says administrators are …
Darren Pauli, 19 Jun 2015

LizaMoon mass-injection attack reaches epidemic proportions

Malware writers are using website vulnerabilities to inject malicious scripts into thousands of websites as part of an ambitious attack ultimately designed to redirect surfers to a site pimping rogue anti-virus packages. The so-called LizaMoon mass-injection attack uses SQL injection trickery to inject a line of malicious code …
John Leyden, 31 Mar 2011

Mass SQL injection hits English language websites

Thousands of websites in China have been booby-trapped with code written to download Trojan software onto the vulnerable Windows PCs of visitors. Unlike earlier rounds of SQL injection attacks, the latest assaults mostly target English language sites (predominantly sites hosted in China but with a .com suffix) and purposefully …
John Leyden, 21 May 2008

No secret to stopping XSS and SQL injection attacks

SQL injection attacks and cross-site scripting exploits just won't die. The most recent and high-profile incident was a mass webpage attack on more than 100,000 pages, which included victims as diverse as The Wall Street Journal, TomTom, and the UK's Strathclyde police. There was a teetering stack of exploits involved in this …
Matt Stephens, 23 Jun 2010

DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned

Drupal websites that had not patched within seven hours of the disclosure of a "highly critical" SQL injection (SQLi) hole on 15 October are essentially hosed, the content management tool's developers say. Attacks against the vulnerability (CVE-2014-3704) in version seven of the content management system began "hours" …
Darren Pauli, 30 Oct 2014

SQL injection taints BusinessWeek.com

Add BusinessWeek.com to the list of big-name sites felled by the mighty SQL injection attack. According to Sophos, the business news site has been infected with attack code that since sometime last week has been trying to install malware on the machines of those who visit the site. The attack affected hundreds of BusinessWeek. …
Dan Goodin, 16 Sep 2008

Next-gen SQL injection opens server door

A vulnerability estimated to affect more than 1 in 10 websites could go lethal with the finding that it can be used to reliably take complete control of the site's underlying server. Research to be presented at the Black Hat security conference in Amsterdam later this month will show how so-called SQL injection attacks open the …
Dan Goodin, 02 Apr 2009

2,285,295 Aussie logins nabbed in Russian password haul

More than two million unique login credentials for Australian internet users were stolen as part of the massive haul of 1.2 billion passwords by a Russian hacker outfit. Earlier this month Hold Security reported that Russian hackers under the group dubbed CyberVors amassed the largest ever cache of stolen website passwords …
Darren Pauli, 11 Aug 2014

BlackHat talk hibernated over 0-day in SAP's Afaria mobile manager

Updated Alexander Polyakov has been forced to withdraw a talk detailing dangerous vulnerabilities in SAP's mobile device management product Afaria, scheduled to be given at BlackHat Asia Pacific this week. The prolific SAP hacker and chief technology officer of ERPScan says his talk was scuppered after SAP failed to patch the …
Darren Pauli, 24 Mar 2015

Microsoft and HP tackle SQL-injection scourge

With successful attacks against websites reaching epidemic levels, Microsoft and HP have released a free set of tools that help developers check their web applications for the mistakes that leave them open to exploits that can steal sensitive information and harm visitors. The tools are designed to scan websites for …
Dan Goodin, 26 Jun 2008

FireEye patches OS, torpedoes Exploit-DB disclosure

FireEye has patched a series of publicly-disclosed flaws in its operating system (FEOS) that facilitated man-in-the-middle attacks and command injection. The vulnerabilities released over June affected versions NX, EX, AX, FX, and CM of the FEOS and were patched in the first individual security bulletin for the system. The …
Darren Pauli, 10 Jul 2014

Bogus Firefox add-on FORCES WITLESS USERS to join vuln-hunting party

Cybercrooks have brewed up a botnet that uses a bogus Firefox add-on to scan the web for hackable websites. The so-called Advanced Power botnet runs SQL injection attacks on websites visited from infected machines. The malware, disguised as a legitimate add-on for Mozilla Firefox, found its way onto 12,500 systems, reports …
John Leyden, 17 Dec 2013

Symantec data centre security software has security holes

Security bod Stefan Viehböck has detailed holes in Symantec's data centre security platforms that the company plugged this week because they allowed hackers to gain privileged access to management servers. The patches fix holes in the management server for Symantec Critical System Protection (SCSP) 5.2.9 and its predecessor Data …
Darren Pauli, 23 Jan 2015

I saved Pinterest's business and all I have to show for it is a t-shirt

Pinterest is gearing up a bug bounty programme which will pay security researchers to plug holes in the popular kittens'n'cupcakes site. The programme today launched in an early phase where researchers could report bugs through managed bounty service BugCrowd although cash rewards are not yet on offer. The digital scrapbook has …
Darren Pauli, 28 May 2014

Lauri Love investigation stretches to Australia, Sweden

Following the arrest of Lauri Love of Suffolk on charges that he gained unauthorised access to US government computers, it's emerged that he was working with co-conspirators in Australia and Sweden. According to the charges reported here yesterday, Love's twelve-month hacking spree included machines belonging to the US Army, …

Drupalgeddon megaflaw raises questions over CMS bods' crisis mgmt

The security world has been shocked to its foundations following ominous warnings that millions of Drupal websites that didn't apply a critical patch within hours of its release earlier this month should be regarded as hopelessly compromised. The maintainers of the Drupal content management system warned users that “automated …
John Leyden, 03 Nov 2014

Hacker crew nicks '1.2 billion passwords' – but WHERE did they all come from?

Updated Russian hackers have amassed the largest ever cache of stolen website passwords – 1.2 billion, it's claimed – by swiping, one way or another, sensitive data from poorly secured databases. A network of computers quietly hijacked by malware, and controlled from afar by the gang, identified more than 420,000 websites vulnerable to …
Darren Pauli, 05 Aug 2014

Google launches hacker game to train bug 'mercenaries'

Google wants to bring new blood into the security bug hunter community with a game launched to test developers' knowledge of cross-site scripting (XSS) vulnerabilities. The XSS Game puts devs through six levels of increasing complexity that require successful attacks against mock vulnerable web applications. "The game is …
Darren Pauli, 30 May 2014

Racing Post escapes ICO fine after leaking info of 677K punters

UK sports-betting newspaper the Racing Post has received a stern warning – but not a fine – after it emerged that it had aired the private details of more than 677,000 customers as the result of a security breach last year. The October 2013 snafu resulted in the exposure of the names, addresses, passwords, dates of birth and …
John Leyden, 28 Aug 2014

Energy sector under increasing attack: DHS

The Department of Homeland Security, via its ICS-CERT group, is reporting growing attacks against critical infrastructure with the energy sector leading the way. Its most recent ICS-CERT Monitor report states that of more than 200 incidents it investigated between October 2012 and May 2013, 53 percent were in the energy sector. …

Did hackers scoop source code from DayZ zombie game brains?

It's feared source code for the apocalyptic zombie game DayZ may have fallen into the hands of hackers after an alleged security breach at publisher Bohemia Interactive. Someone called DrWhat, apparently based in the UK, appears to have uploaded debugging data for the game's executable – specifically a program database file (PDB …
Darren Pauli, 13 May 2014

Symantec dismisses blind SQL hack claims

Symantec's website has been given the once-over by the same Romanian hacking group that exposed security problems with websites run by Kaspersky Lab, F-Secure and Bitdefender earlier this month. The hacker, Uno, claims that the document download centre section on Symantec's European site is vulnerable to a blind SQL Injection …
John Leyden, 20 Feb 2009

Microsoft rejects call to fix SQL password-exposure risk

Microsoft is butting heads with a company that provides software for database security over a weakness in SQL Server that can expose user passwords to anyone with administrative access to the program. Researchers at San Mateo, California-based Sentrigo warned Wednesday that the "significant vulnerability" is present in the 2000 …
Dan Goodin, 02 Sep 2009

80 PER CENT of app devs SUCK at securing your data, study finds

Developers are experts in spinning wonderfully shiny, horribly insecure apps, according to research from Aspect Security. Social media meeting buttons and go-live dates rate far higher with app developers than the need to ensure the security of private data. Worse, devs couldn't secure apps if they wanted to, according to the …
Darren Pauli, 23 Sep 2014

Under the microscope: The bug that caught PayPal with its pants down

Security researchers have published a more complete rundown of a recently patched SQL injection flaw on PayPal's website. The Vulnerability Laboratory research team received a $3,000 reward after discovering a remote SQL injection web vulnerability in the official PayPal GP+ Web Application Service. The critical flaw, which …
John Leyden, 15 Apr 2013

Xbox hackers snared US ARMY APACHE GUNSHIP ware - Feds

Hackers from the US, Canada and Australia have been arrested over a sting that took in the US Army, gaming companies and Microsoft. The Department of Justice accuses the alleged perps of copying software worth more than US$100m. The thieves pinched data and source code relating to then unreleased titles Call of Duty Modern …
Darren Pauli, 01 Oct 2014

Web protection: A flu mask for the internet

The internet is no longer optional for organisations. It is where business lives. Unfortunately, it is also probably the worst neighbourhood on the planet, filled with cybercriminals, hacktivists, and corporate and state spies. And the internet is both the largest and the smallest neighbourhood. All of these people live just …
Robin Birtstone, 09 Mar 2015

Gang behind '1.2 billion' megahack ransack is pwning our customers – hosting firm

Anecdotal evidence is emerging that the Russian botnet raiders behind the "biggest-ever" password theft have begun attacks against web services using stolen login credentials. The CyberVor gang is reported to have amassed a vast stockpile of compromised login credentials for "1.2 billion" accounts, Hold Security warned in August …
John Leyden, 02 Sep 2014

In dot we trust: If you keep to this 124-page security rulebook, you can own yourname.trust

NCC Group has published a set of security standards that you'll have to follow if you want to operate a .trust website. The company owns the rights to sell dot-trusts, and uploaded the 124-page policy document [PDF] earlier this month. It provides a technical rundown covering network security to secure DNS settings, and NCC …
Kieren McCarthy, 22 Oct 2014

Security seals clobbered ahead of Black Friday bonanza

This Black Friday, beware the shop with the security seal: researchers have shown that issuers of common good webkeeping seals of approval sometimes miss basic flaws, happily certify phishing sites and inadvertently function as a hackers' black book of vulnerable sites. The research examined the effectiveness of the top 10 …
Darren Pauli, 26 Nov 2014

Spy platform zero day exposes cops' wiretapped calls

National security boosters have just taken a kick to the ego, with revelations that hackers can access exactly the kind of wiretap kit they believe should be deployed in every ISP and telco around the world. The zero-day that's turned up in kit from New Jersey outfit NICE would give attackers access to wiretapped voice …
Darren Pauli, 29 May 2014

Don't count on antivirus software alone to keep your data safe

TJX hacking mastermind Albert Gonzalez scoffed at antivirus tools. He and his cohorts wrote malware specifically designed to evade their detection. One can imagine him laughing as his team of hackers broke into corporate networks using SQL injection attacks and gained administrative access. Then he probably guffawed, Bond …
Robin Birtstone, 09 Feb 2015

UK man Lauri Love accused of hacking US Federal Reserve

The US government has laid more hacking charges against a Brit alleged to have hacked into the US Federal Reserve. Lauri Love, 28, of Stradishall, Suffolk, is charged with one count of computer hacking and a further charge of aggravated identity theft over an alleged attack on Federal Reserve computer systems between October …
John Leyden, 28 Feb 2014

Signatures no good at protecting databases, says Juniper

One of the most common forms of attack is the SQL injection, and although the vector is ancient and well-understood, it's notoriously difficult to defend against. Kevin Kennedy, senior director of product management for Juniper Networks' security business unit, is in Australia to demonstrate Juniper's latest shot at defeating …

They didn't predict that: Astrologers! blamed! after! Yahoo! hack!

Weaknesses in cloud security and third-party code allowed a hacker to compromise Yahoo! systems last month, according to an analysis of the purported breach. In December, an Egyptian nicknamed ViruS_HimA claimed he cracked the web giant's security systems, acquired full access to 12 databases and broke into an unspecified server …
John Leyden, 29 Jan 2013