Articles about Sql Injection

WordPress admin? Thinking of spending time with the family? Think again

The Dutch hacking community's Summer of Pwnage (SoP) has disclosed three vulnerabilities in WordPress plugins, including an XSS in the popular Ninja Forms. Since Ninja Forms claims more than 600,000 users, we'll start there: the now-fixed reflected XSS bug allows attackers to inject malicious JavaScript into the victim's …

Ubuntu forums hacked

Ubuntu maker Canonical says that its Linux distro's user forums have been hacked, and the usernames, IP addresses, and email addresses of roughly 2 million users have been swiped. Canonical CEO Jane Silber said no passwords were taken via an SQL injection attack, and that the miscreants did not appear to have accessed any …
Shaun Nichols, 15 Jul 2016

700,000 Muslim Match dating site private messages leaked online

Hackers have leaked the personal details of 150,000 users of the Muslim Match website after breaking into the niche dating portal. Almost 150,000 user credentials and profiles, as well as more than 700,000 private messages between users, were posted online. "These private messages cover a range of subjects from religious …
John Leyden, 01 Jul 2016

Riverbed's NetProfiler, NetExpress virty appliances patched

Riverbed has pushed out an update to virtual security appliances, after Security-Assessment warned it they had multiple vulnerabilities. The report details SQL injection, command injection, privilege escalation, local file inclusion, cross-site scripting, account hijacks and hard-coded credentials affecting two Riverbed virtual …

Telco bosses' salaries must take heat for cyber attacks, says MPs' TalkTalk enquiry

A Parliamentary inquiry into the TalkTalk hack has said that telco CEOs' salaries should be garnished if their firms' cyber security practices are lacking. The report by the Culture, Media and Sport Committee, titled Cyber Security: Protection of Personal Data Online was initiated last November as “an inquiry into cyber- …

Patch Joomla SecurityCheck

If you use the SecurityCheck security plug-in for Joomla, it's time for an upgrade. The ADEO Security Team posted cross-site scripting (XSS) and SQL injection vulnerabilities (with proof-of-concept) to Full Disclosure. Both of the vulnerabilities are only exploitable when the admin is logged into a Joomla site. The XSS …

Oracle eBusiness Suite has 'huge, massive, ginormous' pwn surface

Auscert Oracle has a 'huge, massive, ginormous' attack surface, according to one prolific and proven researcher who reckoned he gave up looking because there are too many vulns. The security tester (who requested anonymity because his presentation wasn't approved by his employer) for one of the biggest tech firms found 50 …
Darren Pauli, 01 Jun 2016

IBM warns of 'bug poachers' who exploit holes, steal info, demand big bucks

At least 30 companies have been hit in the past year by so-called "bug poaching," where hackers break into corporate servers, steal data, and then demand a fee for showing how it was done. The technique, spotted by IBM's Managed Security Services researchers, involves miscreants breaking into a corp's servers, typically using …
Iain Thomson, 01 Jun 2016

Insider trading hacker pleads guilty to p0wning press releases

A Ukrainian ne'er-do-well who broke into market computers for an insider trading scheme has entered a guilty plea in the US. The 28-year-old, Vadym Iermolovych, has put his hands up to three charges – conspiracy to commit wire fraud, conspiracy to commit computer hacking, and aggravated identity theft. The US Department of …

YouTube skiddie busted for hacking Country Liberal Party

A man from the Australian state of Victoria has been charged after stealing, using, and publishing credit cards of political party members using basic tricks he learned from YouTube. Aaron Warren Camm, 20, of Kangaroo Flat, learnt how to use the skiddie tool Havij to launch SQL injection attacks and applied the lessons in …
Darren Pauli, 16 May 2016

Hackers tear shreds off Verizon's data breach report top 10 bug list

Information security boffins have pilloried Verizon's latest data breach report, suggesting its list of top security vulnerabilities does not represent reality. The 2016 Data Breach Investigations report [PDF] is Verizon's ninth in the series, drawing on a wider pool of data including some 100,000 security incidents and 2260 data …
Darren Pauli, 12 May 2016

Researcher arrested after reporting pwnage hole in elections site

Vanguard Cybersecurity man David Levin was arrested after exploiting and disclosing SQL injection vulnerabilities that revealed admin credentials in the Lee County state elections website. The Florida Department of Law Enforcement says the 31-year-old Estero man hacked into Lee County state elections website on 19 December. …
Darren Pauli, 09 May 2016

MIT launches campus lunch bug bounty

The Massachusetts Institute of Technology has joined the growing number of large organisations and agencies to offer a bug bounty. The program is in an experimental phase and is open to current MIT students and affiliates, and includes a limited number of domains. Those submitting severe bugs will have money dropped into MIT …
Darren Pauli, 26 Apr 2016

'I hacked Facebook – and found someone had beaten me to it'

A bug bounty hunter compromises a Facebook staff server through a sloppy file-sharing webapp – and finds someone's already beaten him to it by backdooring the machine. The pseudo-anonymous penetration tester Orange Tsai, who works for Taiwan-based outfit Devcore, banked $10,000 from Facebook in February for successfully …
Chris Williams, 22 Apr 2016

SQL injection vuln found at Panama Papers firm Mossack Fonseca

Grey hat security researchers have discovered new flaws in the systems of Panama leak firm Mossack Fonseca. A self-styled “underground researcher” claims to have found a SQL injection flaw on one of the corporate systems of the Panamanian lawyers. “They updated the new payment CMS, but forgot to lock the directory /onion/,” …
John Leyden, 11 Apr 2016

Water treatment plant hacked, chemical mix changed for tap supplies

Hackers infiltrated a water utility’s control system and changed the levels of chemicals being used to treat tap water, we're told. The cyber-attack is documented in this month’s IT security breach report (available here, registration required) from Verizon Security Solutions. The utility in question is referred to using a …
John Leyden, 24 Mar 2016

Symantec warns of serious security holes – in Symantec security kit

Symantec is advising users of its Endpoint Protection (SEP) software to update their systems, after three vulnerabilities were reported in the computer defense tools. Two of the bugs – a cross-site scripting (XSS) flaw, and a SQL injection vulnerability – are in the SEP Management Console, a web-based portal you can log into …
Shaun Nichols, 18 Mar 2016

Is this Romanian man really 'GhostShell'? If so, he risks arrest

Members of the security community are nonplussed by claims that a Romanian hacker “GhostShell” has seemingly risked arrest by doxxing himself in a bid to get a job in information security. The man claiming to be a one-time Anonymous-affiliated hacktivist avoided identification and arrest for four years before apparently outing …
John Leyden, 15 Mar 2016

You know how we're all supposed to automate now? Dark web devs were listening

RSA 2016 Security researchers have thrown the spotlight on a popular cybercrime tool that’s used by crooks to automate the process of taking over accounts on major websites before making fraudulent purchases. Sentry MBA, which is readily available for purchase on the so-called dark web, offers a way to break into accounts via a point- …
John Leyden, 02 Mar 2016

You're a cybercrime kingpin. You need a new evil lackey. How much do you tell them?

RSA 2016 Cybercrooks, much like ethical security defenders, are facing a skills crisis and difficulties in recruiting qualified staff. Their attempts to bring workers into criminal organisations leave it possible for experts to learn more about their strategies and tactics, according to new research from threat intelligence firm Digital …
John Leyden, 01 Mar 2016

'I bet Russian hackers weren't expecting their target to suck so epically hard as this'

Line Break Welcome back to Line Break, our weekly column of terrible code our readers have encountered in the wild. So far we've featured astonishingly brain-dead designs in production and amusing code from yesteryear machines. Our emphasis has been on learning through others' mistakes while also brightening drab Wednesday mornings with …
Chris Williams, 24 Feb 2016

Cricket can get nasty: India v Pakistan rivalry boils over into cyber-war

The continuing rivalry between India and Pakistan has spilled over into cyberspace, with activity peaking around nationalist holidays and sports fixtures. A study of recent real-world events and hacktivist operations by threat intelligence firm Recorded Future highlights the varied motives behind online malfeasance. Events …
John Leyden, 11 Feb 2016

Russian ATM-popping gang used nation state cybercrook tactics

Cybercrooks are increasingly adopting tactics from more advanced hackers in order to steal millions of dollars from banks and other financial institutions. The first of the two cybercrime groups, dubbed Metel, is mostly active in Russia. The group’s typical modus operandi involves gaining control over machines inside a bank …
John Leyden, 09 Feb 2016

Security? We haven't heard of it, says hacker magnet VTech

Insecure kiddie-IoT-tat merchant VTech has decided its insecurity is its users' fault. As noted by developer-blogger Troy Hunt, VTech has updated its terms and conditions after its brain-dead security practices led to the leaking of its customers' personal information. In particular, Hunt notes, there's this: YOU ACKNOWLEDGE …

Asda slammed for letting vulns fester on its cyber shelves

Supermarket chain Asda has come under fire for sitting on a potentially serious set of web vulnerabilities on its website for almost two years. As first reported by The Register on Monday, UK security consultant Paul Moore warned Asda about a shopping list of online vulnerabilities in March 2014. Asda upped the grade of its …
John Leyden, 21 Jan 2016

Shop online at Asda? Website vuln created account hijack risk

Updated Retailer Asda dragged its heels for nearly two years before finally this week tackling a set of security vulnerabilities reported to it by a UK consultant. Asda has acknowledged the flaws – which Paul Moore, who discovered them, argues offer up an account hijack risk – but played down their significance. Moore told El Reg …
John Leyden, 19 Jan 2016

Drupal uncrosses fingers, promises secured patching

Drupal is switching to secured channels for updating its content management system, after IOActive security bod Fernando Arnaboldi reported it sought patches in the clear. More than a million sites use the popular content management system, making it a significant target for hackers. The vulnerabilities are not earth- …
Darren Pauli, 12 Jan 2016

Say oops, UPSERT your head: PostgreSQL version 9.5 has landed

PostgreSQL has pitched its latest release with a cheeky dig at MySQL as a "legacy" database. Version 9.5 of PostgreSQL adds a feature called UPSERT – INSERT, ON CONFLICT UPDATE – which it says removes the last barrier for MySQL users to migrate. The feature targets web and mobile environments, by handling conflicts between …

'You're updated!' Drupal says, with fingers crossed behind back

Drupal installations could be out of date and open to attack thanks to a borked update process that flags unpatched platforms as current. The popular content management system is used by more than a million sites making it a significant target for hackers. Indeed, in October 2014 attackers took mere hours to compromise untold …
Darren Pauli, 07 Jan 2016

Hacktivist pranksters stick it to the European Space Agency

Elements of Anonymous have taken time off from fighting adherents of Daesh (the so-called Islamic State) and trolling Donald Trump to attack the European Space Agency. Hacktivists dumped a schema of the ESA website (esa.int), along with data about registered users, collaborators, and subscribers, after hacking into the space …
John Leyden, 15 Dec 2015

Infosec bods rate app languages; find Java 'king', put PHP in bin

Java applications have been found to have many fewer common vulnerabilities than those coded using web scripting languages. Less than a quarter of Java apps sport SQL injection vulnerabilities, compared to more than three quarters of those written in PHP. So says Veracode's new State of Software Security report (PDF …
Darren Pauli, 04 Dec 2015

Mr Grey, the Russian hacker who helped haul in 1.2 billion logins

The FBI has linked a hacker said to be in part behind the plundering of 1.2 billion credentials from some 420,000 websites to the handle "Mr Grey". The hack, as reported by The Register, could be one of the biggest data theft hauls in history. The US agency linked the hacker to the handle using open source data including email …
Darren Pauli, 27 Nov 2015

Mixing ERP and production systems: Oil industry at risk, say infosec bods

Black Hat Europe Hackers might be able to bridge the gap between supposedly air-gapped systems in oil and gas production by pivoting from enterprise planning onto production systems. Vulnerabilities and insecure installations in SAP business software and other enterprise systems might be used to interfere with loosely-coupled but nonetheless …
John Leyden, 18 Nov 2015

TalkTalk hired BAE Systems' infosec bods before THAT hack

Contrary to suggestions that TalkTalk hired BAE Systems to shore up its security after the much-publicised hack in October, the telco had actually been outsourcing its security operations centre to BAE since June – and previously told investors it had "completed" a security audit. In its annual report, published in June, …

NoSQL: Injection vaccination for a new generation

We are becoming more and more accustomed to reading about losses of online data through malicious hack attacks, accidents, and downright carelessness – it’s almost as if we don’t know how to secure data against the most common forms of attack. Of course, that isn’t really true as best practice, legislation, and education on …
Andrew Cobley, 13 Nov 2015

Password reset invoked after vBulletin.com forum software site defaced

The official website of vBulletin.com forum software has hit the big red password reset following a breach by hackers that exposed the IDs of hundreds of thousands of users. A hacker claimed they had made off with a combined 480,000 records after an attack that led to the defacement of vBulletin.com and a reported hack …
John Leyden, 03 Nov 2015

Here's how TalkTalk ducked and dived over THAT gigantic hack

Timeline It has been almost two weeks since the "cyber attack" on the TalkTalk website of 21 October, yet the company is yet to tell its customers how their data was compromised. TalkTalk's CEO Dido Harding has yet to offer anything more than a token apology regarding the company's security practices, which allowed more than a million …

TalkTalk attack: Lad, 15, cuffed by UK cyber-cops

A 15-year-old boy has been arrested by police probing the hacking of Brit ISP TalkTalk. The internet provider admitted on Thursday last week that someone had waged "a significant and sustained cyberattack," upon its website, and potentially swiped copies of sensitive information on four million subscribers. This info could …
Chris Williams, 26 Oct 2015

Further confusion at TalkTalk claims it was hit by 'sequential attack'

TalkTalk is continuing to confuse experts with its latest assessment of the root cause of a high profile breach on its systems last week, which may have exposed the details, including bank information, of up to four million customers. The under-fire telco is saying that it has become the victim of a “sequential attack” when …
John Leyden, 26 Oct 2015

Joomla patches critical core shop-pwning flaw

Popular content management system (CMS) Joomla has pushed three patches, including a critical fix for SQL injection vulnerabilities that allow attackers to become admins on most customer websites. The team issued fix 3.4.5 addressing the SQLi vulnerabilities (CVE-2015-7297, CVE-2015-7857, CVE-2015-7858) which exist in version …
Darren Pauli, 23 Oct 2015

Now it's the security industry's turn to be burned by cloud

Amazon has launched a web application firewall to help customers guard against common web exploits. The web attic touts the service as a means to ink custom rules to block attack patterns like SQL injection and cross-site scripting, and offers the ability to quickly deploy application rules. Rules can be set based on IP …
Team Register, 07 Oct 2015

Insult to injury: Researcher remote pwns RAT of cuffed FireEye VXer

Derbycon: PhishMe researcher Paul Burbage has added insult to injury for a former FireEye intern cum arrested VXer by showcasing how to thoroughly pwn his remote access trojan. The Dendroid RAT sold for $300 on defunct hacker forum Darkode, which was scuppered in international federal police raids in which author Morgan …
Darren Pauli, 28 Sep 2015

Heartland hack: Russian bloke coughs to role in 160m credit card theft

The US Department of Justice says a Russian national, Vladimir Drinkman, has just coughed to being part of a ring that compromised as many as 160 million credit cards two years ago. Drinkman was one of five people charged in 2013 over the mass breach, in which they breached card security at names like NASDAQ, 7-Eleven, and Dow …

Jailbreaking pirates popped in world's largest iCloud raid – 225,000 accounts hit

The largest Apple iCloud raid in history has seen nearly a quarter of a million accounts compromised by malware targeting app pirates. The hack spree, affecting at least 225,000 valid Apple cloud accounts, is hitting jailbroken iThings – devices that have had Cupertino's strict device security controls bypassed and disabled. …
Darren Pauli, 31 Aug 2015

The Onion Router is being cut up and making security pros cry

IBM is warning corporates to start blocking TOR services from their networks, citing rising use of the encrypted network to deliver payloads like ransomware. The advice comes in the company's latest X-Force research team report (PDF). IBM claims there were around 180,000 malicious traffic “events” in the USA between January 1 …

Salesforce plugs silly website XSS hole, hopes nobody spotted it

A cross-site scripting (XSS) vulnerability on Salesforce's website might have been abused to pimp phishing attacks or hijack user accounts. Fortunately the bug has been resolved, apparently before it caused any harm. Cloud app and security firm Elastica said the issue affected a Salesforce sub-domain – admin.salesforce.com …
John Leyden, 14 Aug 2015

SEC: Ukrainian hackers' investment fraud ring raked in millions in 'unprecedented' hack

Analysis The computer hacking and securities fraud ring that was broken up by US authorities this week was "one of the most intricate and sophisticated trading rings that we have ever seen," the US Securities and Exchange Commission has said. Some 32 people were charged on Monday with offenses related to the scheme, which the SEC …
Neil McAllister, 14 Aug 2015

Wordpress issues second urgent patch in two weeks

Weary Wordpress worker-bees are being asked to hit the "Update" button again. Just a couple of weeks after an XSS vulnerability forced a July 24th call to upgrade to Wordpress 4.2.3, a handy collection of vulns mean it's time to run in version 4.2.4. At least Wordpress has an easy upgrade mechanism. The new vulnerabilities …

Joomla Helpdesk Pro remote code exec vulns lead to server pwnage

Outpost24 researcher Kasper Bertelsen has warned of several vulnerabilities in Joomla's Helpdesk Pro which can lead to remote code execution on servers. The Helpdesk Pro Joomla extension allows users to categorise and log support tickets with managers who receive notifications. eBay, Heathrow Airport and the High Court of …
Darren Pauli, 22 Jul 2015

GhostShell back from the other side with mass data dump

The GhostShell hacker group is back in the headlines with more mass dumps of data from poorly-secured sites. While Symantec says there's no particular country or sector targeted in the latest campaign, the South China Morning Post says major Hong Kong universities are among the victims. “In keeping with its previous modus …