Saturday, 5 December 2009

The prestigious Wall Street Journal exposes CEO members' passwords in plaintext

Business News & Financial News – The Wall Street Journal: traffic rank 88 in the U.S., by Alexa.
“WSJ online coverage of breaking news and current headlines from the U.S. and around the world. Top stories, photos, videos, detailed analysis” …and a big SQL injection. A badly secured parameter allows access to the databases on the server.
In the first picture we can see the MySQL server version, the available databases, and a very serious mistake. Not only is the website vulnerable to SQL injection, it also allows load_file to be executed, which makes it far more dangerous: with a little patience a writable directory can be found, malicious code can be injected, and command-line access obtained, with which virtually anything can be done to the website: uploading PHP shells, redirects, infecting pages with trojan droppers, even defacing the whole site.

In the second picture we see a more serious problem. One of the users (ffi2009uk) has % as its host and NOTHING as its password. This means that from any IP we can connect to the MySQL server on that account without any password. Unbelievable!!!

In the next picture we have the personal data, addresses and phone numbers of members of the press.

In the penultimate picture we can see how the CEO members' passwords are stored in clear text!!! The list of members whose passwords have been exposed is diverse, ranging from presidents and executives of corporations to senators.

Nor are we surprised that even the Admin password, the master account, is stored in clear text!!!
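The three findings above (input concatenated into SQL, a MySQL account reachable from any host with no password, and clear-text password storage) side by side with their fixes, as an added example that is not part of the original post. Everything below is constructed: the SQLite stand-in table and the sample mysql.user rows are assumptions, since the site's real schema is not shown.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed stand-in for the site's member table (assumption: the real
# schema is unknown); SQLite is used here, the lesson applies to MySQL.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def lookup_vulnerable(conn, name):
    """The defect behind the post: request input pasted into the SQL text."""
    sql = "SELECT name FROM members WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    """Bound parameter: the input is always data, never parsed as SQL."""
    sql = "SELECT name FROM members WHERE name = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name,))]

# Second finding: audit account rows for wildcard hosts, empty passwords and
# the FILE privilege that LOAD_FILE depends on. Row shape is
# (User, Host, Password, File_priv), as in the 2009-era mysql.user table.
def audit_mysql_users(rows):
    findings = []
    for user, host, password, file_priv in rows:
        if host == "%":
            findings.append((user, "login allowed from any host"))
        if password == "":
            findings.append((user, "empty password"))
        if file_priv == "Y":
            findings.append((user, "FILE privilege granted"))
    return findings

# Third finding: store a salted, slow hash instead of the clear-text password.
def hash_password(password, salt=None, rounds=200_000):
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return "%s$%d$%s" % (salt.hex(), rounds, digest.hex())

def verify_password(password, stored):
    salt_hex, rounds, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Running `audit_mysql_users` over a real `SELECT User, Host, Password, File_priv FROM mysql.user` result would have flagged the ffi2009uk account on both counts the post describes.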

1 comment:

Anonymous wrote...

It's the first time I have heard that in Macedonia, obits are an unusual observe. You have wonderfully written the post. I have liked your way of writing this. Thanks for sharing this.