Database

IXXO Cart! Standalone and Joomla Component SQL Injection

Re: IXXO Cart! Standalone and Joomla Component SQL Injection

Posted by YEHG Group on Jul 26

Thanks, I’ll update the database of

http://www.owasp.org/index.php/Category:OWASP_Joomla_Vulnerability_Scanner_Project

On Sat, Jul 25, 2009 at 3:57 PM, SmOk3<smok3f00_at_gmail.com> wrote:

> Original advisory at:

> …

URL: http://seclists.org/fulldisclosure/2009/Jul/0394.html

Ca: Police can keep, share records, even after charges dropped: Court

The Ontario Court of Appeal has ruled that police are entitled to keep information on databases about charges that have been withdrawn against individuals and also share these records with other agencies.

The decision, released Thursday, overturned a lower-court ruling that concluded that Peel Regional Police should not have disclosed information about M.T. (identity withheld) to Toronto police.

Source – The Gazette

URL: http://www.pogowasright.org/article.php?story=20090528114723110

Ca: Police Vetted Jury Pool For Crown

Police forces in Barrie, Ont., and the surrounding region have been conducting background checks of potential jurors without their knowledge for several years at the request of the Ministry of the Attorney-General, according to documents obtained by the National Post.

Confidential police databases were searched to see if people had a criminal record, were ever charged with an offence or had dealings with the mental health system. The searches were part of a Crown practice to weed out what they considered “disreputable persons” for the jury pool.

Source – National Post

URL: http://www.pogowasright.org/article.php?story=20090525071527893

Wendy Murphy: Convicts shouldn’t expect privacy rights

The ACLU in Massachusetts has been scaring people with a fear-mongering claim that cops are violating Criminal Offender Record Information laws by searching through the state’s criminal records database to see whether certain celebrities have rap sheets. They’re using the story to gain support for a proposed amendment to CORI that will provide even more privacy protections for criminal records.

Gov. Patrick wants tighter CORI laws, too. Yet neither Patrick nor the ACLU can explain why a person convicted of a crime should expect to have any “privacy” rights. Maybe this is because there is no rational way to attach the word “privacy” to criminal conduct – which is why most states don’t have CORI laws.

Source – Wendy Murphy, on Enterprise News

URL: http://www.pogowasright.org/article.php?story=20090524182852352

Why Security Isn’t A Solo Act

High technology’s biggest bet these days is on “cloud computing,” namely massive data centers running databases and application software across networks for businesses, consumers and some combination of the two. The idea is that the shared systems can scale up savings, transactions and innovation faster than ever.

Less talked about, however, is the prospect of scaled-up security risks. Already malicious hackers routinely make their way into individual servers and systems, scoring financial information or dropping company-crippling malware. Harnessing their own ad-hoc super networks of “enslaved” personal computers attached to the Internet, they spam, steal and spoof honest businesses, costing them billions annually, with no sign of letting up.

How can this be fixed? According to one of the computer security software industry’s most senior executives, the answer is to destroy security as a stand-alone business.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31365

(GET var 'id') BLIND SQL INJECTION EXPLOIT – Dog Pedigree Online Database v1.0.1-Beta


Advanced blind SQL injection (with Oracle examples), (Tue, May 19th)

Quite often developers ask me whether they should put controls on every single parameter they receive from users of their web application. My answer is, of course, yes. A couple of weeks ago I worked on a penetration test where we exploited a blind SQL injection vulnerability in a web application that used Oracle as the backend database.

The vulnerability was not easy to exploit due to extensive use of stored procedures, but with some clever SQL hacking I managed to retrieve everything from the database. Since I haven’t seen a lot of papers about this, I thought it would be a good idea to write a diary about it, so here we go.

Environment

First, we will define our test environment so you can see how to exploit it. In our test environment, the developer receives one parameter. We’ll call it event and it can have two possible values, true or false. When called, it is used like this:

http://10.10.10.10/application.php?event=true

or

http://10.10.10.10/application.php?event=false

Now let’s see how this can be exploited through some advanced SQL injection.

The simplest test is to enter a ' character in the parameter (event=true'). As we are dealing with SQL injection, this will make the SQL statement syntactically incorrect, in which case the application just prints a message that a database error occurred (no SQL is visible).

However, depending on the parameter (true, false or something else), the application produces different output, and that lets us see what is going on behind the scenes. In other words, if the parameter is true the output will differ from the case when the parameter is abcd (or false). This is the basis of blind SQL injection: we want to distinguish between the outcomes of various SQL statements, which in turn lets us deduce the content of the database.

In typical blind SQL injection examples a timed delay is added and the attacker observes how long the query takes to execute. In this case that was not possible, because I was dealing with stored procedures and some web application firewalls that prevented me from using UNION statements. But that doesn’t mean it’s game over.

Exploitation

As I didn’t know exactly how the stored procedure was called or what the backend database was, the easiest way to find out was to split the input parameter:

event = tr' || 'ue

This makes the final input parameter 'tr' || 'ue'. The || operator in Oracle means concatenate, so the parameter actually evaluates to true.

This shows that the database is evaluating the SQL statement which allows us to enter some if/then cases that will, in the end, allow us to read data from the database. So let’s see how this is done in a bit more complex query:

event = tr' || (select case when substr(banner, 1, 1) = 'A' then 'u' else 'X' end from (select banner from v$version where banner like '%Oracle%')) || 'e

While this may look complex, it really isn’t. The query takes the database banner from v$version (the row that contains the string Oracle). Then the first character of that line is extracted (by the substr() call) and compared to the letter ‘A’.

If it is ‘A’, the query returns ‘u’, otherwise it returns ‘X’.

Finally, this is concatenated so we have the following if/then case:

– If the first character of the banner line containing the string Oracle is ‘A’, return ‘u’, so the final string will be ‘true’.

– Otherwise, return ‘X’, so the final string will be ‘trXe’.

Now, by examining the output of the application, I was able to deduce whether the comparison was successful or not. A couple of minutes later, a Perl script that iterates over all characters was done and I was able to retrieve data from the database.

Lessons learned

How serious is this? Well, it’s pretty serious, depending on what is in the database. While I wasn’t able to modify the data, I was able to retrieve everything from the database. Remember Oracle? It has a handy table called all_source which contains the source of stored procedures and functions. This allowed me even to retrieve source code!

This example shows why every parameter your application deals with must be verified. In this simple case, all the developer had to do was check whether the parameter is true or false by creating a simple white list. Developers should also be aware that they can’t rely on stored procedures alone, hoping that they will do the job for them, as it all depends on the environment.
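To make the two halves of the diary concrete (the split-parameter probe under "Exploitation" and the white-list fix under "Lessons learned"), here is an added example that is not part of the original diary. It stands in for the Oracle-backed lookup with an in-memory SQLite table (SQLite also uses || for concatenation), so the same probe can be run against a vulnerable and a hardened version of the lookup; the table, column names and labels are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the application's backend: one table whose
# "flag" column holds the two legitimate values of the event parameter.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE events (flag TEXT, label TEXT)")
conn.executemany("INSERT INTO events VALUES (?, ?)",
                 [("true", "event enabled"), ("false", "event disabled")])


def lookup_vulnerable(event: str):
    """Builds the statement by string concatenation, which is what the
    vulnerable application effectively did: the user's input is parsed
    as SQL, so tr' || 'ue is evaluated by the database back to 'true'."""
    sql = "SELECT label FROM events WHERE flag = '" + event + "'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


# The diary's fix: the parameter has exactly two legitimate values.
ALLOWED_EVENTS = {"true", "false"}


def lookup_hardened(event: str):
    """White-list the parameter first, then pass it as a bind variable so
    the database never treats it as part of the statement text."""
    if event not in ALLOWED_EVENTS:
        raise ValueError("invalid event parameter")
    row = conn.execute("SELECT label FROM events WHERE flag = ?",
                       (event,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    probe = "tr' || 'ue"  # the split-parameter probe from the diary
    # Vulnerable path: the database concatenated the pieces, so the probe
    # behaves exactly like event=true (the signal the diary relies on).
    print("vulnerable:", lookup_vulnerable(probe))
    # Hardened path: the same input never reaches the SQL parser.
    try:
        lookup_hardened(probe)
    except ValueError as err:
        print("hardened:", err)
```

The point of the pairing is that the hardened lookup removes the signal entirely: every non-white-listed value yields the same rejection, so there is no output difference left to observe.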

MySQL founder creates Open Database Alliance

Monty Widenius, the main author of MySQL, has announced he is setting up the Open Database Alliance (ODA) to consolidate work on the open database.

The ODA will consist of a set of companies offering software, support and services for MariaDB, an enterprise-grade, community-developed branch of MySQL. MySQL services company Percona is the first to join.

“Our goal with the Open Database Alliance is to provide a central clearinghouse for MySQL development, to encourage a true open development environment with community participation, and to ensure that MySQL code remains extremely high quality,” said Widenius.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31328

Maldives Elections Commission website hacked

The website of the Maldives Elections Commission was hacked last night and the hackers defaced the homepage of the website. It isn’t known when the attack occurred, but even by 9:15pm last night the hackers’ message on the homepage had not been removed.

Later, after the website finally went offline, an official from the Commission said that they were trying to fix the website and assisting the Police in their investigation of the attack.

The official further said that the hackers had not changed any details on their database and had only changed the contents of the homepage.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31250

UC Berkeley suffers breach

Hackers breached a server in the health services center at the University of California, Berkeley, and accessed the personal data of more than 160,000 people, the college announced Friday. The stored database records included Social Security numbers and health insurance and other medical information. The intruders, believed to be based overseas, burrowed their way in through a public website. The breach, which began in October and continued through April, affected former Berkeley students and possibly their spouses or parents if they were linked to insurance coverage.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/Pm158p6WZpo/

Mass. police snooped on celebrities’ records

Massachusetts law enforcement personnel tapped into the state criminal records database and inappropriately viewed the personal records of celebrities on dozens of occasions, according to a state audit released Tuesday.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/nbjdWYnLkDM/

CVE-2009-0663 (dbd::pg)

Heap-based buffer overflow in the DBD::Pg (aka DBD-Pg or libdbd-pg-perl) module 1.49 for Perl might allow context-dependent attackers to execute arbitrary code via unspecified input to an application that uses the getline and pg_getline functions to read database rows.

URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0663

Government looks to ISPs as it cuts comms database plan

The government is set to require all telcos to record data on communications (mobile phone calls, text messages, emails and instant messages), as well as internet browsing sessions to social networking sites such as Facebook.

The details of the Intercept Modernisation Programme were laid out in a consultation document released today. The government will be accepting advice on the plans until July 2009.

Any firm considered a communications service provider (CSP), such as internet service providers (ISPs) and mobile operators, would be required to hold onto such data in case the government needed it, for anti-terror or policing reasons, for example. Such CSPs will also be required to collect data from services that are based overseas but use UK networks.

URL: http://www.hackinthebox.org/index.php?name=News&file=article&sid=31037

UK: U-turn on ‘Big Brother’ internet checks

Ministers backed down today over plans for a centralised database of email, telephone and internet data.

Home Secretary Jacqui Smith said there were “absolutely no plans for a single central store” of communications data.

Source – Metro

Related – Politics.co.uk
Related – The Scotsman

URL: http://www.pogowasright.org/article.php?story=20090427043932672

CVE-2009-1436 (freebsd)

The db interface in libc in FreeBSD 6.3, 6.4, 7.0, 7.1, and 7.2-PRERELEASE does not properly initialize memory for Berkeley DB 1.85 database structures, which allows local users to obtain sensitive information by reading a database file.

URL: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1436