SQL Injection flaw on barackobama.com

Posted on October 27, 2009. Filed under: News, Others, Security, Web


Yesterday, the security researcher Unu reported that he had carried out a successful SQL Injection attack against donate.barackobama.com, the official campaign donation site of current President Barack Obama, and gained access to credentials, such as user names and passwords, for people who donated to the Obama campaign, as well as administrative user credentials.

Interestingly, the database accessed in his example was an MS Access database. MS Access is a database format that developers usually reject for large Web projects.


“We have a table admin. And in this table we can see that the admin passwords are in PLAIN TEXT! The website is big, with many sections, and there are 19 admins. What else do we need to get full access on the website? Nothing. After we log in as admins, we can virtually do anything we want with the website: upload PHPShells, redirects, infect pages with Trojan droppers, [and even deface the whole website],” Unu wrote.
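The two defects behind the report are user input concatenated into SQL text and an admin table holding recoverable passwords. The following is an added example, not code from the original post or from the site in question, using a constructed SQLite `admin` table as a stand-in for the MS Access backend; it contrasts the concatenated lookup with a bound one and stores only salted PBKDF2 hashes, so even a dumped table yields no plaintext.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample admins; SQLite is used because it ships with Python, but
# the query patterns below are the same for an MS Access (or any SQL) backend.
SAMPLE_ADMINS = [("alice", "correct horse"), ("bob", "hunter2")]


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256: the table never stores a recoverable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, pw in SAMPLE_ADMINS:
        salt = os.urandom(16)
        db.execute("INSERT INTO admin VALUES (?, ?, ?)", (user, salt, hash_password(pw, salt)))
    return db


def find_admin_vulnerable(db: sqlite3.Connection, username: str) -> list:
    """Input pasted straight into the SQL text: the pattern behind the flaw.
    A username containing a quote rewrites the WHERE clause, so one request
    can return every row of the admin table."""
    sql = "SELECT username FROM admin WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]


def find_admin_safe(db: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value is bound as data, never parsed as SQL."""
    sql = "SELECT username FROM admin WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


def check_login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Bound lookup plus constant-time comparison against the stored hash."""
    row = db.execute("SELECT salt, pw_hash FROM admin WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # quote-containing input used to compare the two lookups
    print(find_admin_vulnerable(db, probe))  # both sample usernames
    print(find_admin_safe(db, probe))        # []
    print(check_login(db, "alice", "correct horse"), check_login(db, "alice", probe))
```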

Read more here, here and here
