Showing posts with label SQL Injection Vulnerability.

WooCommerce Patched a Bug that Threatened Databases of Prominent Sites

 

According to researchers, a significant SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin has been exploited as a zero-day flaw. WooCommerce released an emergency remedy for the bug late on Wednesday as a result of the exploitation. Unauthenticated cyber attackers might use the flaw to steal a slew of data from an online store's database, including customer information, payment card information, and employee credentials. 

WooCommerce, a prominent open-source e-commerce platform for WordPress websites, is used by over 5 million websites worldwide. It enables online merchants to establish storefronts with a variety of customisable features, such as accepted payment kinds, shipping options, and sales tax calculations, among others. The WooCommerce Blocks feature, which is installed on over 200,000 sites, is the linked plugin affected by the flaw. It aids retailers in displaying their goods on websites. 

“Our investigation into this vulnerability and whether data has been compromised is ongoing,” Beau Lebens, head of engineering for WooCommerce, said in an advisory. “We will be sharing more information with site owners on how to investigate this security vulnerability on their site. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.” According to Wordfence experts, there is “extremely limited evidence of [exploitation] attempts and it is likely that such attempts were highly targeted.”

However, one user commented in the WooCommerce advisory's comments section that strange activity had been seen. “Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages,” the user said. “When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.” 

The issue affects WooCommerce plugin versions 3.3 to 5.5, as well as WooCommerce Blocks 2.5 to 5.5. According to Lebens, the company developed a patch remedy “for every impacted version (90+ releases) that was automatically sent to vulnerable stores.” However, because the automatic deployment isn't instantaneous, and users in the advisory's comments section were claiming that they hadn't received the upgrades as of Thursday afternoon, WooCommerce advised that "we're urging everyone to check and manually update if needed just in case."

SAP Issues Warning and Updates Regarding Serious Code Injection Flaws

 

SAP (Systems, Applications and Products in Data Processing) is a German multinational software corporation known for developing software that manages business operations and customer relations. SAP is the name of the software as well as of the company behind it. SAP provides “future-proof Cloud ERP (Enterprise Resource Planning) solutions that will power the next generation of business.” With its advanced capabilities, SAP can boost an organization's efficiency and productivity by automating repetitive tasks and making better use of time, money, and resources.

SAP published 14 new Security Notes on its December 2020 Patch Day, and in January 2021 published a further set of 7 new Security Notes, followed by updates to them. Five of the seven carry the highest severity rating, Hot News. Later in the month, SAP published 10 advisories documenting flaws and fixes for a range of serious security vulnerabilities. Among the reported vulnerabilities, the most important issue, in SAP Business Warehouse, bears a CVSS score of 9.9.

The first note addressed CVE-2021-21465, which SAP describes as multiple issues in the Database Interface. The bugs are an SQL injection combined with a missing authorization check, with a CVSS score of 6.5. SQL injection is a code injection technique that can be used to compromise or destroy a database, and it is one of the most common techniques used by attackers. According to Onapsis, a firm that secures Oracle and SAP applications, the missing authorization checks could easily be exploited to read any table of the database.

Noting that only minimal privileges are required for successful exploitation, Onapsis wrote in a blog post: “An improper sanitization of provided SQL commands allowed an attacker to execute arbitrary SQL commands on the database which could lead to a full compromise of the affected system.” SAP fixed the bugs by disabling the function module; applying the patch therefore means that all applications calling this function module stop working.

Another serious issue is a code injection flaw in both Business Warehouse and BW/4HANA, tracked as CVE-2021-21466. It results from insufficient input validation: such flaws can be abused to inject malicious code that is then stored persistently as a report. The issue potentially affects the confidentiality, integrity, and availability of affected systems. The remaining three of the five updates are fixes for programs released in 2018 and 2020.

SAP also warned of “an issue in the binding process of the Central Order service to a Cloud Foundry application” that could have allowed “unauthorized SAP employees to access the binding credentials of the service”.

Hacker breaks into Telangana’s TSPost website, exposes flaw

Indian government sites are often criticized for their lack of cyber security and safety of people’s information. Pointing out a flaw in Telangana government’s NREGA portal, French hacker and independent security researcher Robert Baptiste hacked into the state government’s website.

He reportedly contacted the site owners regarding the issue and after receiving no response for some time, published his results on social media.


The website (http://tspost.aponline.gov.in) was vulnerable to one of the most basic web hacking techniques, SQL injection. It has since gone offline in the wake of this news.

“A basic SQL injection allows an attacker to access the database of the website,” Robert said. “To be clear, all the data on this website can be a dump. Telangana government officials say they are working to fix it. For this website, they have to hire decent web developers to protect it from attacks.”

TSPost, Telangana’s government benefit disbursement portal, contained the account details and Aadhaar numbers of over 56 lakh NREGA beneficiaries and 40 lakh beneficiaries of social security pensions.

Using the SQL injection, Robert was able to access not only the Aadhaar and account details from the website but also the API keys for UIDAI's Aadhaar database; with those keys, anyone capable enough could build a fake Aadhaar app and upload it to the Google Play store for malicious use.

This is one of the many cases pointing out how vulnerable the Aadhaar system is to hacking and security breaches.

Emerson fixes SQL injection bug in AMS Device Manager


Emerson Process Management has released a patch for an SQL injection vulnerability in its AMS Device Manager application.

Emerson AMS Device Manager is software used worldwide, primarily in the oil and gas and chemical industries.

The advisory (ICSA-15-111-01) published on the ICS-CERT website states that the vulnerability is not exploitable remotely and cannot be exploited without user interaction. It also states that exploiting the vulnerability is of medium difficulty.

"Successful attack results in administrative access to the application and its data files but not to the underlying computer system," the advisory reads.

The vulnerability affects AMS Device Manager, V12.5 and earlier.


Emerson advises users of the application to take the following steps to avoid exploitation of this vulnerability.

For AMS Device Manager v12.5, it suggests applying a patch, upgrading to v13, or applying the workaround below. For earlier versions, the software can be configured by adding another user with full administrative privileges and giving the default administrative user read-only privileges.

ICS-CERT also recommends that users limit user privileges on machines running ICS software, minimize network exposure for all control system devices, locate control system networks and remote devices behind firewalls, and isolate them from the business network.

Joomla 3.2.2 is vulnerable to SQL Injection and XSS


If your website is running Joomla 3.2.2, you should upgrade your CMS to the latest version.

Joomla 3.2.3 has been released to address more than 40 bugs and four security vulnerabilities.

One of the patched security flaws is an SQL injection caused by inadequate escaping, rated as a High severity bug. It affects versions 3.1.0 through 3.2.2.

Two other security bugs are cross-site scripting vulnerabilities, rated as Medium severity.

The last one allows unauthorized logins via GMail authentication, caused by inadequate checking. It affects versions 2.5.8 and earlier 2.5.x releases, and 3.2.2 and earlier 3.x releases.

Whether or not you care about the 40 bug fixes, you should always take the security fixes seriously. So update your CMS immediately, before attackers inform you of the flaw by hacking your site.

'Advanced Power' botnet attempts to hack website using victim's machine

Security researcher Brian Krebs has discovered a new botnet that tests websites for vulnerabilities using infected machines.

The malware, which disguises itself as a legitimate Firefox add-on called "Microsoft .NET Framework Assistant", apparently uses the infected machines to look for SQL injection vulnerabilities in any website the victim visits.

Once the malware has built a list of vulnerable websites, the cyber criminals behind the botnet can exploit the vulnerabilities to inject malicious code into those websites. This will probably help the attackers increase the number of infected websites and systems.

Advanced Power testing for SQL injection vulnerabilities

The malware is also capable of stealing sensitive information. However, that feature does not appear to be activated on infected systems.

Alex Holden, chief information security officer at Hold Security LLC, analyzed the malware and believes its authors are from the Czech Republic, based on text strings found in the threat.

The researcher says more than 12,500 systems have been infected by this malware, which has helped to discover at least 1,800 web pages vulnerable to SQL injection.

Update:
In an email, a Mozilla spokesperson told EHN that "they have disabled the fraudulent 'Microsoft .NET Framework Assistant' add-on used by 'Advanced Power' as part of its attack. You should always be careful with anything you download. It's a good idea to use many layers of protection, including antivirus software to stop malware."

Vevo website hacked by TeslaTeam via SQL Injection vulnerability

Tesla Team, a hacker group from Serbia, has claimed to have breached the Vevo website (Vevo.com).

Vevo is a joint-venture music video website owned and operated by Universal Music Group, Google, Sony Music Entertainment, and Abu Dhabi Media.

The team discovered an SQL injection vulnerability in one of the sub-domains of the Vevo website that allowed them to compromise its database.

In a Pastebin leak (pastebin.com/TAjce91x), the group published the vulnerable link as well as a proof of concept that exploits the vulnerability. The database dump is claimed to contain the emails and passwords of admins and other users.

It appears that someone with the username "JoinSeventh" on HackForums had already published the vulnerability details in 2012.

OpenEMR affected by Multiple Vulnerabilities

OpenEMR, the most popular open source electronic medical records application, is reported by Trustwave SpiderLabs to have multiple vulnerabilities.

The report says that, starting from guest access combined with several application issues, the researcher was able to compromise the server running OpenEMR and even use it as a foothold for attacking the internal network.

The researcher found an SQL injection vulnerability at "Reports > Visits > SuperBill > Dates".

"By browsing to this page and dumping in junk in either the start or end date parameters," he saw the SQL error message: "ERROR: query failed: select * from forms where form_name = 'New Patient Encounter' and date between 'a'' and '2013-07-12' order by date DESC"

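The error message above is what you get when request parameters are spliced straight into the SQL text and the handler echoes the database exception. As an added example (not OpenEMR's code; the forms table, its rows and the report function names are constructed for the demo), here is that query pattern in Python with sqlite3, beside a hardened version that validates the date format and binds the values as parameters:

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory copy of the one table the error message names (added
    example, not OpenEMR's schema) with a few encounter forms around the report range."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table forms (id integer primary key, form_name text, date text)")
    conn.executemany(
        "insert into forms (form_name, date) values (?, ?)",
        [
            ("New Patient Encounter", "2013-06-30"),
            ("New Patient Encounter", "2013-07-05"),
            ("New Patient Encounter", "2013-07-11"),
            ("Vitals", "2013-07-05"),
        ],
    )
    return conn


def visits_report_vulnerable(conn, start, end):
    # The pattern behind the quoted error: request parameters spliced into the SQL
    # text. Junk such as "a'" breaks the quoting, the database raises an error and,
    # when the handler echoes the exception, the full statement reaches the client.
    sql = (
        "select * from forms where form_name = 'New Patient Encounter' "
        "and date between '" + start + "' and '" + end + "' order by date DESC"
    )
    return conn.execute(sql).fetchall()


DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def visits_report_safe(conn, start, end):
    # Hardened form: reject anything that is not shaped like a date, then bind the
    # values with placeholders so the database never interprets them as SQL.
    for value in (start, end):
        if not DATE_RE.match(value):
            raise ValueError("date parameter must look like YYYY-MM-DD")
    sql = ("select * from forms where form_name = ? "
           "and date between ? and ? order by date DESC")
    return conn.execute(sql, ("New Patient Encounter", start, end)).fetchall()


def demo():
    """Run both variants on a valid range and on the junk value from the report."""
    conn = make_db()
    results = {"safe_rows": len(visits_report_safe(conn, "2013-07-01", "2013-07-12"))}
    try:
        visits_report_vulnerable(conn, "a'", "2013-07-12")
        results["vulnerable_error"] = None
    except sqlite3.OperationalError as exc:
        results["vulnerable_error"] = str(exc)  # the kind of text the report quotes
    try:
        visits_report_safe(conn, "a'", "2013-07-12")
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The validation step matters on its own: even with bound parameters, a handler that lets a database error propagate to the response still tells a prober which inputs reach the query, so the hardened version fails before the database is involved and with a message that names nothing about the schema.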
The report also claims that most of the database contents could be dumped, including sensitive patient data as well as numerous usernames and passwords. "I let my GPU box chew on the password hashes for a bit, and kept poking at the application," the blog says.

OpenEMR is also reported to have an HTML injection/XSS flaw on the 'Office Notes' page. The researcher was even able to trick users visiting the page into attempting authentication against his system, which was hosting a fake SMB server with static challenges:

Image Credits: SpiderLabs

"This allowed me to capture a handful of domain usernames and password hashes. In addition, I had some luck cracking the OpenEMR password hashes from earlier, and some of the passwords were re-used locally on the Linux system hosting OpenEMR, allowing me access via SSH," SpiderLabs reports.

OpenEMR has been informed and has patched the vulnerabilities in the latest 4.1.1 patch release.

Author: Shalini Bhushan


Reckz0r identified POST SQL Injection vulnerability in Twitter

The hacker Reckz0r, who recently breached the CNN website, has identified a POST-based SQL injection vulnerability in the Twitter support page.

The 'Referrer' parameter of the api_general form at support.twitter.com is vulnerable to SQLi.

Although the vulnerability would allow a hacker to extract confidential data from Twitter, the hacker did not engage in any malicious activity because he did not want his account to be suspended.

The screenshot provided by the hacker:

"Vulnerability lies in http://support.twitter.com/forms/submitted?regarding=api_general - You see, there might be dozens of vulnerabilities lying in support.twitter.com. We can inject hidden boxes in this kind of atmosphere," the hacker said.

Brazil Navy and Pakistan Army websites hacked by SQL Injection


These security breaches are the latest examples of governments being careless about cyber security. The hacker @WilyXem has found two more military websites vulnerable to SQL injection.

The Brazilian Navy and Pakistan Army websites are affected by SQL injection vulnerabilities. The hacker tweeted a few links containing the proofs of concept (http://sprunge.us/ZUHM, sprunge.us/ZdKY, sprunge.us/CJGO).

The vulnerabilities exist in the Board of Historic & Documentation Navy (biblioteca.dphdm.mar.mil.br), the Department of Distance Education (ead.densm.mar.mil.br) and the Pakistan Army (www.pakistanarmy.gov.pk) sites.

The PoCs expose the target database details, including database name, database version and table details.

The same hacker yesterday hacked into the Royal Thai Navy website and leaked the login information from the database.


Yahoo! Blind SQL Injection could lead to data leakage


It seems that 2013 is the "Data Leakage Year"! Customer information and confidential data belonging to government institutions, famous vendors, and companies has been published on the internet.

Ebrahim Hegazy (@Zigoo0), an Egyptian information security advisor who found a high-severity vulnerability in the "Avira license daemon" a few days ago, is in the news again, this time for finding and reporting a blind SQL injection vulnerability in one of Yahoo!'s e-marketing applications. SQL injection vulnerabilities are ranked as critical because, if used by hackers, they cause a database breach that leads to confidential information leakage.

A time-based blind SQL injection web vulnerability was detected in the official Yahoo! TW YSM Marketing Application Service. The vulnerability allows remote attackers to inject their own SQL commands to breach the database of the vulnerable application and get access to user data.

The SQL injection vulnerability is located in the index.php file of the soeasy module, when processing requests with manipulated scId parameters. By manipulating the scId parameter, attackers can inject their own SQL commands to compromise the web server application's DBMS.

The vulnerability can be exploited by remote attackers without a privileged application user account and without user interaction. Successful exploitation of the SQL injection vulnerability results in compromise of the application and the application service DBMS.
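Time-based blind injection of the kind described above leaves a distinctive trace in server logs: repeated requests to one endpoint from one client whose response times sit far above that endpoint's normal, whether or not the parameter value contains a recognisable database function. As an added example (not Yahoo!'s or the researcher's code), the following Python script runs a defender's detection over constructed access-log lines. The log format, the index.php path and the scId parameter name are assumptions for the demo, the IP addresses are documentation ranges, and the parameter values are minimal constructed placeholders:

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Combined log format with the response time (seconds) as a trailing field, the way
# nginx's $request_time is commonly appended. Assumption: your access log records it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>\d+\.\d+)$'
)

# WAF-style signature list: database functions whose only purpose in a query string
# is to make the server stall (assumption: the application never uses them itself).
DELAY_FUNCTIONS = ("sleep(", "benchmark(", "pg_sleep(", "waitfor delay", "dbms_lock.sleep")

# Constructed sample lines, not real traffic. Three requests from one client are slow;
# two carry a delay function in scId and the third carries an opaque placeholder value
# standing in for a payload the signature list would not recognise.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2013:10:00:01 +0000] "GET /soeasy/index.php?scId=12 HTTP/1.1" 200 5120 0.041
203.0.113.5 - - [01/Mar/2013:10:00:02 +0000] "GET /soeasy/index.php?scId=13 HTTP/1.1" 200 5133 0.039
203.0.113.6 - - [01/Mar/2013:10:00:05 +0000] "GET /soeasy/index.php?scId=14 HTTP/1.1" 200 5098 0.044
203.0.113.6 - - [01/Mar/2013:10:00:06 +0000] "GET /soeasy/index.php?scId=12 HTTP/1.1" 200 5120 0.040
198.51.100.7 - - [01/Mar/2013:10:00:09 +0000] "GET /soeasy/index.php?scId=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120 5.044
198.51.100.7 - - [01/Mar/2013:10:00:15 +0000] "GET /soeasy/index.php?scId=12%20and%20sleep(5) HTTP/1.1" 200 5120 5.051
198.51.100.7 - - [01/Mar/2013:10:00:22 +0000] "GET /soeasy/index.php?scId=12-obfuscated-placeholder HTTP/1.1" 200 5120 4.980
203.0.113.9 - - [01/Mar/2013:10:00:30 +0000] "GET /static/logo.png HTTP/1.1" 200 9001 0.003
"""


def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs decodes once; the extra unquote_plus also unwraps double-encoded values.
    rec["params"] = {k: [unquote_plus(v) for v in vs]
                     for k, vs in parse_qs(parts.query, keep_blank_values=True).items()}
    return rec


def has_delay_signature(rec):
    return any(sig in v.lower()
               for vs in rec["params"].values() for v in vs for sig in DELAY_FUNCTIONS)


def detect_time_based_probes(lines, slow_factor=10.0, min_seconds=2.0):
    """Flag requests that match a delay signature or are far slower than their path's
    median. Assumes probes are a minority of traffic to that path; in production derive
    the baseline from a known-quiet window instead of the same batch."""
    records = [r for r in map(parse_line, lines) if r]
    per_path = defaultdict(list)
    for r in records:
        per_path[r["path"]].append(r["rt"])
    baseline = {p: max(median(v), 0.001) for p, v in per_path.items()}
    findings = []
    for r in records:
        reasons = []
        if has_delay_signature(r):
            reasons.append("delay-function signature in parameter")
        ratio = r["rt"] / baseline[r["path"]]
        if r["rt"] >= min_seconds and ratio >= slow_factor:
            reasons.append("response %.0fx slower than path median" % ratio)
        if reasons:
            findings.append((r["ip"], r["target"], reasons))
    return findings


def suspicious_clients(findings):
    return sorted({ip for ip, _, _ in findings})


if __name__ == "__main__":
    for ip, target, reasons in detect_time_based_probes(SAMPLE_LOG.splitlines()):
        print(ip, target, "; ".join(reasons))
```

The latency rule is the one worth keeping: signatures are easy to rewrite around, but a blind time-based probe only works if the server really does stall, so the delay itself is the reliable indicator, and the per-path baseline keeps a genuinely slow report page from triggering on every hit.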

But Ebrahim is a white hat hacker, so he reported the vulnerability to the Yahoo! security team with recommendations on how to patch the vulnerability.

According to Ebrahim, the time line of the vulnerability was:
================
2013-02-24:    Researcher Notification & Coordination
2013-02-25:    Vendor Notification
2013-03-01:    Vendor Response/Feedback
2013-04-01:    Vendor Fix/Patch by check
================

More details about the vulnerability could be found here:
http://www.resecure.me/public/Yahoo-TW-YSM-BSQLI.txt

As most readers know, Yahoo! does not have a bug bounty program or a hall of fame, so as a reward to researchers who find vulnerabilities in Yahoo! applications, Yahoo! sends them T-shirts with the Yahoo! logo and some other tokens. The researcher told us that he received a package from Yahoo! containing 2 T-shirts and a big cup as a reward.

US Telecom companies and Banks breached by Tunisian Cyber Army

As part of their ongoing operation against the United States known as "#opBlackSummer", the Tunisian Cyber Army (TCA) and Al-Qaeda Electronic Army (AQEA) have breached websites belonging to US telecommunication companies.

The hacker group has identified three SQL injection vulnerabilities in AT&T sub-domains and one SQLi in a Verizon website. The hackers provided the vulnerable links to EHN.

The hackers also attacked the official website of the U.S. Small Business Administration (sba.gov), Merrimack County Savings Bank (mcsbnh.com), and State Bank of Park Rapids (statebankofparkrapids.com).

The team exploited the vulnerabilities and compromised information such as user IDs, security question answers, passwords, addresses and email addresses.

XSS in FBI website

Speaking to EHN, the TCA said they exploited an XSS vulnerability in the FBI website by getting an admin to open a crafted FBI site link. The hackers claimed that they got temporary access to the admin's computer and downloaded some files about crimes and reports.

At EHN, we cannot confirm that the hackers' claims about the data compromise are true, but the vulnerability links provided by the hackers are valid.

Pakistan government site again hacked via SQL Injection vulnerability


Indian hacker Godzilla has once again hacked a very important Pakistani site, www.pakistan.gov.pk.

He took down many Pakistani sites just a few days ago: http://www.ehackingnews.com/2013/03/indian-hacker-godzilla-leaked-pakistan.html

He then gave the reason behind the attacks: "Pakistan is a country which is currently supporting terrorist activities through ISI, and if they regret, Pakistan army and Ministry of Defense mail server backups are enough proof of how closely they are related to terrorism. Pakistan stop these activities before it's too late."

The attack seems to have been done via SQL injection.

He finally noted that "No matter how hard you try we will get inside in no time."

Speaking to EHN, the hacker said "Admins and Governments take website security lightly thinking that they are hosted outside gets treated through your inside network. That's enough to get inside your network."

Arabian Gulf Oil Company(Agoco) website hacked by QuisterTow


A hacker with the online handle QuisterTow has claimed to have identified a critical SQL injection vulnerability in the website of Agoco (agoco.com.ly), the Arabian Gulf Oil Company based in Benghazi, Libya, which is engaged in crude oil and natural gas exploration, production and refining.

The hacker exploited this vulnerability and managed to dump the database from the server. He has leaked the login credentials from the database along with the database details.

The leak (pastebin.com/8HLiDqVt) contains the usernames and passwords of the admin and a few users. The password used by the admin is a very weak one and was leaked in plain text.

The hacker also provided the vulnerable link along with a proof of concept for exploiting this SQL injection vulnerability that lists the username and password information.

Bollywood Actress Divya Dutta website vulnerable to critical vulnerabilities


Ravi Kariya, a Security Analyst from Cyber Octet Pvt. Ltd (facebook.com/cyberoctet), has discovered critical vulnerabilities in the official website (divyadutta.co.in) of famous Indian actress Divya Dutta.

There are two SQL injection vulnerabilities in the website. One resides in the Press Clips page of the site (divyadutta.co.in/pressclipdetail.asp?id=7). A malicious hacker can exploit this vulnerability to extract the database.

The other one is more critical: it allows hackers to bypass authentication of the login. A malicious hacker can log in to the website as admin (divyadutta.co.in/admin/). This is done by injecting a crafted password that modifies the SQL query so that it lets the hacker log in.
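An authentication bypass of the kind described above works because the submitted password is pasted into the SQL statement that decides whether the login succeeds. As an added example (not the site's code; the users table, the credentials and the hashing parameters are constructed for the demo), here is that weak pattern in Python with sqlite3 beside a hardened login that sends only the username to the database, as a bound parameter, and verifies a salted hash in application code. The hashing side also addresses the plain-text password storage reported in several other posts on this page.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 200_000  # assumption for the demo; tune to your hardware


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user_db():
    """Constructed table with one admin account. The plain-text 'password' column
    exists only to reproduce the weak design; the hardened login never reads it."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table users (username text primary key, password text, salt blob, pw_hash blob)"
    )
    salt = os.urandom(16)
    conn.execute(
        "insert into users values (?, ?, ?, ?)",
        ("admin", "correct-horse", salt, hash_password("correct-horse", salt)),
    )
    return conn


def login_vulnerable(conn, username, password):
    # Weak pattern: both fields concatenated into the statement and the password
    # compared inside SQL. A crafted password rewrites the WHERE clause, so the
    # query can return the admin row without the real password ever being known.
    sql = ("select username from users where username = '" + username
           + "' and password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Hardened pattern: the username is the only value that reaches the database,
    # bound as a parameter; the password is checked in code with a constant-time
    # comparison of salted PBKDF2 hashes, so there is no query for it to alter.
    row = conn.execute(
        "select username, salt, pw_hash from users where username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    if hmac.compare_digest(hash_password(password, row[1]), row[2]):
        return row[0]
    return None


def demo():
    """Try a crafted password and the real one against both login routines."""
    conn = make_user_db()
    crafted = "' or '1'='1"  # the textbook tautology, constructed for the demo
    return {
        "vulnerable_bypass": login_vulnerable(conn, "admin", crafted),
        "safe_bypass": login_safe(conn, "admin", crafted),
        "safe_real": login_safe(conn, "admin", "correct-horse"),
        "safe_wrong": login_safe(conn, "admin", "guess"),
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the password never becomes part of any query: once verification happens in code against a stored hash, there is nothing for a crafted password to rewrite, and a dumped table yields salted hashes rather than the plain-text credentials leaked in the other incidents on this page.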

There is also a cross-site scripting vulnerability in the contact us page (divyadutta.co.in/contact.asp). Injecting the following code into the fields and clicking the submit button executes the injected code:

"><script>alert('My Love For Divya Dutta')</script>

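The payload above starts with `">` because the submitted value is reflected inside an HTML attribute: the quote closes the attribute, the `>` closes the tag, and the browser parses what follows as markup. As an added example (not the site's code; the form field markup is an assumption), here is a Python rendering of such a contact-form field with and without output encoding, plus a parser-based check that counts script elements in the result, which is the kind of assertion a regression test for this bug should make:

```python
import html
from html.parser import HTMLParser

# The string reported above, used here as constructed test input.
PAYLOAD = "\"><script>alert('My Love For Divya Dutta')</script>"


def render_field_vulnerable(value):
    # Reflects the submitted value straight into the attribute, as the page describes.
    return '<input type="text" name="name" value="' + value + '">'


def render_field_safe(value):
    # html.escape with quote=True encodes & < > " and ', so the value can never close
    # the attribute or start a new tag, whatever the user typed.
    return '<input type="text" name="name" value="' + html.escape(value, quote=True) + '">'


class ScriptCounter(HTMLParser):
    """Counts <script> start tags while parsing a fragment the way a browser would."""

    def __init__(self):
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_tags(markup):
    parser = ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts


if __name__ == "__main__":
    for name, render in (("vulnerable", render_field_vulnerable), ("safe", render_field_safe)):
        out = render(PAYLOAD)
        print(name, count_script_tags(out), out)
```

Encoding has to match the context the value lands in: `html.escape` covers attribute values and element text, but a value written into a JavaScript block or a URL needs that context's encoder instead.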



Ravi tried to contact Divya Dutta via email and Twitter, but she failed to respond to his query. It seems that she doesn't realize the severity of this security flaw. A black-hat hacker would be able to deface the site using these vulnerabilities.

I think she will respond after some black hats attack the site; what do you think, guys?

*Update*
After E Hacking News published news about the vulnerability, the admin pulled down the Divya Dutta site. Now the site displays the following error message:

"Directory Listing Denied.This Virtual Directory does not allow contents to be listed."


Sri Lankan NIC site(nic.lk) hacked via SQL injection vulnerability

Recently, we reported that hackers defaced top-level domains of Turkmenistan, including Google, Gmail and YouTube, by exploiting a vulnerability in NIC.tm. Today they have discovered a vulnerability in another NIC website.

The hackers found a critical SQL injection vulnerability in the Sri Lankan NIC website (nic.lk) that would allow them to hijack top-level Sri Lankan domains.

NIC websites are among the most important parts of every country's presence on the internet. A network information center (NIC) is the part of the Internet's Domain Name System (DNS) that keeps the database of domain names and generates the zone files that map domain names to IP addresses.

Each NIC is an organization that manages the registration of domain names within the top-level domains for which it is responsible, controls the policies of domain name allocation, and technically operates its top-level domain.

"Any unauthorized access can make a disaster to compromised country," the hackers said, "for example changing all governments website’s DNS to hacker DNS and grab all high-level man of country credentials."

The hackers compromised data from the database and dumped it. They claim that they reported the issue to the NIC but got no response from its security team.

Critical SQL Injection vulnerability in Punjab and Sind Bank website

 
Information security expert Narendra Bhati has discovered a critical SQL injection vulnerability in the Punjab and Sind Bank website (psbindia.com).

Punjab & Sind Bank (P&SB) is a major public sector bank in Northern India. Of its more than 1100 branches and offices spread throughout India, almost 450 are in Punjab state, though the bank's corporate headquarters is in New Delhi.

The researcher provided the vulnerable link in an email sent to EHN. As I consider the vulnerability highly critical, I am not going to provide the vulnerable link here.

The researcher provided PoC code that allows attackers to extract the usernames, hashed passwords and address details stored in the bank's database.

The researcher also found that the same link is vulnerable to cross-site scripting (XSS). It allows hackers to inject an iframe that executes in the site.

Bangladesh Railway , NIMC & Jiban Bima Corporation sites vulnerable to SQL Injection

The Tunisian hacker Human Mind Cracker has claimed to have discovered SQL injection vulnerabilities in top Bangladesh government websites.

In an email sent to E Hacking News, the hacker mentioned that he found SQLi in three government sites.

The affected government sites are the official site of Bangladesh Railway (railway.gov.bd), the National Institute of Mass Communication of Bangladesh (NIMC.gov.bd) and Jiban Bima Corporation (JBC.gov.bd).

The hacker managed to breach the database server belonging to the National Institute of Mass Communication and leaked the stolen data on Hey paste it (heypasteit.com/clip/0NUH).

The database dump contains database table names, user names and hashed passwords. It contains more than 650 entries of user data.

The hacker claims that the Bangladesh government websites are not secure at all. As far as I know, not only Bangladesh's but also other countries' government sites are vulnerable. More than 90% of government websites are vulnerable.

Algerian Bank CPA hacked by Tunisian Hacker


One of the Algerian banks, Crédit populaire d'Algérie (CPA), has been found to be vulnerable to SQL injection. This critical vulnerability was discovered by the grey-hat Tunisian hacker "Human Mind Cracker", who usually targets bank and government sites.

In an email sent to EHN, the hacker provided the vulnerable link on the site (cpa-bank.dz).

"I reported to them the vulnerability before I hack into the database, 2 days without reply or anything... After that I find that the email that they put it in the website for contact is INVALID mail. So I get into the database," the hacker said.

In a paste (heypasteit.com/clip/0NLX), the hacker dumped the compromised data to prove the severity of the vulnerability. It contains usernames, passwords, email addresses, phone numbers, fax numbers and locations.

Bangladesh Post Office site hacked by Human Mind Cracker

An SQL injection vulnerability has been discovered in the official website of the Bangladesh Post Office (bangladeshpost.gov.bd). The vulnerability was discovered by the grey-hat hacker "Human Mind Cracker".

In an email sent to EHN, the hacker provided the vulnerable link and claimed that the site has many vulnerabilities.

The hacker breached the site by exploiting the SQL injection vulnerability and compromised the database.

Screenshot of Admin Panel

"I get into their database, and the funniest thing is that the passwords are not encrypted with any hash, and this is so bad for a website related to a government," the hacker said in the email.

The database dump (heypasteit.com/clip/0N9U) contains database details, usernames and plain-text passwords. It also includes the admin username and password.