2007-08-12

SQL injection attack in the UN

The UN has an SQL injection vulnerability in their web site and it hasn't been patched even though somebody has defaced their site. To have a look, append the MS-SQL Server query of your choice to this URL: http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105;

For example, if you request:

http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105;drop table sysobjects

then their server will actually execute the query "drop table sysobjects" against their database. Of course, that particular query won't succeed, since sysobjects is a protected system table, but the potential for damage is incredible. The main issue is that they still haven't done anything about it.
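The flaw described above is string concatenation of the statID parameter into a SQL batch. The following is an added example, not code from the UN site or from this post: it shows that concatenation pattern beside a hardened lookup (integer validation plus a bound parameter) and a simple log check that flags non-numeric statID values. An in-memory SQLite database with a constructed statements table stands in for MS-SQL (assumption), with executescript() playing the role of the server running a ';'-separated batch.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for the site's statements table (assumption: the real
# schema is unknown; only the statID column matches the page).
SCHEMA = """
CREATE TABLE statements (statID INTEGER PRIMARY KEY, title TEXT);
INSERT INTO statements VALUES (105, 'Statement 105');
"""

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None

def lookup_vulnerable(conn, stat_id):
    # The pattern the post describes: the raw query-string value is pasted
    # into the SQL text, so a ';' in it appends a second statement that the
    # database runs along with the intended SELECT.
    conn.executescript("SELECT title FROM statements WHERE statID = " + stat_id)

def lookup_hardened(conn, stat_id):
    # Reject anything but a plain integer, then bind it as a parameter so the
    # value can never be interpreted as SQL syntax.
    if not re.fullmatch(r"\d+", stat_id):
        raise ValueError("statID must be an integer")
    row = conn.execute(
        "SELECT title FROM statements WHERE statID = ?", (int(stat_id),)
    ).fetchone()
    return row[0] if row else None

def suspicious_stat_id(url):
    # Detection check for web-server logs: a legitimate request carries a
    # purely numeric statID, so anything else (';', keywords) is worth alerting on.
    m = re.search(r"[?&]statID=([^&]*)", url)
    return m is not None and not re.fullmatch(r"\d+", unquote(m.group(1)))

if __name__ == "__main__":
    db = fresh_db()
    lookup_vulnerable(db, "105;DROP TABLE statements")
    print("table survived concatenated lookup:", table_exists(db, "statements"))
    db = fresh_db()
    print("hardened lookup:", lookup_hardened(db, "105"))
```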

2 comments:

time tracking tool said...

Time Logger provides you an automatic time tracking with reporting to reveal the real team’s performance. It’s also equipped with budgeting and invoicing features to bill the customers accurately.

Shutters Wisconsin said...

Nice blog, thanks for posting.