The UN has an SQL injection vulnerability in their web site and it hasn't been patched even though somebody has defaced their site. To have a look, append the MS-SQL Server query of your choice to this URL: http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105;
For example, if you request:
http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105;drop table sysobjects
then their server will actually execute the query "drop table sysobjects" against their database. Of course, the query won't succeed, since sysobjects is a protected table, but the potential for damage is incredible. The main issue is that they still haven't done anything about it.
Subscribe to:
Post Comments (Atom)
1 comment:
Time Logger provides you an automatic time tracking with reporting to reveal the real team’s performance. It’s also equipped with budgeting and invoicing features to bill the customers accurately
Post a Comment