2007-08-12

SQL injection attack in the UN

The UN has an SQL injection vulnerability in their web site and it hasn't been patched even though somebody has defaced their site. To have a look, append the MS-SQL Server query of your choice to this URL: http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105;

For example, if you request:

http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105;drop table sysobjects

then their server will actually execute the query "drop table sysobjects" against their database. Of course, the query won't succeed, since sysobjects is a protected table, but the potential for damage is incredible. The main issue is that they still haven't done anything about it.
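The root cause the post describes is a page that splices the `statID` query-string value straight into the SQL text and hands the result to SQL Server, which executes every `;`-separated statement in the batch. The following is an added example, not code from the original post or from the UN's site: it models that flawed pattern next to the parameterized fix, using Python and an in-memory SQLite table. The `speeches` table, its columns, and `run_batch` (a stand-in for MS-SQL batch semantics) are assumptions constructed for the demo.

```python
import sqlite3

# Constructed demo schema standing in for whatever table sits behind the
# statID lookup. Table and column names are assumptions for this example.
SCHEMA = """
CREATE TABLE speeches (statID INTEGER PRIMARY KEY, title TEXT);
INSERT INTO speeches VALUES (105, 'Statement 105');
INSERT INTO speeches VALUES (106, 'Statement 106');
"""


def fresh_db():
    """Return a new in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_batch(conn, sql):
    """Stand-in for MS-SQL batch execution: every ';'-separated statement in the
    string is run in order, and the rows of the last SELECT are returned.
    (Naive splitting is fine here; it only models the server's behaviour.)"""
    rows = []
    for stmt in filter(None, (s.strip() for s in sql.split(";"))):
        cur = conn.execute(stmt)
        if cur.description:          # only SELECTs produce a result set
            rows = cur.fetchall()
    return rows


def lookup_vulnerable(conn, stat_id):
    """The pattern the post describes: untrusted text becomes part of the SQL,
    so anything after a ';' is executed as its own statement."""
    return run_batch(conn, "SELECT title FROM speeches WHERE statID = " + stat_id)


def lookup_parameterized(conn, stat_id):
    """Fix, part 1: bind the value as a parameter. The driver transmits it as
    data, never as SQL text, so an appended statement is just a non-matching
    value and the query returns no rows."""
    cur = conn.execute("SELECT title FROM speeches WHERE statID = ?", (stat_id,))
    return cur.fetchall()


def lookup_safe(conn, stat_id):
    """Fix, part 2 (defence in depth): statID is an integer key, so reject any
    other shape before it reaches the database, then bind it."""
    if not stat_id.isdigit():
        raise ValueError("statID must be a positive integer")
    cur = conn.execute("SELECT title FROM speeches WHERE statID = ?", (int(stat_id),))
    return cur.fetchall()


def table_exists(conn, name):
    """Check whether a table survived, via the SQLite catalogue."""
    cur = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,))
    return cur.fetchone() is not None


if __name__ == "__main__":
    # Constructed input in the shape the post shows: a valid id followed by an
    # appended statement.
    payload = "105;drop table speeches"

    db = fresh_db()
    print("vulnerable:", lookup_vulnerable(db, payload))
    print("table still exists after vulnerable lookup:", table_exists(db, "speeches"))

    db = fresh_db()
    print("parameterized:", lookup_parameterized(db, payload))
    print("table still exists after parameterized lookup:", table_exists(db, "speeches"))
    try:
        lookup_safe(db, payload)
    except ValueError as exc:
        print("safe lookup rejected input:", exc)
```

The point worth taking from the two fixed functions is that parameter binding alone is what stops the injection; the integer check in `lookup_safe` is a second layer that also gives the application a clean place to log and reject malformed requests, which is where detection of this kind of probing normally starts.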
