The UN has an SQL injection vulnerability on their web site, and it hasn't been patched even though somebody has already defaced the site. To have a look, append the MS-SQL Server query of your choice to this URL: http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105;
For example, if you request:
http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105;drop table sysobjects
then their server will actually execute the query "drop table sysobjects" against their database. Of course, the query won't succeed, since sysobjects is a protected table, but the potential for damage is incredible. The main issue is that they still haven't done anything about it.
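The defect described above is the classic one: the raw `statID` query-string value is pasted into the SQL text, so the `;` lets a second statement ride along. The following is an added example, not code from the post or from the UN site; it uses an in-memory SQLite table as a stand-in for the speeches table (the `statements` table and its columns are assumptions) to contrast the concatenating pattern with a parameterized, input-validated lookup, and to show that a bound parameter is treated as a single literal value rather than as a second statement.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the table behind statments_full.asp.
# Table and column names are assumptions; the real schema is not on the page.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (statID INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO statements VALUES (?, ?)",
        [(104, "Statement 104"), (105, "Statement 105")],
    )
    conn.commit()
    return conn

def build_query_vulnerable(stat_id):
    # The pattern the post describes: the query-string value is concatenated
    # straight into the SQL text. With "105;drop table sysobjects" the result
    # is two statements, and MS-SQL Server executes stacked statements.
    return "SELECT statID, title FROM statements WHERE statID = " + stat_id

def count_statements(sql):
    # Crude review/detection aid: how many non-empty statements does the
    # generated text contain? Anything above one means a stacked query.
    return len([s for s in sql.split(";") if s.strip()])

def fetch_bound_only(conn, stat_id):
    # Binding alone already removes the injection: the whole payload becomes
    # one literal value compared against statID, never a second statement.
    return conn.execute(
        "SELECT statID, title FROM statements WHERE statID = ?", (stat_id,)
    ).fetchone()

def fetch_statement(conn, stat_id):
    # Hardened lookup: whitelist the parameter shape (a short decimal integer,
    # which is all statID can legitimately be), then bind the typed value.
    if not re.fullmatch(r"[0-9]{1,9}", stat_id):
        raise ValueError("statID must be a small positive integer")
    return conn.execute(
        "SELECT statID, title FROM statements WHERE statID = ?", (int(stat_id),)
    ).fetchone()

def table_exists(conn, name):
    # Used to confirm the hardened path never touched the schema.
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    db = make_db()
    payload = "105;drop table sysobjects"   # the value from the post's URL
    print(build_query_vulnerable(payload))
    print("statements in generated SQL:", count_statements(build_query_vulnerable(payload)))
    print("bound only:", fetch_bound_only(db, payload))
    print("validated:", fetch_statement(db, "105"))
    print("table still present:", table_exists(db, "statements"))
```

Running it prints the concatenated text with its two statements, then shows that the same payload passed as a bound parameter simply matches no row, and that the validating lookup rejects it before any SQL is built. The regex whitelist is belt-and-braces: parameter binding is the fix, and the shape check gives an early, loggable rejection that a WAF or application log can key on.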
2007-08-12
2 comments:
Time Logger provides you an automatic time tracking with reporting to reveal the real team’s performance. It’s also equipped with budgeting and invoicing features to bill the customers accurately
Nice blog, thanks for posting