Tuesday, October 27, 2009

Researcher discloses SQL Injection flaw on barackobama.com

Reference: thetechherald.com

Update:

Jascha Franklin-Hodge, CTO at Blue State Digital, responded to our earlier questions with the following.

"As we treat all security issues with the utmost seriousness, we have been working closely with Organizing for America to investigate this alleged SQL injection problem. After careful review, we are confident that the screenshot included in this bug does not contain any data from the barackobama.com site or any other site hosted by Blue State Digital, the DNC, or Organizing for America."

"The screenshot, per the 'KeyWord' box, appears to be related to a 'Roosevelt University Calendar Events,' not a site that is hosted by Blue State Digital, nor connected with barackobama.com. Microsoft Access is not used in any capacity on the barackobama.com site or servers."

This statement only adds a little more weight to our earlier assumption. Unu has apparently accessed a database on the same server that is unrelated to President Obama’s site. We’ve asked Blue State Digital to confirm if this is in fact the case.

If so, we asked why an SQLi from President Obama's site allowed access to the Access database.

The answer given was firm: "There is no SQL injection issue on our servers or those hosting/related to the barackobama.com site. We do not run Microsoft Access anywhere in our organization, nor do we (or DNC/OFA) run or host any calendar at Roosevelt University."

It was suggested that we talk to Unu, who made the allegation in the first place. We've done so, and if we hear back, we'll update this story again.

Original Article:

Unu, the researcher responsible for several site vulnerability disclosures in the past, says there are SQL Injection (SQLi) flaws on barackobama.com. He said these flaws allowed him to access usernames and passwords used on the President's domain. At the same time, the DNC disagrees with him, saying that the information provided is based on incorrect assertions.

According to the blog post by Unu, an unsecured parameter in President Obama’s personal domain leads to the SQL Injection, allowing access to the database on the server. Interestingly enough, the database accessed in his example was a MS Access database. MS Access is a database format often rejected by developers on massive Web projects.

“We have a table admin. And in this table we can see that the admin passwords are in PLAIN TEXT! The website is big, with many sections, and there are 19 admins. What else do we need to get full access to the website? Nothing. After we log in as admins, we can virtually do anything we want with the website: upload PHPShells, redirects, infect pages with Trojan droppers, [and even deface the whole website],” Unu wrote.
