Slashdot Mirror


United Nations vs SQL Injections

Giorgio Maone writes "The United Nations web site has been defaced by 3 crackers who replaced the speeches of the Secretary-General Ban Ki-Moon with their own pacifist message. This article briefly analyzes the exploited vulnerability and the technology used on the server, both quite surprising to find in such a high profile site."

4 of 144 comments

  1. The hole is still open, though... by caferace · · Score: 3, Interesting
  2. Re:And Jews violated more laws under the Nazis, to by c6gunner · · Score: 2, Interesting

    Any organization which elects Libya to chair its "Human Rights Council" automatically loses any right to be taken seriously.

    Seriously, is it possible any more to even pretend that the UN is anything but a forum for tinpot dictators and other nameless losers to bitch, complain, and blame the west for all of Earth's problems?

    Come to think of it ..... it kinda reminds me of Slashdot, actually ;)

  3. Hardly a surprise by Opportunist · · Score: 5, Interesting

    You'll notice that webpages of governments, political parties and other highly bureaucratic systems are usually quite vulnerable. This is due to a few factors.

    First of all, whatever they do, use or change needs about a truckload of paperwork and red tape to get done. They're not only vulnerable to 0day exploits, they're usually vulnerable to exploits that have been around for a year or two, simply because they cannot respond quickly to security threats and vulnerabilities.

    Then there's that compatibility issue. Especially when dealing with multiple partners, you have to find some kind of way that makes it easy for every partner to incorporate their content into your system. You must not prefer any, you must not use a system that would block certain partners and participants out due to incompatibility. Now, compatibility usually boils down to the lowest common denominator. And that's usually not the most secure one.

    And finally the good ol' fact that the people who work there are usually not the creme of the crop, the best of the best and the spearhead of excellence, or they'd be in free enterprise making more money.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. The easiest non-intrusive way by michaelhood · · Score: 2, Interesting

    to check for SQL injection like this on a website is to do something like this:

    http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105%20OR%201=1

    If they're not using parameter binding and/or properly sanitizing user input, this should return a different record (article in this case) than the original URL. - http://www.un.org/apps/news/infocus/sgspeeches/statments_full.asp?statID=105
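As an added illustration of what the comment above is probing for (this is example code, not the commenter's and not anything from the UN site), the Python below compares a lookup built by string concatenation with one that uses parameter binding and integer validation. It runs the decoded value from the URL above, `105 OR 1=1`, against a constructed in-memory SQLite table; the table name, column names and sample rows are assumptions standing in for whatever sits behind `statments_full.asp`.

```python
import sqlite3

# Constructed sample rows standing in for the speeches table behind the
# .asp page; table and column names are assumptions, not the real schema.
SAMPLE_ROWS = [
    (104, "Statement on climate change"),
    (105, "Remarks to the General Assembly"),
    (106, "Message on World Peace Day"),
]

# The two query-string values from the comment, URL-decoded.
BASELINE_ID = "105"
PROBE_ID = "105 OR 1=1"


def make_db():
    """Builds the in-memory table used by every function below."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (statID INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO statements VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def fetch_vulnerable(conn, stat_id):
    """Query text is assembled by concatenation, so the statID value from
    the URL becomes part of the SQL itself; 'OR 1=1' widens the WHERE clause."""
    sql = "SELECT statID, title FROM statements WHERE statID = " + stat_id
    return conn.execute(sql).fetchall()


def fetch_parameterized(conn, stat_id):
    """Parameter binding: the value travels separately from the SQL text and
    is compared as a single value, so it cannot alter the query structure."""
    return conn.execute(
        "SELECT statID, title FROM statements WHERE statID = ?", (stat_id,)
    ).fetchall()


def valid_stat_id(stat_id):
    """Input validation: statID is only ever a non-negative integer."""
    return stat_id.isdigit()


def fetch_validated(conn, stat_id):
    """Validation in front of binding: reject anything that is not an
    integer before the database sees it, then bind the converted value."""
    if not valid_stat_id(stat_id):
        raise ValueError("statID must be an integer")
    return fetch_parameterized(conn, int(stat_id))


def returns_different_record(fetch, baseline_id, probe_id):
    """The comment's check, expressed against a fetch function: does the
    probe value return a record other than the one the baseline returns?"""
    conn = make_db()
    baseline = fetch(conn, baseline_id)
    probe = fetch(conn, probe_id)
    return bool(probe) and probe[0] != baseline[0]


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, baseline :", fetch_vulnerable(conn, BASELINE_ID))
    print("vulnerable, probe    :", fetch_vulnerable(conn, PROBE_ID))
    print("parameterized, probe :", fetch_parameterized(conn, PROBE_ID))
    print("concatenation leaks a different record:",
          returns_different_record(fetch_vulnerable, BASELINE_ID, PROBE_ID))
    print("binding leaks a different record:",
          returns_different_record(fetch_parameterized, BASELINE_ID, PROBE_ID))
```

With concatenation the probe value returns every row, so the first record handed back is 104 rather than 105, which is exactly the symptom the comment describes. With binding the same value is compared as one literal against the integer column and matches nothing; the validated variant refuses it before any query is issued. Either of the last two is the fix; the validation step also gives the application a clean place to log and alert on malformed statID values.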