Slashdot Mirror


Kaspersky Customer Database Exposed

secmartin writes "A hacker has managed to gain access to several databases via a SQL injection vulnerability on Kaspersky's US website. He has posted several screenshots and a list of available tables; judging from the table names, the information available includes data on bugs and user- and reseller accounts. The hacker has indicated that no confidential information will be posted on the Internet, but since a large part of the URLs used was visible in screenshots, it will only be a matter of time before somebody else manages to duplicate this."

2 of 175 comments

  1. Wait just a second here.. by Strep · Score: 0, Troll

    Since when was it supposed to be legal to do this? This hacker should be thrown in the slammer. What the hell is this world coming to when you blame the vendor/sql/whatever-else when a "user" intentionally performs a malicious attack for whatever reason? This guy is a criminal and no better than any of the virus and malware writers out there. Do any of you have a clue as to how much these cyber-criminals actually cost the rest of us? Here's a partial answer: More than I want to pay.

  2. Re:For Gods sake escape those quotes by FlyingGuy · Score: 0, Troll

    How about something even simpler....

    Simply do not accept ANYTHING that does not consist of a..z, A..Z, 0..9!

    Accepting anything other than that is simply stupid.

    You can discourage it on the front end by using a JS onkeyup method and on the back end you just strip them out, or if you detect anything other than those, simply reject the entire form.

    --
    Hey KID! Yeah you, get the fuck off my lawn!
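
The back-end check described in the comment above (accept only a..z, A..Z, 0..9 and reject the whole form otherwise), as an added example that is not part of the original thread; the query also binds the value as a parameter instead of concatenating it. The `resellers` table, the function names and the sample values are constructed for illustration.

```python
import re
import sqlite3

# Allowlist from the comment: ASCII letters and digits only, bounded length.
ALLOWED = re.compile(r"[A-Za-z0-9]{1,64}")


def validate_form(form):
    """Return the names of fields that fail the allowlist (empty list = accept)."""
    return [name for name, value in form.items()
            if not isinstance(value, str) or not ALLOWED.fullmatch(value)]


def find_reseller(conn, form):
    """Reject the whole form on any bad field, then query with a bound parameter."""
    bad = validate_form(form)
    if bad:
        raise ValueError("rejected fields: " + ", ".join(sorted(bad)))
    # The value is bound, never concatenated into the SQL text, so the query
    # stays safe even if the allowlist is later relaxed.
    cur = conn.execute("SELECT id, name FROM resellers WHERE name = ?", (form["name"],))
    return cur.fetchall()


def lookup_bound_only(conn, name):
    """Same query without the allowlist: binding alone keeps input as data."""
    return conn.execute("SELECT id, name FROM resellers WHERE name = ?", (name,)).fetchall()


def demo_db():
    """Constructed in-memory table; the schema is hypothetical, not Kaspersky's."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE resellers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO resellers (name) VALUES (?)", [("acme",), ("O'Brien",)])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(find_reseller(db, {"name": "acme"}))
    for value in ("x' OR '1'='1", "O'Brien"):  # constructed inputs
        try:
            find_reseller(db, {"name": value})
        except ValueError as exc:
            print(repr(value), "->", exc)
    print(lookup_bound_only(db, "x' OR '1'='1"), lookup_bound_only(db, "O'Brien"))
```

The strict allowlist rejects both the quote-bearing test string and the legitimate name `O'Brien`, while the bound-parameter lookup returns no rows for the former and the correct row for the latter.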