NASA: SQL injection by Greek researchers

Two managed to find a security hole in a NASA website (subdomain), which allowed them to perform SQL injection and gain access to the organization's database.

According to Greek researchers, the US space agency was promptly alerted to the security gap, but to date it has not made any correction.

Researchers Dimitris Chatzidimitris and Anastasis Vasileiadhs report at Secnews.gr via email:NASA

“On August 29, we discovered a vulnerability while navigating a Nasa page (https://www.jpl.nasα.gov/which relates to various promotion systems….

Vulnerability is a type SQL injection and the link to this weakness is:

Note Secnews.gr: We do not list the link for obvious reasons but we list some of the which we received by email:

Parameter: catId (GET)
Type: boolean-based blind
Database version: 5.1.61-it

"This particular vulnerability gave us access to the databases of that site"

Researchers report:

"After that we did not proceed to any possible access to the server beyond the bases as we had already confirmed that the page was not secure.

Immediately on August 27 we contacted the contact form on their page and we briefed them in detail to correct their security.

Until today 8 September we did not get any answer on this.

Security researchers:

Dimitris Chatzidimitris
Anastasis Vasileiadhs ”

Here is a screenshot of the database tables. We notice that the tables also include those that record website user data (user names and of access).

See the image below (wp-users, contacts, Member, authors)

_____________________________________

The information remains available to interested parties, both by the researchers themselves and by Secnews.gr.

The update for that are discovered in organizations, is considered highly necessary (especially when they exist on high-traffic websites), and for us at Secnews.gr they are an immediate priority.

We hope that in this way, that is, the immediate exposure of any vulnerability, and not its 'hood,' we are contributing to a safer Internet.

Of course, we have met many companies and organizations, both locally and globally, that instead of working together to resolve a vulnerability, they are moving legal means to persecute the researchers by covering the security gap very carefully with the mat, trying to avoid negative impressions .

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by Dimitris

Dimitris hates on Mondays .....

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).