Security gap on the EFKA website

Two Dimitris Chatzidimitris and Anastasis Vassiliadis they managed to find a security hole in the of the Electronic National Social Security Agency EFKA-(IKA), which allowed them to perform the SQL injection technique and gain access to the organization's database.

According to the Greek investigators, the organization was notified in time for the security gap, but to date, it has not made any repairs.

The vulnerability is SQL injection type and the specific weakness:

Parameter: asf_year (POST)
Type: error-based
Title: Microsoft SQL Server / Sybase OR error-based - WHERE or HAVING clause (IN)

"This vulnerability gave us access to the databases of the Electronic National Social Security Agency EFKA"

"After that we did not proceed below to a possible access to the server beyond the bases since we had already confirmed the weakness in the security of the website."

Here is a screenshot from the database.

Available databases [7]:
[*] EFKA
[*] IKA
[*] IKAFAQ
[*] master
[*] model
[*] msdb
[*] tempdb

We notice that the tables contain sensitive user data such as names and passwords.

| IKA_USERS |
| IKA_USERS_2012 |
| IKA_USERS_FORBIDDEN |
| IKA_USERS_LOG |
| IKA_USERS_LOG_ARCHIVE |
| IKA_USERS_LOG_STATUS |
| IKA_USERS_test |

with contents:

+ —————- +
| IKA_USER_NAMES |
+ —————- +
| !! dies *** |
| “CRESP ***** |
| # 32 + ** |
| # ssm ** |
| $ IKA2 **** |
| * 00336 **** |

The remain at the disposal of those directly interested, from the researchers themselves but also from iGuRu.gr.

The update for that are discovered in organizations, is considered highly necessary (especially when they exist on high-traffic websites and contain sensitive user data), and for us at iGuRu.gr they are an immediate .

We hope that in this way, that is, the immediate exposure of any vulnerability, and not its 'hood,' we are contributing to a safer Internet.

iGuRu.gr The Best Technology Site in Greecefgns

every publication, directly to your inbox

Join the 2.100 registrants.

Written by newsbot

Although the press releases will be from very select to rarely, I said to go ... because sometimes the authors are hiding.

Leave a reply

Your email address is not published. Required fields are mentioned with *

Your message will not be published if:
1. Contains insulting, defamatory, racist, offensive or inappropriate comments.
2. Causes harm to minors.
3. It interferes with the privacy and individual and social rights of other users.
4. Advertises products or services or websites.
5. Contains personal information (address, phone, etc.).