Two Greek researchers, Dimitris Hatzidimitris and Anastasis Vassiliadis managed to find a security loophole on the website of the Electronic National Social Security Agency EFKA- (IKA), which allowed them to perform the SQL injection technique and gain access to the organization's database.
According to the Greek investigators, the organization was notified in time for the security gap, but to date, it has not made any repairs.
Η vulnerability it is of SQL injection type and the specific weakness:
Parameter: asf_year (POST)
Type: error-based
Title: Microsoft SQL Server / Sybase OR error-based - WHERE or HAVING clause (IN)
"This vulnerability gave us access to the databases of the Electronic National Social Security Agency EFKA"
"After that we did not proceed further with a possible access to the server beyond the bases since we had already confirmed the weakness in better safety of the website.”
Here is a screenshot from the database.
Available databases [7]:
[*] EFKA
[*] IKA
[*] IKAFAQ
[*] master
[*] model
[*] msdb
[*] tempdb
We notice that the tables contain sensitive user data such as names and passwords.
| IKA_USERS |
| IKA_USERS_2012 |
| IKA_USERS_FORBIDDEN |
| IKA_USERS_LOG |
| IKA_USERS_LOG_ARCHIVE |
| IKA_USERS_LOG_STATUS |
| IKA_USERS_test |
with contents:
+ —————- +
| IKA_USER_NAMES |
+ —————- +
| !! dies *** |
| “CRESP ***** |
| # 32 + ** |
| # ssm ** |
| $ IKA2 **** |
| * 00336 **** |
The information remains at the disposal of those directly interested, by the researchers themselves but also by iGuRu.gr.
Η information for vulnerabilities that are discovered in organizations, is considered highly necessary (especially when they exist on high-traffic websites and contain sensitive user data), and for us at iGuRu.gr they are an immediate priority.
We hope that in this way, i.e. the direct exposure of each vulnerability and not with its "hood", we contribute to a more safe Internet.
