Monday, August 13, 2007

12 08 2007
United Nations VS SQL Injections
Posted by: Giorgio in Politics, SQL, Security
The United Nations web site [1] has been defaced this morning. (screenshot)
The speeches of the Secretary-General Ban Ki-Moon [2] have been replaced with the following lines:
Hacked By kerem125 M0sted and Gsy
That is CyberProtest
Hey Ýsrail and Usa
dont kill children and other people
Peace for ever
No war
(screenshot)
While most of us may agree with the message, many will object to the spelling, and specifically to the “dont” used instead of “don’t”. There’s a technical reason for the missing apostrophe, though: messing with this very character (’) is part of the technique apparently used by the attackers. As you can easily verify by opening this URL, the site is vulnerable to an attack called SQL Injection. This is a very well known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high profile web site. [3]
If only prepared SQL statements had been used properly, this embarrassing incident would have been easily prevented. And yes, prepared statements are available even in the very obsolete ASP “Classic” + ADODB Microsoft setup they’re using. (screenshot)
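To show concretely why the apostrophe matters and why prepared statements close the hole, here is an added example (mine, not code from the post or from the UN site) using Python and an in-memory SQLite database. The "speeches" table, its columns and the sample rows are all constructed for the demonstration; the two search functions model the same two ways of building a query that any ASP/ADODB page could use.

```python
import sqlite3

# Constructed sample data: a tiny "speeches" table standing in for the kind of
# page the post describes. Hypothetical schema, not the real site's.
SPEECHES = [
    (1, "Remarks to the General Assembly", "public"),
    (2, "Draft statement on peacekeeping", "internal"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE speeches (id INTEGER PRIMARY KEY, title TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO speeches VALUES (?, ?, ?)", SPEECHES)
    conn.commit()
    return conn


def search_vulnerable(conn, title):
    """String concatenation: whatever the user types is parsed as SQL,
    so a single apostrophe terminates the literal early."""
    sql = (
        "SELECT id, title FROM speeches "
        "WHERE visibility = 'public' AND title = '" + title + "'"
    )
    return conn.execute(sql).fetchall()


def search_safe(conn, title):
    """Prepared statement: the query text is fixed and the title travels
    as a bound parameter, never as SQL syntax."""
    sql = "SELECT id, title FROM speeches WHERE visibility = 'public' AND title = ?"
    return conn.execute(sql, (title,)).fetchall()


def demo():
    """Run both versions against the same inputs and collect the outcomes."""
    conn = make_db()
    results = {}

    # 1. An ordinary apostrophe (the post's "don't" problem) breaks the
    #    concatenated query outright; the bound version just finds nothing.
    try:
        search_vulnerable(conn, "Ban Ki-Moon's")
        results["apostrophe_vulnerable"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_vulnerable"] = "syntax error"
    results["apostrophe_safe"] = search_safe(conn, "Ban Ki-Moon's")

    # 2. A legitimate lookup still works with the bound parameter.
    results["normal_safe"] = search_safe(conn, "Remarks to the General Assembly")

    # 3. A quote that closes the literal rewrites the WHERE clause: the
    #    concatenated query ignores the visibility filter and returns the
    #    internal row too, while the prepared statement returns no match.
    crafted = "x' OR '1'='1"
    results["crafted_vulnerable"] = search_vulnerable(conn, crafted)
    results["crafted_safe"] = search_safe(conn, crafted)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The prepared-statement shape is the same in the ASP Classic setup the post mentions: build an ADODB.Command with a fixed CommandText containing ? placeholders and append each value with CreateParameter, instead of pasting request values into the SQL string.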
I will write some other time about prepared statements and database layer security. In the meanwhile, if you’re a planetary organization and you’re planning to cut the budget for the security training of your web developer staff, please dont… er… do not.