By Kelly Jackson Higgins
Jan 12, 2010
Romanian hackers continue to have a field day with SQL injection flaws
in major Website applications: A vulnerability in a U.S. Army Website
that leaves the database wide open to an attacker has now been exposed.
"TinKode," a Romanian hacker who previously found holes in NASA's
Website, has posted a proof-of-concept on his findings on a SQL
injection vulnerability in an Army Website that handles military
housing, Army Housing OneStop. TinKode found a hole that leaves the
site, which has since been taken offline, vulnerable to a vulnerable to
a SQL injection attack. "With this vulnerability I can see/extract all
things from databases," he blogged.
TinKode was able to gain access to more than 75 databases on the server,
according to his research, including potentially confidential Army data.
He also discovered that the housing site was storing weak passwords in
plain text. One password was AHOS, like the site's name.
"Four-character passwords that are the same name as the database table
names are inexcusable," says Robert "RSnake" Hansen, founder of
Did a friend send you this? From now on, be the
first to find out! Subscribe to InfoSec News