By Kelly Jackson Higgins
Aug 23, 2010
Three years after the United Nations' website was defaced by activist
hackers using a SQL injection attack, the site still contains multiple
instances of these vulnerabilities.
Security researcher Robert Graham, CEO of Errata Security, did his
now-annual checkup on the UN site and found that while the UN had
removed the bug that was exploited in the August 2007 attack, the site
is still rife with multiple SQL injection vulnerabilities.
In the 2007 defacement, attackers replaced then-Secretary General Ban
Ki-Moon's speeches with some of their own calling for "peace forever"
and "no war." The attackers exploited a SQL injection bug.
"In what's become a yearly blogpost, the UN still has not fixed the SQL
injection problems that led to their website being hacked back in 2007,"
Graham blogged today. "For example, if you click on 'print this
article', then use that URL instead, the SQL injection still works."
Subscribe to InfoSec News - www.infosecnews.org