Giuliani Web Site Flaw Finally Fixed - Democratic Underground

The Straight Story

(1000+ posts) Send PM | Profile | Ignore

Tue Mar-27-07 12:29 AM
Original message

Giuliani Web Site Flaw Finally Fixed

Giuliani Web Site Flaw Finally Fixed

(CBS/AP) WASHINGTON Rudy Giuliani's presidential campaign has fixed its Web site to remove a dangerous design flaw that could have allowed hackers to expose personal information submitted by volunteers.

The vulnerability affecting JoinRudy2008.com could have exposed confidential information stored in the campaign's databases. The Web site failed to block commands that can instruct it to improperly display sensitive information.

The campaign fixed the Web site hours after The Associated Press notified it about the problem today. It says no personal information was compromised.

http://wcbstv.com/topstories/local_story_085212655.html

Hmmmmm.....

Printer Friendly | Permalink | | Top

GregD

(1000+ posts) Send PM | Profile | Ignore

Tue Mar-27-07 01:00 AM
Response to Original message

1. probably a sql injection vulnerability

Printer Friendly | Permalink | | Top

The Straight Story

(1000+ posts) Send PM | Profile | Ignore

Tue Mar-27-07 01:05 AM
Response to Reply #1

2. You are most likely correct

I do .net/perl development and mssql admin work - soooo many people have not tied up that loose end :)

Printer Friendly | Permalink | | Top

Syrinx

(1000+ posts) Send PM | Profile | Ignore

Tue Mar-27-07 01:21 AM
Response to Reply #1

3. what's that?

I know what SQL is, but what is an "injection vulnerability?"

Printer Friendly | Permalink | | Top

The Straight Story

(1000+ posts) Send PM | Profile | Ignore

Tue Mar-27-07 01:25 AM
Response to Reply #3

4. Easier if I just quote someone else (basically, injecting a query):

1.1 What is SQL Injection?
It is a trick to inject SQL query/command as an input possibly via web pages. Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password. With SQL Injection, it is possible for us to send crafted user name and/or password field that will change the SQL query and thus grant us something else.

1.2 What do you need?
Any web browser.

2.0 What you should look for?
Try to look for pages that allow you to submit data, i.e: login page, search page, feedback, etc. Sometimes, HTML pages use POST command to send parameters to another ASP page. Therefore, you may not see the parameters in the URL. However, you can check the source code of the HTML, and look for "FORM" tag in the HTML code. You may find something like this in some HTML codes:
<FORM action=Search/search.asp method=post>
<input type=hidden name=A value=C>
</FORM>

Everything between the <FORM> and </FORM> have potential parameters that might be useful (exploit wise).

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

Printer Friendly | Permalink | | Top

Syrinx

(1000+ posts) Send PM | Profile | Ignore

Tue Mar-27-07 01:40 AM
Response to Reply #4

5. thanks!

I think I have a vague understanding now. And that is good enough for me. :)

Printer Friendly | Permalink | | Top

DU AdBot (1000+ posts)

Sat May 04th 2024, 04:05 PM
Response to Original message

Advertisements [?]

Top

Powered by DCForum+ Version 1.1 Copyright 1997-2002 DCScripts.com
Software has been extensively modified by the DU administrators

Important Notices: By participating on this discussion board, visitors agree to abide by the rules outlined on our Rules page. Messages posted on the Democratic Underground Discussion Forums are the opinions of the individuals who post them, and do not necessarily represent the opinions of Democratic Underground, LLC.