Another day: YAPES (Yet Another Painful SQL Injection). This time the victim is Symantec Corporation, as Unu reported earlier today on his blog.
Most recently Unu made waves by claiming to have hacked BarackObama.com, a claim disputed by the Democratic National Committee's national press secretary Hari Sevugan.
Looking through the screenshots, Unu's findings look authentic to me. Whether you think the Northwind database is important to Symantec or was just left over from a default database installation, Unu's findings prove again that SQL injection can hit anyone, anywhere, at any time. Taking active measures should be a top priority.
More than ever, injection attacks in general, and SQL injection in particular, are the most serious threat to web applications. Injection is now listed as the #1 risk on the OWASP Top 10 (see OWASP Top 10 Application Security Risks – 2010 RC1 here).
Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.
Protecting online applications and data against sophisticated application-level attacks like SQL Injection and Cross-site Scripting should be everyone's concern. Unu shows (again) how simple it is.
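To make the OWASP definition concrete, here is an added example (my own code, not from Unu's post or from Symantec): the same lookup written once by string concatenation, where untrusted input becomes part of the SQL text, and once with a bound parameter, where the input can only ever be a value. The table and its rows are constructed for the demonstration.

```python
import sqlite3


def _seed() -> sqlite3.Connection:
    """Constructed sample data (not from the post): a tiny in-memory accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO accounts (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_vulnerable(username: str) -> list:
    """Builds the query by concatenation: the input is spliced into the SQL text,
    so the database engine cannot distinguish data from command."""
    conn = _seed()
    sql = "SELECT username FROM accounts WHERE username = '" + username + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(username: str) -> list:
    """Sends a fixed SQL statement and binds the input as a parameter: the engine
    receives the value separately and never parses it as SQL."""
    conn = _seed()
    sql = "SELECT username FROM accounts WHERE username = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username,))]


# A classic tautology string: in the concatenated query it closes the string
# literal and appends a condition that is always true.
TAUTOLOGY = "nobody' OR '1'='1"

if __name__ == "__main__":
    print(lookup_vulnerable("alice"))       # ['alice']
    print(lookup_vulnerable(TAUTOLOGY))     # ['alice', 'bob', 'carol']: WHERE clause rewritten
    print(lookup_parameterized(TAUTOLOGY))  # []: no account has that literal username
```

The fix is not escaping or filtering the input but keeping the query text constant; every database driver in common use offers bound parameters, and an audit for string-built SQL is the quickest way to find the places that still need them.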
