Jon Hickman a user of the Guardian Jobs website says: “I was surprised that this incident has passed with so little comment. Guardian Jobs must have many thousands of members, and this security breach could be effecting them all in a very real way, yet I haven't seen much in the way of a backlash.”
PayChoice, one of America’s largest payroll organizations with 125,000 business customers relying on their payroll services, were the victim of two separate SQL injection attacks in a short period of time. PayChoice have subsequently shut down their online portal all together because of the attacks. The SQL injection vulnerability itself was in the password reset function on one of their login pages. It is quite common for developers to go all out in securing their main login functionality and forgetting all about the “forgot/change password” functionality.
If we take look at the following example:
WHERE email = '1' OR name LIKE '%John%';
The above SQL injection attack acts like a mini search engine, looking for a user in the database with the name field LIKE ‘John’. If the above SQL injection attack was used in a change password function on a login page and the database contained a user called John the website would output a successful message, something along the lines of “Your password has been sent to firstname.lastname@example.org” giving us a valid user and their email address to carry out further injections or other attacks.
SQL injection has been a big headache to many organizations throughout 2009, and will likely still be a headache for the foreseeable future. The countermeasures are out there, use them!
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.