E Hacking News

Ravi Kariya, a Security Analyst at Cyber Octet Pvt. Ltd (facebook.com/cyberoctet), has discovered critical vulnerabilities in the official website (divyadutta.co.in) of the well-known Indian actress Divya Dutta.

There are two SQL injection vulnerabilities in the website. The first is in the Press Clips page (divyadutta.co.in/pressclipdetail.asp?id=7), whose id parameter is handed to the database. An attacker can exploit it to extract the contents of the database.

The second is more critical: it allows an attacker to bypass authentication on the admin login page (divyadutta.co.in/admin/). The login code concatenates the submitted password into its SQL query, so a crafted password alters the query and makes the credential check succeed, letting the attacker log in as admin.
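The report does not show the site's ASP login code, so the following is an added example, not code from divyadutta.co.in: a Python/SQLite simulation of a login that builds its query by string concatenation, placed beside a parameterized version. The table, the user record and the `' OR '1'='1` payload are constructed for the demo; plaintext password storage is kept only to keep the query shape visible.

```python
import sqlite3

# Constructed demo data: one admin row. A real application would store a
# password hash, but the injection works the same way either way.
DEMO_USERNAME = "admin"
DEMO_PASSWORD = "correct-horse-battery"

# Classic auth-bypass payload: closes the password literal, then tacks on a
# condition that is always true.
BYPASS_PASSWORD = "' OR '1'='1"


def make_db():
    """Create an in-memory users table with a single admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USERNAME, DEMO_PASSWORD))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Build the query by concatenation (the pattern behind this class of bug).

    With password = "' OR '1'='1" the SQL becomes
      ... WHERE username = 'admin' AND password = '' OR '1'='1'
    and, because AND binds tighter than OR, every row matches.
    """
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Parameterized query: the password is bound as data, never parsed as SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both login paths against the same payload and return the outcomes."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, DEMO_USERNAME, BYPASS_PASSWORD),
        "safe_with_payload": login_safe(conn, DEMO_USERNAME, BYPASS_PASSWORD),
        "safe_with_real_password": login_safe(conn, DEMO_USERNAME, DEMO_PASSWORD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'logged in as ' + result if result else 'rejected'}")
```

Because the injected OR clause matches every row, the vulnerable path logs the attacker in even when the username field holds an account that does not exist; the parameterized path only succeeds with the genuine password.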

There is also a cross-site scripting vulnerability in the Contact Us page (divyadutta.co.in/contact.asp). Entering the following code in the form fields and clicking Submit executes the injected script:

"><script>alert('My Love For Divya Dutta')</script>
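The leading `">` in that payload closes a quoted HTML attribute, which is why it fires when a form echoes the submitted value back into an input field. The Python below is an added example, not the contact.asp source (which the report does not include): it assumes the page re-rendered the field value inside `value="..."`, shows the unescaped output beside an `html.escape` version, and uses the standard-library HTML parser to check which elements a browser would actually see.

```python
import html
from html.parser import HTMLParser

# The payload reported on the page.
PAYLOAD = "\"><script>alert('My Love For Divya Dutta')</script>"


def render_vulnerable(field_value):
    """Echo the submitted value into an attribute with no encoding.

    Assumed shape of the bug: the real page's markup is not in the report.
    """
    return '<input type="text" name="name" value="' + field_value + '">'


def render_safe(field_value):
    """Same markup, but the value is HTML-escaped (quotes included)."""
    return (
        '<input type="text" name="name" value="'
        + html.escape(field_value, quote=True)
        + '">'
    )


class ElementCollector(HTMLParser):
    """Record every start tag and its attributes as the parser sees them."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def handle_starttag(self, tag, attrs):
        self.elements.append((tag, dict(attrs)))


def parse_elements(markup):
    parser = ElementCollector()
    parser.feed(markup)
    parser.close()
    return parser.elements


def element_tags(markup):
    """Tag names a browser would create from the markup, in order."""
    return [tag for tag, _ in parse_elements(markup)]


def attribute_value(markup, name):
    """Value of the named attribute on the first element, after entity decoding."""
    _, attrs = parse_elements(markup)[0]
    return attrs.get(name)


if __name__ == "__main__":
    print("vulnerable:", element_tags(render_vulnerable(PAYLOAD)))
    print("safe:      ", element_tags(render_safe(PAYLOAD)))
```

In the vulnerable rendering the parser reports a real `script` element after the `input`; in the escaped rendering there is only the `input`, and decoding its `value` attribute gives back the original string, so the user's text is preserved without becoming markup.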

Ravi tried to contact Divya Dutta via email and Twitter, but she has not responded to his report. It seems she does not realize the severity of these flaws: a black-hat hacker could use these vulnerabilities to deface the site.

I think she will respond after some black hats attack the site. What do you think, guys?

*Update*
After E Hacking News published this story, the admin took the Divya Dutta site down. The site now displays the following error message:

"Directory Listing Denied. This Virtual Directory does not allow contents to be listed."

