Application vulnerability exposes public data.

Fortify: 18 April 2008 (Technical Article)
The US State of Oklahoma has been the victim of a SQL injection vulnerability that allowed the personal data of thousands of its residents to be exposed.
Residents of Oklahoma State have reportedly been hit this week with the bad news that tens of thousands of their names, social security numbers and allied data were effectively available on the Web for around three years.

The source of the problem, says Fredrick Lee, a software security researcher with Fortify Software, the application vulnerability specialists, is poor coding on the state's Department of Corrections Web site.

'This is a classic SQL injection vulnerability,' he said, adding that, in this case, the security lapse could easily have been caught with a simple code review.

According to Lee, had some form of automated analysis been part of the release procedure for this Web site, the incident could have been avoided.

'The sad thing is that vulnerabilities like these indicate to attackers that other related applications and organizations are probably vulnerable as well,' he said.

According to newswire reports, anyone with a basic knowledge of SQL programming could interpret the URL and other data returned by the Oklahoma DoC Web site.

Then, simply by amending the long URLs returned by the site, they could retrieve tens of thousands of social security numbers and their allied data from the site.
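The coding pattern Lee describes, as an added example that is not from the article or from Fortify: a record lookup that pastes a URL parameter straight into the SQL text, beside the parameterised version a code review should have asked for, plus the kind of log check that would surface non-numeric id values. The table, the `id` parameter and the log format are assumptions for illustration, and the data is constructed.

```python
import sqlite3
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for a records table; none of these values are real data.
SAMPLE_ROWS = [
    (1, "Record A", "000-00-0001"),
    (2, "Record B", "000-00-0002"),
    (3, "Record C", "000-00-0003"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE records (id INTEGER, name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO records VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def record_id_from(url):
    # Hypothetical "id" query parameter, assumed for illustration.
    return parse_qs(urlparse(url).query).get("id", [""])[0]


def lookup_vulnerable(conn, url):
    # Pastes the raw URL value into the SQL text, so whatever the client puts
    # in the URL becomes part of the statement: the flaw Lee describes.
    sql = "SELECT name, ssn FROM records WHERE id = " + record_id_from(url)
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, url):
    # Validates the type first, then binds the value through a placeholder so
    # the driver treats it as data rather than SQL syntax.
    raw = record_id_from(url)
    if not raw.isdigit():
        return []  # reject anything that is not a plain record number
    sql = "SELECT name, ssn FROM records WHERE id = ?"
    return conn.execute(sql, (int(raw),)).fetchall()


def flag_suspicious_requests(log_lines):
    # Defender-side check over constructed access-log lines of the form
    # "<client> <method> <path> <status>": flag any id that is present but
    # not a plain integer, which is what URL tampering would look like.
    return [ln for ln in log_lines
            if (rid := record_id_from(ln.split()[2])) and not rid.isdigit()]
```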