Update 2:
Researcher discloses SQL Injection flaw on barackobama.com.
Thanks to some detailed research from Dan, who left a link in the comments, and Unu who updated his post with details; there is more to this story than originally written. While President Obama’s site did have some issues, as mentioned on Praetorian Prefect, they’re not catastrophic, and they were recently fixed.
“It is not nearly as headline grabbing as the potential to steal login credentials from Obama donors, but until it was corrected at some point recently, the ability to redirect to any web site from donate.barackobama.com or any of the other sites mentioned above was not a good thing,” the research on Praetorian Prefect noted.
You can follow the link to Praetorian Prefect to read all of their research. If you have been following this situation, it’s a good read.
Unu has added a few more images in his update this morning as well. The link below will lead to it. So for the record, our speculation that the two sites mentioned were on the same server was incorrect. If there is new information, we’ll keep updating, but for now it’s likely safe to call the issue closed.
Update:
Jascha Franklin-Hodge, CTO at Blue State Digital, responded to our earlier questions with the following.
"As we treat all security issues with the utmost seriousness, we have been working closely with Organizing for America to investigate this alleged SQL injection problem. After careful review, we are confident that the screenshot included in this bug does not contain any data from the barackobama.com site or any other site hosted by Blue State Digital, the DNC, or Organizing for America."
"The screenshot, per the "KeyWord" box, appears to be related to a "Roosevelt University Calendar Events," not a site that is hosted by Blue State Digital, nor connected with barackobama.com. Microsoft Access is not used in any capacity on the barackobama.com site or servers."
This statement only adds a little more weight to our earlier assumption. Unu has apparently accessed a database on the same server that is unrelated to President Obama’s site. We’ve asked Blue State Digital to confirm if this is in fact the case.
If so, we asked why an SQLi from President Obama's site allowed access to the Access database.
The answer given was firm, "There is no SQL injection issue on our servers or those hosting/related to the barackobama.com site. We do not run Microsoft Access anywhere in our organization, nor do we (or DNC/OFA) run or host to any calendar at Roosevelt University."
It was suggested that we talk to Unu, who made the allegation in the first place. We've done so, and if we hear back, we'll update this story again.
Original Article:
Unu, the researcher responsible for several site vulnerability disclosures in the past, says there are SQL Injection (SQLi) flaws on barackobama.com. He said these flaws allowed him to access usernames and passwords used on the President's domain. At the same time, the DNC disagrees with him, saying that the information provided is based on incorrect assertions.
According to the blog post by Unu, an unsecured parameter in President Obama’s personal domain leads to the SQL Injection, allowing access to the database on the server. Interestingly enough, the database accessed in his example was a MS Access database. MS Access is a database format often rejected by developers on massive Web projects.
“We have a table admin. And in this table we can see that the admin passwords are in PLAIN TEXT! The website is big, with many sections, and there are 19 admins. What else we need to get full access on the website? Nothing. After we log in as admins, we can virtually do anything we want with the website: upload PHPShells, redirects, infect pages with Trojan droppers, [and even deface the whole website],” Unu wrote.
We emailed Blue State Digital for comments. Blue State Digital is the firm responsible for hosting and design on President Obama’s site. In the past, when sites linked to Obama were vulnerable to attack, due to simple configuration mistakes, they were the ones to deal with the issue. At the time this article goes live, we haven’t heard back on our request for a comment and information. In addition, we’ve also asked Unu for more information. While researching, we spoke to the DNC (Democratic National Committee) about the issues.
In a statement, Hari Sevugan, a DNC spokesperson, said, “We take seriously and look closely at any reported incident. Based on the number of incorrect assertions, we do not think that this information is credible. There has been no security breach.”
Those incorrect assertions were not available for public consumption, as the DNC would not get into details regarding the infrastructure that supports barackobama.com, citing security concerns. This means we were unable to get information about MS Access usage or any of the names listed. The DNC simply will not go into any of the backend operations.
Unu has posted vulnerability details in the past, including flaws on sites owned or operated by Citizens Bank, RBS WorldPay, HSBC, IHT, and several security vendors. He has a good reputation when it comes to the validity of his findings. So the idea that the DNC absolutely refutes them is both expected and a little odd.
While this is pure speculation on our part, perhaps the DNC is correct. It is possible that Unu has in fact accessed the database for a different site entirely that resides on the same server. If this is the case, then he has opened a completely new can of worms.
We’ll keep this article updated as new information comes in.