Unu is at it again, this time pointing out some interesting SQL flaws on INCA Internet, better known as nProtect. nProtect offers anti-Virus, anti-Spyware, game security and unified IT security products all over the world, but mostly in South Korea where they are headquartered. The flaws discovered by Unu allowed not only direct access to the nProtect databases, but the load_file option as well.
Serious SQL flaw exposed on INCA Internet portal.
Mostly SaaS-based, nProtect offers almost 30 million users, “…an Innovational Online PC Security solution for websites to run in the user’s PC without an installation to protect the users from hacking attempts, information theft through Trojans and backdoors, and other threats.”
This came as a shock according to Unu, who wondered how they were protecting others, “when even the creator application is unable to protect its own database.”
The initial probe of the database, seen below, offered a wealth of information on the databases available, as well as something Unu flagged as a serious mistake.
“Not only is the website vulnerable to SQL Injection but it also allows load_file to be executed making it very dangerous because with a little patience, a writable directory can be found and injecting a malicious code we get command line access with which we can do virtually anything we want with the website: upload phpShells, redirects, infect pages with Trojan Droppers, even deface the whole website,” Unu said.
Using Google, Unu discovered that it was possible to log in as an administrator, allowing for more unauthorized control. While other SQL Injection flaws discovered by Unu in the past are serious in their own right, the issues discovered on INCA Internet take the cake. There was really no limit to the amount of data that could be collected, or to the actions available to an attacker who discovered this flaw. According to Unu, millions of passwords and customer records were exposed.
The only plus side is that according to a spokesperson, they fixed the flaws quickly.
“Our entire organization is dealing with the issue on an emergency level and we have immediately taken actions to secure the web page vulnerabilities,” they said in an email sent to The Tech Herald.
However, the email wasn’t a statement. They were asking us to share Unu’s contact information. After the initial decline to send them said information, they offered their reasoning as to why they wanted to contact him.
"We would like to kindly and sincerely request to Unu that the article be taken down…We are responding to the situation with the security of our customer's personal information as the top priority. Therefore, the cooperation of Unu on taking down this issue would be much appreciated. We would like to know Unu's thoughts on our request and hope we may get a reply. Thank you, Steve, for your cooperation and prompt response," the email from nProtect said in part.
In the end Unu said we were free to release his contact details to them, despite the fact that they already had them, as he made contact before his findings were published.
Screen captures detailing the SQL flaws are on Unu’s blog, which is here.