The Tech Herald

SQL Injection discovered on Wall Street Journal (Update)

by Steve Ragan - Dec 4 2009, 19:51


Update 2:

The WSJ has emailed us to report that the vulnerability was corrected. In addition, they are emailing the following to everyone who registered on the CEO Council site.

"We are writing to inform you that there has been a security breach on the Web site for The Wall Street Journal's CEO Council (http://ceocouncil.wsj.com). Rest assured that no credit card or other financial information is stored on the site, so the data that was exposed is limited to contact information only. No financial information is ever kept on the CEO Council site. We wanted to notify you immediately about this situation as a precautionary measure."

"The Web site is hosted by a third party and is not on our internal systems that host the majority of the Journal's Web operations. At this point, we have had the vendor shut down the vulnerable parts of the site. The security and privacy of our members are of utmost importance, and we take it very seriously. You have our assurance that we have taken every measure to correct the problem and prevent it from happening again."

Update: Some interesting technical background on this can be seen over at Praetorian Prefect.

Original Article:

Just four days after disclosing serious issues in INCA Internet’s (nProtect) website, Unu is at it again. This time he is posting details about SQL Injection (SQLi) flaws discovered while poking around on the Wall Street Journal domain, which are just as bad as his discoveries on nProtect.

Unu started his research on the CEO Council section of the WSJ, and found that the Ubuntu server hosting the database allowed the use of load_file, which means an attacker could potentially use this option to serve malware to end users or upload shell scripts for a total compromise of the server.

This option was also discovered when he disclosed the problems on nProtect’s site. Moreover, he discovered the master username for the WSJ database (admin) with a weak password stored in the clear.

Adding to the problems for the WSJ database is the discovery of the user ffi2009uk, which uses the (%) wildcard, meaning that a connection to this account would be allowed from any IP address. The password for the account would pose no problem for an attacker, as it is blank.
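The account-level weaknesses described above (load_file being usable, a % host, a blank password) can be checked for in a MySQL grant table. The following is an added example, not code from this article or from Unu's disclosure: the rows are constructed, the account names and finding labels are hypothetical, and it assumes the older mysql.user layout with Password and File_priv columns.

```python
# Constructed rows shaped like the older mysql.user grant table
# (User, Host, Password, File_priv). Account names are hypothetical.
SAMPLE_ACCOUNTS = [
    {"User": "app_rw", "Host": "localhost", "Password": "*PLACEHOLDER_HASH", "File_priv": "Y"},
    {"User": "legacy_any", "Host": "%", "Password": "", "File_priv": "N"},
    {"User": "report", "Host": "10.0.0.5", "Password": "*PLACEHOLDER_HASH", "File_priv": "N"},
]

# Suggested fix per finding; {acct} is filled with 'user'@'host'.
REMEDIATION = {
    "file-privilege": "REVOKE FILE ON *.* FROM {acct};",
    "wildcard-host": "recreate {acct} with the specific host(s) that need access",
    "blank-password": "set a strong password for {acct} or drop the account",
    "remote-no-auth": "treat {acct} as exposed: lock it and review its activity",
}


def audit_account(row):
    """Return the finding names that apply to one grant-table row."""
    findings = []
    # LOAD_FILE() only works for accounts holding the global FILE privilege.
    if row["File_priv"].upper() == "Y":
        findings.append("file-privilege")
    any_host = row["Host"] == "%"
    no_password = not row["Password"]
    if any_host:
        findings.append("wildcard-host")
    if no_password:
        findings.append("blank-password")
    # Both together: anyone who can reach the port can log in.
    if any_host and no_password:
        findings.append("remote-no-auth")
    return findings


def audit(rows):
    """Map 'user'@'host' to its findings, omitting clean accounts."""
    report = {}
    for row in rows:
        findings = audit_account(row)
        if findings:
            report["'{User}'@'{Host}'".format(**row)] = findings
    return report


if __name__ == "__main__":
    for acct, findings in audit(SAMPLE_ACCOUNTS).items():
        for name in findings:
            print(name + ": " + REMEDIATION[name].format(acct=acct))
```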

Other interesting nuggets of information include the personal information (phone, address, and names) of various press members, as well as CEO Council member names and passwords stored in the clear. The names here, Unu noted, were business CEOs as well as Senators. (The screenshot did not show any information on the elected officials, but just a sample of usernames and passwords.)

We’ve emailed the Wall Street Journal for comment, as well as to check on the status of the SQLi discovery. If they respond we will update this article. According to Unu, they were contacted about the flaws before his post went live, and he is hopeful they have fixed them by now.

The screen captures from the disclosure can be seen here.
