And this time it's not a partner's website

Feb 16, 2009 09:29 GMT  ·  By

The Romanian hacker going by the handle of "unu" has announced a new SQL injection vulnerability affecting the website of Bitdefender antivirus. However, this time around the flaw is on the company's main website and not on one maintained by a reseller.

During the previous week, a Romanian ethical hacking outfit known as HackersBlog kept antivirus vendors on their toes. In a matter of days, hackers associated with the group disclosed SQL injection vulnerabilities affecting the US support site of Kaspersky Labs, the website of a Bitdefender partner in Portugal, and the statistics section of the website belonging to F-Secure.

The hacker who took credit for the proof of concept attacks on Kaspersky and bitdefender.pt has returned with a new hit on news.bitdefender.com. According to "unu" (meaning "one," or "someone" in English), a vulnerable parameter on the Bitdefender news website allows for access to the database.

The post has been published only in Romanian and does not fully document the attack because, according to the hacker, it is meant as a warning to the Bitdefender team rather than a full disclosure. "Thus, knowing that they read us, I will inform them that they have a vulnerable parameter, which this time is not on a website of some partner, but on the company's main website itself," the hacker writes (translated).

"Unu" explains that he has chosen a blog post to reach Bitdefender because he couldn't find a contact e-mail on the website. "It's frustrating and very annoying at the same time that a company of Bitdefender's size does not have a contact e-mail on its website. In the contact section one can send a few lines to the webmaster, for example, which I did. I did not get an answer and the vulnerability persists," he says.

The hacker also points out that the entire news section of the website behaves erratically when subjected to the "trivial" SQL injection test. According to the few published details and the included screenshots, the website is served by Apache 2.0.52 with PHP 4.3.9 on a Red Hat Enterprise Linux 4 machine, with PostgreSQL as the database backend. Those are exactly the versions RHEL 4 ships and backports security fixes to, so the banners alone say nothing about the patch level of the server software; the injection is a flaw in the site's own code, which no web server or PHP update would fix.
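The article does not show the vulnerable code or the exact test, so the following is an added illustration, not code from Bitdefender's site or from the hacker's post. It assumes a hypothetical news page, news.php?id=<n>, that looks a story up in a PostgreSQL table "news" by integer id, and it is written against the PHP 4.3 pgsql extension mentioned in the article (pg_query and pg_escape_string exist there; pg_query_params only appeared in PHP 5.1). The "trivial" test is taken to be appending a single quote to the parameter, which is the usual meaning of that phrase and is an assumption here.

```php
<?php
// Added illustration, not Bitdefender's code. Hypothetical page news.php?id=<n>
// reading from a PostgreSQL table "news" (assumed schema: id integer, title, body).
// Targets the PHP 4.3 pgsql extension: pg_query() / pg_escape_string(), since
// pg_query_params() and pg_prepare() are only available from PHP 5.1 onward.

$db = pg_connect("host=localhost dbname=news user=www");

// 1. The vulnerable pattern: the raw request parameter is concatenated into SQL.
//    The "trivial" test is news.php?id=12'  which yields
//        SELECT title, body FROM news WHERE id = '12''
//    a syntax error, so the page breaks or PostgreSQL's error text leaks into
//    the HTML. Once that is confirmed, a value such as
//        12' UNION SELECT usename, passwd FROM pg_shadow --
//    is passed through to the database verbatim.
function fetch_story_vulnerable($db, $id)
{
    $sql = "SELECT title, body FROM news WHERE id = '" . $id . "'";
    return pg_query($db, $sql);
}

// 2. Hardened form: enforce the parameter's type before it touches SQL.
//    A story id is an integer, so anything else is rejected outright and no
//    quote character can ever reach the query.
function fetch_story_safe($db, $id)
{
    if (!preg_match('/^[0-9]{1,9}$/', $id)) {
        return false;               // not a story id; caller answers 404
    }
    $sql = "SELECT title, body FROM news WHERE id = " . (int) $id;
    return pg_query($db, $sql);
}

// 3. For a parameter that genuinely is free text (a search box), the PHP 4
//    option is to escape it; pg_escape_string() doubles embedded quotes so the
//    value stays inside the string literal.
function fetch_by_keyword_safe($db, $keyword)
{
    $sql = "SELECT title FROM news WHERE title ILIKE '%"
         . pg_escape_string($keyword) . "%'";
    return pg_query($db, $sql);
}

// Never echo pg_last_error() to the browser; log it server-side instead, so a
// failed probe does not hand the attacker the query text and column names.
$id  = isset($_GET['id']) ? $_GET['id'] : '';
$res = fetch_story_safe($db, $id);
if ($res === false) {
    header("HTTP/1.0 404 Not Found");
    exit;
}
$row = pg_fetch_assoc($res);
echo "<h1>" . htmlspecialchars($row['title']) . "</h1>";
```

The type check in fetch_story_safe is the part that matters: escaping is only a fallback for parameters that must remain strings, and on a stack where parameterised queries are available (PHP 5.1 and later) pg_query_params should be used instead of either approach.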

"Full story about a new sql injection in bitdefender.com will be posted soon," reads the beginning of "unu"'s post, but he makes it quite clear that "I will not publish too many [details]. I'm waiting for the problem to be solved [first]."

It will be interesting to see Bitdefender's reaction this time. The company did not assume responsibility for the previous SQL injection vulnerability on bitdefender.pt, pointing out that the website was fully maintained by another company licensed to sell its products in Portugal. Even so, some people have argued that it should have routinely performed security audits of its partner's website, since the site used its name, logo and page layout. Kaspersky and F-Secure have been fairly open about the incidents that affected them and noted that they have learned something from them. Kaspersky Labs even hired a database security expert to review all of its websites.