Softpedia
 

March 28th, 2011, 12:23 GMT

Vulnerabilities Disclosed on Sun Websites

The hackers who disclosed vulnerabilities in MySQL.com also published details about SQL injection flaws in older Sun Microsystems websites.

Sun Microsystems was acquired by Oracle at the beginning of 2010 and its products were integrated into the latter's portfolio.

However, given the sheer size of Sun, many of its web properties still need to be moved under Oracle's brand, and some have been neglected security-wise.

Such is the case of reman.sun.com and ibb.sun.com, two sites dedicated to remanufactured systems and spare parts.

Although some might think that hacking such sites has little value, Romanian hacker TinKode's proof-of-concept attack shows their databases can still contain sensitive information.

In his report, TinKode publishes a list of tables and columns taken from the remandb database, as well as a list of email addresses found inside.

SQL injection is the result of insufficient input validation in forms that interact with databases. By exploiting such vulnerabilities, attackers can gain unauthorized read and write access.

SQL injection is a very dangerous attack vector that can be leveraged in various ways, depending on the attacker's intentions.

For example, it can be used to extract sensitive information about users, such as usernames and passwords. As past incidents have shown, due to password reuse habits, such credentials can allow hackers to also access accounts on other websites.

Another possibility is to inject rogue code into Web pages by modifying database tables that hold information about the site's content. And finally, a successful SQL injection attack can be used as an entry point into an internal network. This was the method used by notorious hacker Albert Gonzalez to hack into payment processors and steal millions of credit card details.
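
The input-handling flaw described above can be shown side by side with its fix. The following is an added example, not code from the article or from the affected sites; the `parts` table, its rows and the function names are constructed for illustration, and SQLite stands in for whatever database a real site uses.

```python
import re
import sqlite3

def make_db():
    """Constructed sample data: a small parts catalogue in an in-memory database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE parts (id INTEGER PRIMARY KEY, sku TEXT, visible INTEGER)")
    db.executemany(
        "INSERT INTO parts (sku, visible) VALUES (?, ?)",
        [("FAN-100", 1), ("PSU-200", 1), ("INTERNAL-900", 0)],
    )
    return db

def find_part_unsafe(db, sku):
    # Vulnerable pattern: the form value is concatenated into the SQL text, so a
    # quote in the input ends the string literal and the rest is parsed as SQL.
    query = "SELECT sku FROM parts WHERE visible = 1 AND sku = '" + sku + "'"
    return [row[0] for row in db.execute(query)]

def find_part_safe(db, sku):
    # Hardened pattern: the value is bound to a placeholder and is only ever
    # compared as data; it cannot change the structure of the statement.
    query = "SELECT sku FROM parts WHERE visible = 1 AND sku = ?"
    return [row[0] for row in db.execute(query, (sku,))]

def is_valid_sku(sku):
    # Allow-list validation as a second layer: accept only the expected shape.
    return re.fullmatch(r"[A-Z]+-[0-9]{1,6}", sku) is not None

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed input containing a quote
    print("unsafe:", find_part_unsafe(db, hostile))  # hidden row is returned too
    print("safe:  ", find_part_safe(db, hostile))    # no row has that literal SKU
    print("valid: ", is_valid_sku(hostile))
```

Parameter binding is the primary control here; the allow-list check rejects malformed input early but does not replace it.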
