SQL injection reveals gaping security holes

Dec 3, 2009 10:59 GMT  ·  By
The Wall Street Journal CEO Council website riddled with security holes

A Romanian grey hat hacker has disclosed a serious SQL injection vulnerability on the Wall Street Journal's CEO Council website. The research outlines serious oversights and poor security practices that can lead to full web server compromise.

The Wall Street Journal (WSJ) is one of the top newspapers in the United States and, since October 2009, it has had the largest circulation in the country, surpassing USA Today. Its primary focus is on business-related news and editorials.

The newspaper's expansion into the World Wide Web, dating back to 1996, has been similarly successful. Its website, wsj.com, is one of the most profitable online news websites in the world, charging subscription fees for access to content.

The vulnerability, discovered by a security enthusiast known online as Unu, affects the ceocouncil.wsj.com website. The Wall Street Journal CEO Council is a working session organized by the newspaper, where over one hundred high-profile CEOs, policy makers and members of the U.S. Congress get together to discuss issues of great importance for the country.

As is the case with all SQL injection attacks, a poorly secured parameter can be exploited to obtain unauthorized access to the underlying database of the website. This alone is a significant security breach, but in the case of this WSJ website, it is even more serious due to other mistakes made by its administrators.

First of all, the load_file function is allowed, which means that if an attacker can find a writable directory and upload a PHP shell, they can execute it and gain complete control of the server. From that point forward, the attack possibilities are virtually endless and the website can be manipulated in any way.

As far as the MySQL database server is concerned, Unu identified a user called "ffi2009uk," who had "%" as the allowed host and no password set. "This means that from any IP we can connect to [the] MySQL server on his account without any password. Unbelievable!!!" he notes.

Furthermore, inside the website's database, the password for the administrative account, as well as those associated with the accounts of CEO Council members, are stored in plain text, which is a highly insecure practice. Additionally, personal information about journalists and media contacts, such as names, addresses, telephone numbers and the organizations they work for, can be accessed through this vulnerability.
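
An administrator can check for the account-level mistakes described above by auditing the rows of `mysql.user`. The following is an added example, not code from Unu's write-up or from the WSJ site; the account names, the placeholder hash and the sample rows are constructed, and the function names are hypothetical.

```python
import csv
import io

PLACEHOLDER_HASH = "*" + "A" * 40  # constructed stand-in for a stored password hash

# Constructed sample, shaped like `mysql --batch` output for:
#   SELECT User, Host, plugin, authentication_string, File_priv FROM mysql.user;
SAMPLE_TSV = "\n".join([
    "User\tHost\tplugin\tauthentication_string\tFile_priv",
    "root\tlocalhost\tauth_socket\t\tY",
    f"webapp\t10.0.5.%\tmysql_native_password\t{PLACEHOLDER_HASH}\tN",
    "legacy_app\t%\tmysql_native_password\t\tY",
    f"report\t%\tmysql_native_password\t{PLACEHOLDER_HASH}\tN",
]) + "\n"

# Plugins that authenticate via the local OS socket, so an empty hash is expected.
SOCKET_PLUGINS = {"auth_socket", "unix_socket"}


def audit_mysql_accounts(tsv_text):
    """Return {"user@host": [findings]} for accounts with risky settings."""
    report = {}
    for row in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        # Older servers keep the hash in a `Password` column instead.
        secret = row.get("authentication_string") or row.get("Password") or ""
        if secret == "NULL":  # --batch prints SQL NULL as the literal text NULL
            secret = ""
        findings = []
        if row["Host"] == "%":
            findings.append("ANY_HOST")        # reachable from every client address
        if not secret and row.get("plugin") not in SOCKET_PLUGINS:
            findings.append("EMPTY_PASSWORD")  # logs in with no credential at all
        if row.get("File_priv") == "Y":
            findings.append("FILE_PRIV")       # may call LOAD_FILE() / INTO OUTFILE
        if findings:
            report[f'{row["User"]}@{row["Host"]}'] = findings
    return report


def critical_accounts(report):
    """Accounts combining the two settings reported for the WSJ server."""
    return sorted(a for a, f in report.items()
                  if {"ANY_HOST", "EMPTY_PASSWORD"} <= set(f))


if __name__ == "__main__":
    result = audit_mysql_accounts(SAMPLE_TSV)
    for account, findings in result.items():
        print(account, ", ".join(findings))
    print("critical:", critical_accounts(result))
```

Any account listed as critical should be given a password and restricted to the application server's address, and the FILE privilege should be revoked from accounts used by web applications.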

According to Unu, he notified the website's administrators about the problems before making them public on his blog. As far as we can tell, the website is currently offline. The Romanian hacker is known for having found similar vulnerabilities in numerous high-profile websites. His previous disclosure involved an SQL injection flaw on a Symantec website, but The International Herald Tribune, The Daily Telegraph and the UK Parliament were also amongst his victims.
