In what's become a yearly blogpost, the UN still has not fixed the SQL injection problems that led to their website being hacked back in 2007.
They have finally fixed the specific bug that led to their website being hacked (maybe because my blogpost last year was Slashdotted), but the site is full of similar SQL injection bugs. For example, if you click on "print this article", then use that URL instead, the SQL injection still works. This is shown in the picture below (using the URL http://www.un.org/apps/news/infocus/sgspeeches/print_full.asp?statID=10'5):
(This example doesn't hack the UN site -- it just shows how the site can be hacked.)
I look forward to next year's post.
Post a Comment