
Monday, February 13, 2012

UN's website still vulnerable after 4 years

More than four years ago, the UN website was hacked via SQL injection. They haven't fixed their problem since then, which I've pointed out over and over and over. This last week, #Anonymous hacked them yet again using the same technique. If, after 4 years, the UN still can't protect their website, it's unlikely that they ever will.

But SQL injection is the easiest of all bugs to fix: simply stop treating data as code (use parameterized queries instead). The difference between the correct way and the wrong way is obvious and impossible to miss. Most hacker attacks are hard to understand and hard to fix, but SQL injection isn't one of those.
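To make the "data as code" distinction concrete, here is an added example (not code from the original post or from the UN site) that puts the wrong way beside the correct way on an in-memory SQLite table; the `statements` table, its columns and the rows are constructed stand-ins for whatever the real site stores behind its `statID` parameter.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny stand-in for the site's article store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE statements (statID INTEGER PRIMARY KEY, title TEXT)")
    db.executemany(
        "INSERT INTO statements VALUES (?, ?)",
        [(10, "Statement ten"), (105, "Statement one hundred five")],
    )
    return db


def lookup_vulnerable(db, stat_id):
    """Wrong way: the request value is spliced into the SQL text, so the
    database parses it as part of the statement. A stray quote in the
    value changes the statement itself (here: a syntax error)."""
    sql = "SELECT title FROM statements WHERE statID = '%s'" % stat_id
    row = db.execute(sql).fetchone()
    return row[0] if row else None


def lookup_parameterized(db, stat_id):
    """Correct way: the SQL text is fixed and the value travels separately,
    so the database only ever treats it as data, quotes included."""
    sql = "SELECT title FROM statements WHERE statID = ?"
    row = db.execute(sql, (stat_id,)).fetchone()
    return row[0] if row else None


def vulnerable_error(db, stat_id):
    """Return the database error text the wrong way leaks for this value,
    or None if the query ran. This is the kind of error a vulnerable page
    shows back to the visitor."""
    try:
        lookup_vulnerable(db, stat_id)
    except sqlite3.Error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    for value in ("10", "10'5"):  # the second is the value from the UN URL
        print(repr(value), "->",
              "vulnerable:", vulnerable_error(db, value) or lookup_vulnerable(db, value),
              "| parameterized:", lookup_parameterized(db, value))
```

With the parameterized query the odd value simply matches nothing; with string concatenation the same value breaks the statement and surfaces a database error, which is exactly the symptom the screenshots in these posts show.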

Monday, August 23, 2010

UN's website still vulnerable after 3 years

In what's become a yearly blogpost, the UN still has not fixed the SQL injection problems that led to their website being hacked back in 2007.

They have finally fixed the specific bug that led to their website being hacked (maybe because my blogpost last year was Slashdotted), but the site is full of similar SQL injection bugs. For example, if you click on "print this article", then use that URL instead, the SQL injection still works. This is shown in the picture below (using the URL http://www.un.org/apps/news/infocus/sgspeeches/print_full.asp?statID=10'5):

(This example doesn't hack the UN site -- it just shows how the site can be hacked.)

I look forward to next year's post.