Page 38 - index
P. 38
Web Injections – When Good Applications Go Bad
By Mike Walls
WordPress is the backbone of one in every six websites on the Internet, over 70 million in all,
including sites for major media companies and commerce worldwide. Its free cloud-based
service enables anyone to easily create a website, and attract over 330 million viewers of 3.4
billion pages each month. Visitors log in to many of these pages with usernames, passwords,
email addresses, credit card numbers, and other sensitive information.
On November 21, a WordPress SP client manager 2.4.1 SQL injection vulnerability was
exposed, subject to exploitation when logged in as an anonymous user. This vulnerability allows
cyber criminals to access usernames and passwords stored in a website’s database. Another
flaw in WordPress Statistics plugin could let adversaries inject JavaScript into the “comments”
field, which could provide further access to a website database. This flaw has existed for years
in versions 3.0 through 3.9.2. Because most WordPress users are focused on their businesses
and not on website security, many may not be aware of the seriousness of these vulnerabilities
if they are aware of them at all.
On October 29, 2014 the Drupal Security Team issued a security advisory related to the popular
open source content management system (CMS) for over a billion websites. The public service
announcement advised their 12 million customers to update their software immediately due to
SQL injection attacks. Drupal’s announcement stated:
“Automated attacks began compromising Drupal 7 websites that were not patched or updated to
Drupal 7.32 within hours of the announcement of a SQL injection vulnerability (SA-CORE-2014-
005). You should proceed under the assumption that every Drupal 7 website was compromised
unless updated or patched before October 15, 11pm UTC.”
The Drupal vulnerability allowed hackers to use SQL injection to breach core code intended to
prevent such attacks, and then take control of a website database. It’s worth noting that once a
web server has been compromised, the patch is rendered ineffective because the adversary
has already exploited the vulnerability which the patch is intended to address, and has likely
established a foothold in the target network.
Injections Affect Millions
This exploit is similar to the one used in the JP Morgan breach, where adversaries stole
sensitive information of 83 million clients. According to media reports, an employee for JP
Morgan’s Corporate Challenge event who had administrative privileges used the same
computer at home and on the company network, and inadvertently compromising the website’s
security certificate as well as exposing participating employee usernames, passwords and email
addresses. Adversaries then gained access to 90 of the bank’s servers using the stolen
credentials exfiltrated from the Corporate Challenge’s compromised website.
Website vulnerabilities are especially alarming because of the plethora of information that is
stored in website back end databases. Every time we input information into a website form, we
rely on the owner of the website to secure our information. Consider the fact that website data
38 Cyber Warnings E-Magazine – January 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
