It is known by many as February 7, 2009 I found a SQL Injection vulnerability in Kaspersky USA . When security sites and databases Kaspersky has been audited by an uber specialist, David Litchfield . But it seems that the story of vulnerabilities continue … This time parameter is vulnerable on a page in Malaysia and in Singapore . The vulnerability affects all databases in Southeast Asia.
“ Kaspersky Lab is a computer security company, co-founded by Natalya Kaspersky and Eugene Kaspersky in 1997, offering anti-virus, anti-spyware, anti-spam, and anti-intrusion products . Kaspersky Lab is a privately held company headquartered in Moscow, Russia with regional offices in Germany, France, the Netherlands, the UK, Poland, Romania, Sweden, Japan, People’s Republic of China, South Korea and the USA.” … can read the wiki about Kaspersky.
So Kaspersky is one of the biggest companies selling Internet Security and antivirus products. Products should be to defend against attacks from outside, against hack against illegal accessing our computer and our data to others. But what expectations we have of a product whose producer is unable to secure, to defend its own database? .. I ask rhetorically.
Vulnerable parameter gives us full access to databases on the server. Databases that contain personal data and logging of user, administrator, activation codes for various licenses, order and shop details, etc .. Compared to Symantec, even here the passwords are stored in encrypted form .. added to Kaspersky. Gloves, however, a HUGE mistake, is that the number of hits in the results page is not restricted, as in the page appear and up to 10,000 results for a single sql query . What makes it easy for a hacker who wants to steal, to save the data.
In the first two picture we have the server version and some of the databases we access the server. First for domain com.my, Malaysia.
And for domain com.sg, in Singapore. Although they are two different domains, databases are identical, being on the same MySQL server. Another big mistake in my opinion. A corporation should Kaspersky size to afford an SQL server and a separate database for each area.
In the third picture we have user, the password for the MySQL server, and host (IP address from which you can log those users). We see another big mistake. Many users have % the host. When you decode the password that we can log on MySQL server from any IP. For example user password phXXXX, * A1F1CB851D62F002C09A0C9C4A76262473432F55, highlighted in red in the print screen is decoded: !QAZ2wsx ( I replaced some point in the username with X’s )
In the following print screen, we can see members personal data : name, address, email and their password in encrypted form.
The penultimate picture, we have the administrator password, just in encrypted form. Password gives us access not only the website but the shop site. Unbelievable how the admins of large sites so important, choose easy passwords . For example av3XXX Admin password in encrypted form is e99a18c428cb38d5f260853678922e03 and decrypted abc123. ( I replaced some point again in the username with X’s ) But another huge mistake, well look how many admins (users with admin rights) have the same password .
And last print screen appear serials, activation codes for various products Kaspersky (KIS, KAV, etc). Their number exceeds 12,900 .
출처 : http://unu123456.baywords.com