Romanian hackers have discovered a security flaw in the website of anti-virus provider BitDefender. They said it was the second time in a week the company has inadvertently exposed a database that is supposed to remain private. According to an item posted to HackersBlog, BitDefender's main website can be tricked into disclosing …
This is why you use a hosting company!!!
This is the main reason why you use a hosting company that will just host your website and nothing else. This way nothing gets lost, and there is no loss of a database full of people's numbers, DOB and such.........
Seems like Bit Defender needs to run their software on their own server.
Glad I don't use BitDefender
Really, if they can't protect themselves from a simple SQL injection attack, how can I trust them to safeguard my data?
If your web page is vulnerable to a SQL injection attack, it doesn't matter where the SQL server is hosted (the web server must still be able to access it). OTOH if you just want a static web server providing plain vanilla HTML, then you may have a point.
The answer to SQL injection is proper validation of all input strings - 'simple' as that.
Preventing SQL injection is not rocket science!
I can't believe that a professional security site has allowed itself to be exploited by this kind of attack. It's a simple matter to validate all input that will be used as part of an SQL query. Here's a couple of very basic, quick and dirty (PHP) examples:
1) Wherever possible, limit parameters passed from the client to numeric index and key references. This then allows you to use the simple regex:
$param = preg_replace("/\D/", "", $_POST['param']); // PHP's PCRE has no "g" modifier (it would raise an "Unknown modifier" warning and return NULL); preg_replace already replaces every match
to remove all non-numeric characters from the parameter before it gets anywhere near your database.
2) When you do need to parse textual parameters, you can either use:
$param = mysql_real_escape_string($_POST['param']); // or run this through the SQL interpreter directly for other languages
or you can manually replace all dangerous non-alphanumeric characters with their HTML entity equivalents:
// Characters to replace. In a double-quoted PHP string "\'" is the two characters \' and would never match a bare quote, so use "'" directly; "\\" is a single backslash.
$sqlinj = array("'", "\"", "(", ")", "=", "\\", "<", ">");
// Their HTML entity equivalents, in the same order; the backslash is simply dropped.
$sqlrep = array("&#39;", "&quot;", "&#40;", "&#41;", "&#61;", "", "&lt;", "&gt;");
$param = str_replace($sqlinj, $sqlrep, $_POST['param']);
While these are not the be-all and end-all, they will stop most attempts at SQL injection in their tracks. Any two-bit programmer worth his diploma can figure this out. There's no excuse for BitDefender to not have implemented at least this basic level of protection!
Uh...These Are **Security Specialist** Corps!!!
God Help Us.
"Here, use this nice cool gasoline to put out your house fire."
AVG is also shit.
I've found Avast AV excellent -- rock solid program and definition updates daily. Other, also better stuff exists as well.
God I swear the next person that says the solution to SQL injection is input validation/sanitation alone I'm going to smack.
Has nobody heard of binding in their SQL anymore?!
It's just a search database; it doesn't seem to do any harm.
I use BitDefender!!
Doesn't really affect me too much as an end user; one more spam mail in the box.
But I will defend the product they supply; I am extremely happy with it.
Oh I just love a secure anti virus site
Damn, I'm glad I use Avast
I'm with Anonymous on this one. Why on earth are web developers letting the presentation layer access data in the database layer at all? That's what stored procedures and parameters are for.
Nice snippets. Often easier (and cheaper on resources) than using preg_replace to strip non-numerics is to just cast the input as an integer;
$numeric_param = (isset($_GET['myparam']))? (integer)$_GET['myparam']: 0;
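As an added example (not posted by anyone in this thread), here is the same news lookup written three ways in PHP, to put the earlier snippets side by side with the bound-parameter approach the later comments call for: the string-concatenated query, the integer-cast version from the comment above, and a PDO prepared statement with bound values. The table name `news`, its columns, the DSN and the credentials are placeholders assumed for illustration.

```php
<?php
// Added example, not code from the thread or from BitDefender's site.
// Assumes a MySQL table news(id INT, title VARCHAR, body TEXT) and the
// placeholder connection constants below.

declare(strict_types=1);

const DSN  = 'mysql:host=localhost;dbname=example;charset=utf8mb4';
const USER = 'app_user';   // placeholder credential
const PASS = 'change-me';  // placeholder credential

function connect(): PDO
{
    return new PDO(DSN, USER, PASS, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements, not client-side emulation,
        // so bound values are never spliced into the SQL text at all.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// 1) Vulnerable: request input concatenated straight into the SQL string.
//    Anything the client sends becomes part of the query's syntax.
function fetchNewsVulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT id, title, body FROM news WHERE id = $id";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) The thread's suggestion: cast to int so only a number can reach the query.
//    Fine for numeric keys, but it cannot help with free-text parameters.
function fetchNewsCast(PDO $pdo, string $id): array
{
    $idInt = (int) $id;   // "12abc" becomes 12, "abc" becomes 0
    $sql = "SELECT id, title, body FROM news WHERE id = $idInt";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 3) Bound parameters: the SQL text is fixed when prepared and the value is
//    sent separately, so it is treated as data whatever characters it holds.
function fetchNewsBound(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare('SELECT id, title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Binding works just as well for textual parameters, which is where the
// escaping approaches above become fragile. LIKE wildcards are still data,
// so they are escaped separately from the SQL-level binding.
function searchNewsBound(PDO $pdo, string $term): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $pdo->prepare('SELECT id, title FROM news WHERE title LIKE :pat');
    $stmt->bindValue(':pat', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
print_r(fetchNewsBound($pdo, $_GET['id'] ?? ''));
print_r(searchNewsBound($pdo, $_GET['q'] ?? ''));
```

The cast in (2) and the escaping snippets earlier in the thread each defend one parameter type; the prepared statement in (3) covers numeric and textual input alike because the database never parses the bound value as SQL. Keeping `PDO::ATTR_EMULATE_PREPARES` off matters: with emulation on, PDO builds the quoted query string client-side, which reintroduces a dependence on the connection's character-set handling.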
Why this stuff happens ...
I know people who have started jobs as web developers amazed at the level of incompetence shown by the previous developers ... only to be forced to produce equally low quality code.
Each new project they are told to get the site up and running as fast as possible and not to worry about testing, documentation, security .... once the project is completed they will be given a chance to go back and clean up and properly document the code.
HackersBlog says that it is the News Section, no private data!
It seems that no private data was exposed; it's just about the news and virus description section, as you can see in the screenshot. I think they made an update saying that "The parameter is in their news section and it has a strange behaviour if you test it with the all too common by now, SQL Injection". I think the only thing they can do there is to download all the news and virus descriptions together :)
So why is there a title that says "Hackers: BitDefender site exposes private data (yet again)", if there isn't any private data?