Hackers: BitDefender site exposes private data (yet again)

Romanian hackers have discovered a security flaw in the website of anti-virus provider BitDefender. They said it was the second time in a week the company has inadvertently exposed a database that is supposed to remain private. According to an item posted to HackersBlog, BitDefender's main website can be tricked into …

COMMENTS

This topic is closed for new posts.
  1. Inachu
    IT Angle

    This is why you use a hosting company!!!

    This is the main reason why you use a hosting company that will just host your website and nothing else. This way nothing gets lost, and there is no loss of a database full of people's numbers, DOBs and such.

    Seems like Bit Defender needs to run their software on their own server.

  2. David Eddleman

    Glad I don't use BitDefender

    Really, if they can't protect themselves from a simple SQL injection attack, how can I trust them to safeguard my data?

  3. Chris Miller

    @Inachu

    If your web page is vulnerable to a SQL injection attack, it doesn't matter where the SQL server is hosted (the web server must still be able to access it). OTOH if you just want a static web server providing plain vanilla HTML, then you may have a point.

    The answer to SQL injection is proper validation of all input strings - 'simple' as that.

  4. Steve Roper
    Boffin

    Preventing SQL injection is not rocket science!

    I can't believe that a professional security site has allowed itself to be exploited by this kind of attack. It's a simple matter to validate all input that will be used as part of an SQL query. Here are a couple of very basic, quick and dirty (PHP) examples:

    1) Wherever possible, limit parameters passed from the client to numeric index and key references. This then allows you to use the simple regex:

    $param = preg_replace("/\D/", "", $_POST['param']); // strips every non-digit; PHP's PCRE has no 'g' modifier, preg_replace already replaces all matches

    to remove all non-numeric characters from the parameter before it gets anywhere near your database.

    2) When you do need to parse textual parameters, you can either use:

    $param = mysql_real_escape_string($_POST['param']); // or run this through the SQL interpreter directly for other languages
    // note: the mysql_* extension was removed in PHP 7; the equivalent call is mysqli_real_escape_string($link, $_POST['param'])

    or you can manually replace all dangerous non-alphanumeric characters with their HTML entity equivalents:

    // characters to neutralise ("'" rather than "\'": in a double-quoted PHP string "\'" is a literal backslash plus quote and would never match a bare quote)
    $sqlinj = array("'", "\"", "(", ")", "=", "\\", "<", ">");
    // their replacements; the backslash is dropped outright rather than entity-encoded
    $sqlrep = array("&#39;", "&#34;", "&#40;", "&#41;", "&#61;", "", "&lt;", "&gt;");

    $param = str_replace($sqlinj, $sqlrep, $_POST['param']);

    While these are not the be-all and end-all, they will stop most attempts at SQL injection in their tracks. Any two-bit programmer worth his diploma can figure this out. There's no excuse for BitDefender to not have implemented at least this basic level of protection!

  5. David Kairns

    Uh...These Are **Security Specialist** Corps!!!

    God Help Us.

    "Here, use this nice cool gasoline to put out your house fire."

    AVG is also shit.

    I've found Avast AV excellent -- rock solid program and definition updates daily. Other, also better stuff exists as well.

  6. Anonymous Coward
    Unhappy

    @Chris Miller

    God I swear the next person that says the solution to SQL injection is input validation/sanitation alone I'm going to smack.

    Has nobody heard of binding in their SQL anymore?!
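The argument running through comments 4 and 6 (strip or escape the input versus bind it as a parameter) is easier to see run than to read. What follows is an added example, not code from the article, from HackersBlog or from any of the commenters. It uses Python's sqlite3 module and a constructed three-row news table (two rows deliberately unpublished) so it runs offline; the two payloads are likewise constructed for the demonstration, and all function names are this example's own.

```python
import re
import sqlite3


def make_db():
    # Constructed sample table standing in for a site's news/virus-description
    # section: only one of the three rows is meant to be visible to the public.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [(1, "Public advisory", 1), (2, "Draft advisory", 0), (3, "Internal note", 0)],
    )
    return conn


def escape_quotes(s):
    # The escaping approach from comment 4: doubling a single quote is the
    # standard way to keep it inside a quoted SQL string literal.
    return s.replace("'", "''")


def by_id_concat(conn, news_id):
    # Vulnerable: the request value is pasted into the SQL text. The parameter
    # is unquoted, so a payload with no quote in it sails past quote-escaping.
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = " + str(news_id)
    return conn.execute(sql).fetchall()


def by_title_concat(conn, term):
    # Vulnerable: quoted string context. Escaping helps here, but only when it
    # is applied on every single path, which is exactly what gets forgotten.
    sql = "SELECT id, title FROM news WHERE published = 1 AND title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def by_id_bound(conn, news_id):
    # Bound parameter (comment 6): the value travels separately from the SQL
    # text and is never parsed as SQL, whatever it contains.
    sql = "SELECT id, title FROM news WHERE published = 1 AND id = ?"
    return conn.execute(sql, (news_id,)).fetchall()


def by_title_bound(conn, term):
    sql = "SELECT id, title FROM news WHERE published = 1 AND title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


def parse_id(raw):
    # Allow-list validation for the numeric case (comment 4, point 1): accept
    # only a short run of decimal digits, and reject anything else instead of
    # silently stripping it, so tampering surfaces as an error.
    if not re.fullmatch(r"\d{1,9}", raw):
        raise ValueError("id must be a decimal integer")
    return int(raw)


NUMERIC_PAYLOAD = "1 OR 1=1"    # constructed: no quote character at all
TEXT_PAYLOAD = "' OR 1=1 --"    # constructed: closes the literal, comments out the rest


def demo():
    conn = make_db()
    return {
        "concat_numeric": by_id_concat(conn, NUMERIC_PAYLOAD),
        "concat_numeric_escaped": by_id_concat(conn, escape_quotes(NUMERIC_PAYLOAD)),
        "concat_text": by_title_concat(conn, TEXT_PAYLOAD),
        "concat_text_escaped": by_title_concat(conn, escape_quotes(TEXT_PAYLOAD)),
        "bound_numeric": by_id_bound(conn, NUMERIC_PAYLOAD),
        "bound_text": by_title_bound(conn, TEXT_PAYLOAD),
        "bound_numeric_valid": by_id_bound(conn, parse_id("1")),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:24s} -> {rows}")
```

Run as a script it prints what each variant returns: both concatenated queries hand back all three rows, including the two unpublished ones, and quote-escaping only fixes the text case, because the numeric payload has no quote to escape. The bound versions return nothing for either payload and the correct single row for a valid id. The allow-list also rejects "12abc" outright, whereas a PHP (integer) cast of the same string yields 12 and a digit-stripping regex turns "1 OR 1=1" into 111, both safe against injection but both hiding that the request was tampered with.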

  7. Andrew Clerk

    Search database...

    It's just a search database; it doesn't seem to do any harm.

  8. Lionel Baden
    Unhappy

    umm

    I use BitDefender!!

    Doesn't really affect me too much as an end user; one more spam mail in the box.

    But I will defend the product they supply. I am extremely happy with it.

  9. Deadly_NZ
    Gates Horns

    Oh I just love a secure anti virus site

    Damn, I'm glad I use Avast.

  10. Adam Silver badge

    Input parsing

    I'm with Anonymous on this one. Why on earth are web developers letting the presentation layer access data in the database layer at all? That's what stored procedures and parameters are for.

  11. Anonymous Coward
    Anonymous Coward

    @Steve Roper

    Nice snippets. Often easier (and cheaper on resources) than using preg_replace to strip non-numerics is to just cast the input as an integer;

    $numeric_param = (isset($_GET['myparam']))? (integer)$_GET['myparam']: 0;

  12. David Wilkinson
    Unhappy

    Why this stuff happens ...

    I know people who have started jobs as web developers amazed at the level of incompetence shown by the previous developers ... only to be forced to produce equally low quality code.

    Each new project they are told to get the site up and running as fast as possible and not to worry about testing, documentation, security .... once the project is completed they will be given a chance to go back and clean up and properly document the code.

  13. Anonymous Coward
    Alert

    HackersBlog says that it is the News Section, no private data!

    It seems that no private data was exposed; it's just about the news, virus description section, as you see in the screenshot. I think they made an update saying that "The parameter is in their news section and it has a strange behaviour if you test it with the all too common by now, SQL Injection". I think the only thing they can do there is to download all the news and virus descriptions together :)

    So why is there a title that says "Hackers: BitDefender site exposes private data (yet again)", if there isn't any private data?
