Once again, a hacker working under the pseudonym TinKode has found a classic vulnerability, SQL injection [1], on a web server in the nasa.gov domain (aerocenter.gsfc.nasa.gov); web security at the U.S. National Aeronautics and Space Administration is evidently in poor shape. The researcher's screenshot of the vulnerable script:
That is, a textbook SQL injection. Worse, the database is trivial to compromise, since all the data of interest can be retrieved in a single HTTP request:
From TinKode's examples one can see that the database also stores personal data (of astronauts, or of mere mortals?):
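The root cause described above, as an added example that is not part of the original post: the same record lookup written once with the request parameter spliced into the query text (the pattern a classic SQL injection abuses) and once with a bound parameter, which the database engine never interprets as SQL. The table, its columns and the rows are constructed for this demonstration; the server's real schema is not known beyond the column names listed in the post.

```python
"""Vulnerable string-built query beside its parameterised counterpart.
Added example; the table and rows are constructed, not taken from the page."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory table with a few constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (id INTEGER, username TEXT, userpassword TEXT)")
    conn.executemany(
        "INSERT INTO user VALUES (?, ?, ?)",
        [(1, "alice", "hash-a"), (2, "bob", "hash-b"), (3, "carol", "hash-c")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user_id: str) -> list:
    """Vulnerable: whatever arrives in the request becomes part of the SQL text,
    so a value like '0 OR 1=1' turns a one-row lookup into a full table dump."""
    query = f"SELECT username FROM user WHERE id = {user_id}"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, user_id: str) -> list:
    """Hardened: validate the type first, then bind the value as a parameter.
    The driver sends it as data, never as SQL, so the query shape is fixed."""
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    rows = conn.execute("SELECT username FROM user WHERE id = ?", (int(user_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "2"))
    print("vulnerable, crafted input:", lookup_vulnerable(db, "0 OR 1=1"))
    print("safe, normal input       :", lookup_safe(db, "2"))
    try:
        lookup_safe(db, "0 OR 1=1")
    except ValueError as exc:
        print("safe, crafted input      : rejected,", exc)
```

The input validation is a defence in depth, not the fix: the bound parameter alone already prevents the injection, and the same rule applies to every database driver, not only sqlite3.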
...
[3] user
[4] actualname
[5] firstname
[6] lastname
[7] username
[8] userpassword
...
[11] email
[12] phone
...
[25] cal_lastname
[26] cal_firstname
[27] cal_middlename
[28] cal_email
...
[34] country
...
[113] cal_login
[114] cal_passwd
...
Note that the administrators do not store passwords in plain text but as MD5 hashes (so somebody is doing at least some information-security work...):
However, in TinKode's words, "... and they can be easily cracked." ;))
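Why an unsalted MD5 hash offers so little protection once the table is dumped, and what the alternative looks like, as an added example that is not part of the original post: an unsalted, single-round MD5 digest is recovered by a plain dictionary lookup that works for every user at once, whereas a salted, iterated PBKDF2 hash (shown here with Python's standard `hashlib.pbkdf2_hmac`) forces one expensive computation per guess per user. The password list and the passwords themselves are constructed for this demonstration; nothing here is taken from the compromised database.

```python
"""Unsalted MD5 password storage beside a salted, iterated PBKDF2 scheme.
Added example; the word list and passwords are constructed, not from the page."""
import hashlib
import hmac
import os

# Constructed stand-in for a weak-password list used in a password audit.
WEAK_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def md5_hash(password: str) -> str:
    """How the dumped table stores passwords: one unsalted MD5 per user."""
    return hashlib.md5(password.encode()).hexdigest()


def audit_md5(digest: str, wordlist=WEAK_PASSWORDS):
    """Flag a stored MD5 digest that equals the hash of a known weak password.
    No salt means one precomputed hash per word covers every user in the table."""
    for word in wordlist:
        if hmac.compare_digest(md5_hash(word), digest):
            return word
    return None


def pbkdf2_store(password: str, iterations: int = 200_000) -> str:
    """Store a password with a random per-user salt and a high iteration count."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    stored_md5 = md5_hash("letmein")
    print("MD5 digest:", stored_md5, "-> weak password found:", audit_md5(stored_md5))
    # Two users with the same password get different PBKDF2 records.
    rec_a, rec_b = pbkdf2_store("letmein"), pbkdf2_store("letmein")
    print("PBKDF2 records differ:", rec_a != rec_b)
    print("verify correct password:", pbkdf2_verify("letmein", rec_a))
    print("verify wrong password  :", pbkdf2_verify("password", rec_a))
```

The salt defeats the shared lookup table, and the iteration count sets the cost of every guess; a purpose-built password hash such as bcrypt, scrypt or Argon2 does the same job, and PBKDF2 is used here only because it needs no third-party package.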