Re: [WEB SECURITY] CardSystems was a Web Application Hack
- From: Argeniss <lists@xxxxxxxxxxxx>
- Subject: Re: [WEB SECURITY] CardSystems was a Web Application Hack
- Date: Tue, 18 Apr 2006 14:25:58 -0300
What I have heard (from a trusted source) is that a SQL Injection
vulnerability was exploited; the attacker created a Job in the database
server that pulled out new records every 4 (?) days. This is a very easy
attack, since most database servers allow scheduling of actions as Jobs.
We have developed similar and new attacks that allow stealing complete
databases from the Internet; I hope we will be presenting this at the next
Black Hat :)
Cesar.
Jeremiah Grossman escribió:
> Most are already familiar with the infamous CardSystem incident where
> hackers stole 263,000 credit card numbers and exposed 40 million more.
> What remained a mystery is how exactly the hack occurred since what we
> knew was mostly scattered rumors and theories.
>
> Bill Pennington pointed me to a new article in Information Security
> magazine (April 2006) describing some new details.
>
> Security Survivor All-Stars
> http://informationsecurity.techtarget.com/magLogin/1,291245,sid42_gci1175858,00.html
>
>
> *Unfortunately I've not been able to find an online version that doesn't
> require a subscription.
>
> "In September 2004, hackers dropped a malicious script on the
> CardSystems application platform, injecting it via the Web application
> that customers use to access account information. The script, programmed
> to run every four days, extracted records, zipped them and exported them
> to an FTP site."
>
> This reads to me like it was a web application hack, but it's difficult
> to derive what class of attack. If I had to guess, it probably was
> an OS Commanding issue in order to write executable code onto the
> file-system.
>
> Regards,
>
> Jeremiah-
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/
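The pattern both messages describe (a scheduled database job, created through the application's database login, whose steps shell out and push data to an FTP site) is something a DBA can audit for from the job catalog. The following is an added example, not code from the thread or from either poster: it assumes the job scheduler is SQL Server Agent, reads job metadata in the shape of the `msdb.dbo.sysjobs` / `sysjobsteps` catalog views, and reviews it with a few defender-side heuristics. The sample rows, login names and job names are constructed for the example.

```python
"""
Added example: review SQL Server Agent job metadata for the scheduled
exfiltration pattern discussed in the thread. Input rows are constructed
here; in practice they come from the query in JOB_INVENTORY_SQL.
"""
import re
from datetime import datetime, timedelta

# Column names follow msdb's own catalog views; the joined row shape used
# below is an assumption made for this example.
JOB_INVENTORY_SQL = """
SELECT j.name, j.date_created, SUSER_SNAME(j.owner_sid) AS owner_login,
       s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
"""

# Logins used by web/application tiers; they should never own Agent jobs.
# (Assumed names for this example.)
APP_LOGINS = {"webapp_user", "cardsys_app"}

# Commands that reach outside the database engine or move data off-box.
EXFIL_PATTERNS = re.compile(
    r"xp_cmdshell|\bftp\b|\bbcp\b|OPENROWSET|\bzip\b|sp_OACreate",
    re.IGNORECASE,
)


def review_jobs(rows, now, new_window_days=30):
    """Group catalog rows by job and return {job_name: [reasons]} for every
    job that matches at least one heuristic. Recency alone never flags a
    job; it is only appended as context to an already suspicious one."""
    jobs = {}
    for r in rows:
        jobs.setdefault(r["name"], []).append(r)

    findings = {}
    for name, steps in jobs.items():
        reasons = []
        head = steps[0]
        if head["owner_login"] in APP_LOGINS:
            reasons.append(f"owned by application login {head['owner_login']}")
        for s in steps:
            if s["subsystem"].upper() == "CMDEXEC":
                reasons.append(f"step {s['step_id']} shells out via CmdExec")
            if EXFIL_PATTERNS.search(s["command"]):
                reasons.append(f"step {s['step_id']} can move data off the server")
        if reasons and now - head["date_created"] <= timedelta(days=new_window_days):
            reasons.append(f"created within the last {new_window_days} days")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed sample: one legitimate backup job and one job resembling the
# thread's description (app-owned, pulls recent records, ships them by FTP).
NOW = datetime(2006, 4, 18)
SAMPLE_ROWS = [
    {"name": "nightly_backup", "date_created": datetime(2005, 3, 1),
     "owner_login": "sa", "step_id": 1, "subsystem": "TSQL",
     "command": "BACKUP DATABASE Cards TO DISK = 'D:\\backup\\cards.bak'"},
    {"name": "sys_maint", "date_created": datetime(2006, 4, 10),
     "owner_login": "webapp_user", "step_id": 1, "subsystem": "TSQL",
     "command": "SELECT * INTO export_tmp FROM Transactions "
                "WHERE tx_date > DATEADD(day, -4, GETDATE())"},
    {"name": "sys_maint", "date_created": datetime(2006, 4, 10),
     "owner_login": "webapp_user", "step_id": 2, "subsystem": "CmdExec",
     "command": "ftp -s:C:\\export\\upload.txt"},
]

if __name__ == "__main__":
    for job, reasons in review_jobs(SAMPLE_ROWS, NOW).items():
        print(job)
        for why in reasons:
            print("  -", why)
```

Run as a scheduled check, the useful signal is the diff between runs: a job that was not in yesterday's inventory and is owned by the application's login is exactly the artifact the article describes, and the job catalog survives even when the application logs do not.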
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
Brought to you by http://www.webappsec.org