Oklahoma sets up a <sex offender violent offender site>. Right off the bat you can see the site is still managed by numskulls. On their front page 'Notice to public:' has a broken non-breaking-space HTML tag hanging out.
Apparently until several people stressed the problem and severity, the site sent and accepted SQL queries with no sanitation through web requests. This allowed anyone with minimal SQL knowledge to retrieve social security numbers and other personal information of tens of thousands of people on this registry.
<The Daily WTF>
(contains some examples as well as details)
Find sites with similarly poor design with a crafted Google search:
<Google Search Example>
Tuesday, April 15, 2008
SQL Exploit by Recent Example
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment