You are viewing a read-only archive of the Blogs.Harvard network.

RIAA webserver compromised

The following URL was found on a popular aggregation site:

http://riaa.com/news_room.php?resultpage=9&news_year_filter=2007%20UNION%20ALL%20SELECT%20BENCHMARK(100000000,MD5('asdf')),NULL,NULL,NULL,NULL%20--

Broken down into its component pieces, the SQL injected through the URL parameter is easier to read:

UNION ALL SELECT
BENCHMARK(100000000,MD5('asdf'))
,NULL,NULL,NULL,NULL --

We can see that the URL parameters contain a MySQL function call to benchmark 10M MD5 operations on the string 'asdf'. This very clear and simple vector allowed others to achieve content insertion and even, possibly, deletion. What is worse, a malicious person could easily have planted an iframe in the content to infect every visitor to the RIAA website. They are clearly not conducting code reviews on the RIAA website, since this type of SQL injection would be noticed by even the most novice of auditors. The content management system (CMS) used was known to be vulnerable, so patches were likely available.
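An added example (not from the original post, and not the CMS's own code) showing both sides of what the post describes: a small detector that flags the UNION ... SELECT and BENCHMARK( shapes in the posted URL's query string, the kind of check a log reviewer or auditor would run over request logs, and a toy news query built with string interpolation beside the parameter-bound version that treats the same input as plain data. The `news` table and its columns, the rule names, and the SQLite substitute payload (SQLite has no BENCHMARK, so the injected SELECT returns a literal row instead of burning CPU) are assumptions constructed for the example; the `POSTED_URL` constant is the URL quoted above.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlparse

# The injection URL quoted in the post (page data, not constructed here).
POSTED_URL = (
    "http://riaa.com/news_room.php?resultpage=9&news_year_filter="
    "2007%20UNION%20ALL%20SELECT%20BENCHMARK(100000000,MD5('asdf')),"
    "NULL,NULL,NULL,NULL%20--"
)

# Log-review rules (assumed, not the CMS's own): the shapes present in the
# posted URL plus the SLEEP() variant of the same time-based probe.
RULES = [
    ("union-select", re.compile(r"\bUNION\b\s+(?:ALL\s+)?SELECT\b", re.I)),
    ("benchmark", re.compile(r"\bBENCHMARK\s*\(", re.I)),
    ("sleep", re.compile(r"\bSLEEP\s*\(", re.I)),
]


def suspicious_params(url: str) -> dict:
    """Map each query parameter that trips a rule to the list of rule names.

    parse_qs percent-decodes the values, so the rules see the SQL as the
    database would, not the %20-encoded form in the raw log line.
    """
    hits = {}
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    for name, values in query.items():
        for value in values:
            matched = [rule for rule, rx in RULES if rx.search(value)]
            if matched:
                hits.setdefault(name, []).extend(matched)
    return hits


COLUMNS = "id, title, body, year, url"

# SQLite stand-in for the payload: same UNION shape and column count as the
# posted URL, with a literal in place of BENCHMARK(). Constructed for the demo.
INJECTED_FILTER = "2007 UNION ALL SELECT 'injected row',NULL,NULL,NULL,NULL --"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the CMS news table (sample rows)."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE news (id INTEGER, title TEXT, body TEXT, year INTEGER, url TEXT)"
    )
    con.executemany(
        "INSERT INTO news VALUES (?, ?, ?, ?, ?)",
        [(1, "Press release A", "...", 2007, "/a"),
         (2, "Press release B", "...", 2006, "/b")],
    )
    return con


def news_for_year_vulnerable(con: sqlite3.Connection, year_filter: str) -> list:
    """Interpolates the parameter into the SQL text, so a UNION in the value
    becomes part of the statement (the defect the post describes)."""
    sql = f"SELECT {COLUMNS} FROM news WHERE year = {year_filter}"
    return con.execute(sql).fetchall()


def news_for_year_safe(con: sqlite3.Connection, year_filter: str) -> list:
    """Validates the value as a four-digit year and binds it as a parameter,
    so the same UNION text can only ever be compared against the year column
    as data and is rejected before the query runs."""
    if not re.fullmatch(r"\d{4}", year_filter):
        return []
    sql = f"SELECT {COLUMNS} FROM news WHERE year = ?"
    return con.execute(sql, (int(year_filter),)).fetchall()


if __name__ == "__main__":
    print("flagged parameters:", suspicious_params(POSTED_URL))
    db = make_db()
    print("vulnerable:", news_for_year_vulnerable(db, INJECTED_FILTER))
    print("safe:      ", news_for_year_safe(db, INJECTED_FILTER))
```

Running it shows the detector flagging only `news_year_filter`, the interpolated query returning the legitimate 2007 row plus the attacker-chosen row, and the bound version returning nothing for the same input while still answering a plain `2007` correctly.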
