A critical security vulnerability was found on the website of the Registry of Public Websites and Applications, which belongs to the Ministry of Digital Government and has 585 registered websites and 36 registered applications.
Two Greek researchers, Dimitris Hatzidimitris and Anastasis Vassiliadis, identified a security vulnerability on the website of the Ministry of Digital Government, more specifically in the Register of Public Websites and Applications, which allowed them to perform an SQL injection attack and gain access to part of the organization's database.
According to the Greek researchers, the organization was notified of the security gap in time, but to date it has not made any repairs.
The vulnerability is of the SQL injection type, with the following characteristics:
- Parameter: orgID (GET)
- Type: time-based blind
- Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
"This vulnerability gave us access to the database of the Register of Public Websites and Applications. After that, we did not proceed further with possible access to the server beyond the database, since we had already confirmed the weakness in the website's security", the researchers state.
Here is a screenshot from the database.
We notice that the tables contain sensitive user data, such as names and passwords, with contents such as:
The exact details and the weakness used by the researchers remain at the disposal of those directly concerned, from the researchers themselves and also from SecNews. We do not disclose the exact extent of the flaw so that it is not exploited by malicious users or attacking hackers from third countries.
Information about vulnerabilities discovered in organizations is considered extremely necessary (especially when they concern high-traffic websites that hold sensitive user data), and for us at SecNews it is an immediate priority.
We hope that in this way, that is, by immediately exposing any vulnerability rather than concealing it, we are contributing to a safer Internet.
Register of Public Websites & Applications
The Register of Public Websites and Applications belongs to the Ministry of Digital Government and has 585 registered websites and 36 registered applications.
According to the relevant law, the "Register of Public Websites and Applications" (ΜΗ.Δ.ΙΣ.ΕΦ.), which includes all websites and mobile applications of public bodies that comply with the statutory accessibility requirements, is maintained by the Department of Accessibility and Social Affairs of the Directorate of Digital Strategy, of the General Directorate of Digital Governance, of the Ministry of Digital Governance.
The ΜΗ.Δ.ΙΣ.ΕΦ. plays an important role in compliance with EU and national law. It also contributes to fulfilling the obligation to establish the mechanism that will facilitate communication between citizens and public sector bodies on issues of accessibility of websites and mobile applications, and the taking of appropriate actions by public sector bodies within specific deadlines.
SQL injection attack
SQL injection is a code injection technique that allows an attacker to run SQL statements against a target server. A successful SQL injection attack allows the execution of arbitrary queries on the target database, which means the ability to collect important information, such as passwords, usernames, emails, credit card numbers, etc.
These attacks take advantage of vulnerabilities in web applications that communicate with the backend servers where databases are stored. The abbreviation SQL stands for Structured Query Language. It is a programming language used to add, manipulate and retrieve data in a SQL database. Attackers can easily find out, with a few simple requests, whether a page is vulnerable to SQL injection. If it is, they will be able to steal data, destroy it, and even become database server administrators.
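The root cause described above is a request parameter (here the page names orgID) being pasted into the SQL text instead of being bound as a value. The following is an added example, not code from the original article or from the affected site: it builds a small constructed SQLite table standing in for a registry of websites (the real schema is unknown and is not assumed here) and contrasts the vulnerable string-concatenation lookup with a parameterized one. The table name, column names and URLs are all invented for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a registry of public websites."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE websites (id INTEGER PRIMARY KEY, orgID INTEGER, url TEXT)")
    conn.executemany(
        "INSERT INTO websites (orgID, url) VALUES (?, ?)",
        [
            (1, "https://example-ministry.test"),      # constructed sample rows
            (1, "https://example-registry.test"),
            (2, "https://example-municipality.test"),
        ],
    )
    return conn


def lookup_vulnerable(conn, org_id):
    """The defect: the raw GET parameter becomes part of the SQL statement text.

    Anything the caller puts into org_id is parsed as SQL, so a value that is
    not a plain number changes the meaning of the WHERE clause. This is the
    pattern that makes boolean- and time-based blind injection possible.
    """
    sql = "SELECT url FROM websites WHERE orgID = " + org_id
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, org_id):
    """The fix: validate the type, then bind the value with a placeholder.

    The database driver sends the value separately from the statement, so it
    can never be interpreted as SQL. The digit check is defence in depth: an
    identifier that must be an integer is rejected before it reaches the DB.
    """
    if not org_id.isdigit():
        raise ValueError("orgID must be a positive integer")
    rows = conn.execute("SELECT url FROM websites WHERE orgID = ?", (int(org_id),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))            # one row, as intended
    print(lookup_vulnerable(db, "2 OR 1=1"))     # every row: the clause was rewritten
    print(lookup_parameterized(db, "2"))         # one row
    try:
        lookup_parameterized(db, "2 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The tautology input is the simplest way to show that the vulnerable function's WHERE clause is under the caller's control; a time-based variant such as the one the researchers reported uses the same defect, only with a delaying expression instead of a tautology. Placeholder binding removes the whole class regardless of which expression is used.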
- The most important precaution, perhaps, is proper design, sound implementation and constant monitoring of the database, so that it is not vulnerable to this attack.
- Restricting server configuration data: restricting access to misconfigured parameters can reduce the likelihood of an attack on the target server. Although it does not offer 100% security, it is a first security step around databases.
- Good knowledge of all SQL Servers on the network by administrators: first, administrators need to know how many SQL servers are on the network. This process may not be as simple as it seems, as many servers run on dynamic TCP ports and usually only run when a user "needs" them, so some servers may not be active at the time of inventory. SQL Ping, SQL scan and more specialized software can be used to find all SQL Servers.
- Continuous updates: software companies regularly release updates to fix known vulnerabilities. Organizations must therefore take care to update the applications, software and systems they use in order to stay safe.
- Enable and configure a web application firewall.
- Blocking access to specific server ports by unknown users: it does not offer absolute security, especially against SQL injection attacks, but it is an important security measure for the entire network of a company or organization. For example, closing UDP port 1434 [this port is used to locate Microsoft SQL Server instances] and all the TCP ports that SQL Server "listens" on can enhance security.
- Adoption of strong admin passwords: using a strong password can prevent brute force, SQL injection and many other attacks. It is also recommended to change them frequently.
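Alongside the measures above, a web application firewall or log review can catch the reported attack type while it is still being probed: a time-based blind injection against an integer parameter shows up as a non-numeric value containing a delay function. The following is an added detection example, not code from the original article or from the affected site. It parses a few constructed Apache-style access log lines (invented for this demonstration; the path /registry/sites.php and the IP addresses are placeholders, only the parameter name orgID comes from the article) and flags requests whose orgID value is not a plain integer or contains a known delay function.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines in Apache combined-style format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Mar/2021:10:00:01 +0200] "GET /registry/sites.php?orgID=12 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Mar/2021:10:00:09 +0200] "GET /registry/sites.php?orgID=12%20AND%20SLEEP(5) HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2021:10:01:00 +0200] "GET /registry/sites.php?orgID=7 HTTP/1.1" 200 4870
203.0.113.5 - - [01/Mar/2021:10:01:15 +0200] "GET /registry/sites.php?orgID=12%20AND%20BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 5120
"""

# Fields of one access-log line: client IP, timestamp, method, request target, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+)'
)

# Delay functions used by time-based blind techniques across common DBMSs.
TIME_BASED_RE = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR|PG_SLEEP)\s*\(", re.IGNORECASE)


def scan_log(text, numeric_params=("orgID",)):
    """Return one finding per request whose integer parameter looks tampered with.

    Each finding records the client IP, timestamp, parameter name, decoded
    value and the reasons it was flagged. Parameters listed in numeric_params
    are expected to be plain positive integers, which is the assumption for
    an identifier such as orgID.
    """
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand; skip rather than guess
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name in numeric_params:
            for value in params.get(name, []):  # parse_qs already URL-decodes
                reasons = []
                if not value.isdigit():
                    reasons.append("non-numeric")
                if TIME_BASED_RE.search(value):
                    reasons.append("time-based-function")
                if reasons:
                    findings.append({
                        "ip": m["ip"],
                        "ts": m["ts"],
                        "param": name,
                        "value": value,
                        "reasons": reasons,
                    })
    return findings


def sources_by_hits(findings):
    """Count flagged requests per client IP, most active first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["param"], repr(h["value"]), h["reasons"])
    print(sources_by_hits(hits))
```

The "non-numeric" check alone catches most tampering with an integer identifier and produces no false positives for legitimate traffic, which is why it is listed first; the delay-function pattern adds the specific signature of the time-based blind technique the researchers reported and is useful for alert prioritization. Both belong at the WAF or in log monitoring, not as a substitute for parameterized queries in the application.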