go_sword Posted January 9, 2010 Report Share Posted January 9, 2010 A Romanian grey hat hacker has disclosed an SQL inject (SQLi) vulnerability on a website belonging to the United States Army, which leads to full database compromise. The website, called Army Housing OneStop, is used to provide information about military housing facilities to soldiers.The Army Housing OneStop (AHOS) is "the official Army website for soldiers who need information about Military Family Housing (MFH), Unaccompanied Personnel Housing (UPH) and/or Community (Off-Post) Housing. It includes both comprehensive and quick-reference information for Army installations worldwide."A self-confessed security enthusiast, who goes by the online handle of TinKode, documented a proof-of-concept attack against the onestop.army.mil on his personal blog. The published screenshots reveal that the Web server runs on Microsoft Windows 2003 with Service Pack 2 and the database engine used to power the ASP website is Microsoft SQL Server 2000.The AHOS website seems to have been developed by DynaTouch Corporation, a third-party government contractor that provides software and hardware solutions to create "self-service kiosk systems." The company's client portfolio includes a long list of local and federal government organizations.There are a number of 76 databases on the server, but TinKode focused his attention on the one called "AHOS." There are various tables in this database containing general website configuration information, but two in particular stand out as they are called "mgr_login" and "mgr_login_passwords."Upon investigating the latter, the hacker stumbled upon passwords stored in plain text, a major security oversight. Storing cryptographic hashes instead of the actual password strings has been a common practice in Web application programming for years now. Furthermore, if for convenience the hashes are generated with a weak algorithm, a technique known as "salting" can be employed to make them nearly impossible to crack.In a time when even the most amateur programmers follow such security practices, the fact that many business or government websites do not boggles one's mind. Additionally, the administrative account is called "Dynatouch" – who would have guessed that? – and its password is "AHOS" – yes, really.Note: Softpedia has contacted both Dynatouch and the Army.mil Webmasters about this vulnerability. Only the Army.mil Web Team responded and directed us to the U.S. Army Public Affairs Media Relations Division for questions. The website has since been taken offline.http://news.softpedia.com/news/Army-Website-Compromised-Through-SQL-Injection-131649.shtmlhttp://www.tinkode.baywords.com Quote Link to comment Share on other sites More sharing options...
Bebe1911 Posted January 9, 2010 Report Share Posted January 9, 2010 tot romanii...buna treaba baieti Quote Link to comment Share on other sites More sharing options...
Nytro Posted January 9, 2010 Report Share Posted January 9, 2010 (edited) Da, zeul de Tinkode, cel mai 1337 hacker roman. Plecati-va in fata lui.PS: Doar nu o sa imi dau singur warn PS2: Sa sti ca eu sunt si voi ramane fanul tau nr. 1. Am inceput sa plang cand am vazut ca e o stire despre tine si nu despre Nytro, dar cum esti cel mai 1337, am inteles Edited January 9, 2010 by Nytro Quote Link to comment Share on other sites More sharing options...
Guest Praetorian Posted January 9, 2010 Report Share Posted January 9, 2010 (edited) Da, zeul de Tinkode, cel mai 1337 hacker roman. Plecati-va in fata lui.Ce penal esti ma! Si vezi ca esti offtopic ADMINE! Edited January 9, 2010 by Praetorian Quote Link to comment Share on other sites More sharing options...
jiji Posted January 9, 2010 Report Share Posted January 9, 2010 sper sa nu atraga stolul de ciori asupra lui. F tare man. Quote Link to comment Share on other sites More sharing options...
Krisler12 Posted January 9, 2010 Report Share Posted January 9, 2010 Din cate am vazut eu TinKode, daca nu ma insel, este membru si aici pe rst, cum de nu are probleme cu autoritatile ptr. treaba asta ? Ma gandesc ca ar putea sa ii ceara ip-ul atat celor care au forumurile pe care umbla el dar chiar mai ales celor care ii gazduiesc blogul, nu ? Nu s-a riscat prea mult facand asta ? Ma gandesc ca orucat te-ai proteja cu proxy-uir cu tor si asa mai departe, ip-ul tau poate fi luat si din alta parte , in acest caz chiar de la cei care ii gazduiesc blogul. Eu nu am nimic cu el si nici cu nimeni altcineva, nu ma intelegeti gresit, dar sunt doar curios cum de nu sar americanii sa faca ceva ca mie mi se par "sensibili" (cazul cu ala care a spart NASA) la chestii de astea ? Multumesc ! btw, oare ce metoda de anonimitate a folosit ? voi cum v-ati proteja daca ati face o treaba ca asta (care e totusi importanta ca nu spargi site-ul unui golan oarecare de cartier) ? Quote Link to comment Share on other sites More sharing options...
prodil89 Posted January 9, 2010 Report Share Posted January 9, 2010 Da nu prea sunt autoritatiile din Romania interesate de asa ceva......asta daca nu se baga americanii Quote Link to comment Share on other sites More sharing options...
begood Posted January 9, 2010 Report Share Posted January 9, 2010 ))))))))))))))))))))))))))))))))))e in crestere egoul lui lui Tin, comment dupa comment Quote Link to comment Share on other sites More sharing options...
Church Posted January 9, 2010 Report Share Posted January 9, 2010 Uh Uh Uh, SirKode Altu care o sa primeasca "50+ ani de inchisoare"oricum ... eu tot fan Nytro raman .. Quote Link to comment Share on other sites More sharing options...
daatdraqq Posted January 9, 2010 Report Share Posted January 9, 2010 Pe Haisam am vazut ca-l aduc inapoi ,ce parere-ti faci daca o zice Obama "vi-l dam si pe Munaf la schimb cu Tin " LE: neeee, nu te da Base ca esti valoros ! Quote Link to comment Share on other sites More sharing options...
