Wubi Posted July 11, 2012

4XP Critical SQL Injection Vulnerability Exposed

The zSecure team has recently discovered a critical SQL injection vulnerability in the web portal of 4XP, a leading online forex broker with a customer base of more than 1 lakh. Financial transactions, including but not limited to credit card transactions, are carried out on the broker's platform on a daily basis. The critical vulnerability gives complete access to the broker's database, which can be misused to access their customers' confidential information, including login IDs, passwords, home addresses, email IDs, mobile numbers, credit card details, etc. This critical vulnerability could prove devastating to the company if they don't fix it ASAP. Below are the details about the company and the discovered vulnerability.

About the Company
4XP is an online forex broker that specializes in providing an all-inclusive trading package backed by a caring and devoted support team. 4XP was founded by a group of retail-ended entrepreneurs and capital market dealers sharing a vision for creating a customer-oriented brokerage service that would provide a compelling trading solution. 4XP strives toward creating the most professional and transparent trading environment possible.

Vulnerability details
Website: www.4xp.com
Vulnerability Type: Hidden SQL Injection Vulnerability
Database Type: MySQL
Alert Level: Critical
Threats: Complete Database Access, Database Dump, Shell Uploading

Worst case scenarios
Any malicious smart black hats can create much more devastating attacks using this critical flaw, such as:
- Uninterrupted access to the database;
- Database dump;
- Possibility of shell uploading, which may result in defacement of the website; and
- Much more . . .

Proof of vulnerability
http://www.zsecure.net/blog/vulnerabilities/4xp-sql-injection-vulnerability.html
http://thehackernews.com/2012/07/4xp-critical-sql-injection.html
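The post lists "Complete Database Access" and "Database Dump" as threats from a single injection point without showing why one vulnerable parameter exposes unrelated tables. The following is an added illustration, not code from 4XP, zSecure or the original post: a constructed two-table schema (a public news table and a private users table, sharing one database account) queried once by string concatenation and once with a bound parameter. SQLite is used as a stand-in for the MySQL backend named in the advisory so the file runs offline; the concatenation defect, the UNION payload and the parameterised fix behave the same on MySQL. Table names, rows and the payload are all assumptions made up for this example.

```python
"""Why one SQL injection point leaks every table the DB account can read.

Added illustration, NOT code from 4XP or zSecure. Schema, rows and payload
are constructed here. SQLite stands in for MySQL so this runs offline.
"""
import sqlite3

# Constructed sample data (assumption: a public "news" table and a private
# "users" table live in the same database, reachable by the same account).
SCHEMA = """
CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO news VALUES (1, 'Welcome'), (2, 'Maintenance window');
CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
"""

# UNION-based payload: the attacker only needs the column count of the
# original SELECT (two here) and a table name to pull the credentials
# table through a page that was never meant to show it.
UNION_PAYLOAD = "1 UNION ALL SELECT username, password_hash FROM users"

# Boolean payload: turns a single-row lookup into a full-table dump.
OR_PAYLOAD = "1 OR 1=1"


def make_db():
    """In-memory SQLite database populated with the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, news_id):
    """Builds the statement by concatenation: the user's string becomes SQL."""
    sql = "SELECT id, title FROM news WHERE id = " + news_id
    return conn.execute(sql).fetchall()


def lookup_safe(conn, news_id):
    """Parameterised statement: the value travels separately from the SQL
    text, so the database never parses it as part of the query.
    sqlite3 uses '?' placeholders; MySQL drivers such as mysql-connector
    and PyMySQL use '%s', but the principle is identical."""
    sql = "SELECT id, title FROM news WHERE id = ?"
    return conn.execute(sql, (news_id,)).fetchall()


def lookup_validated(conn, news_id):
    """Defence in depth: enforce the expected type before touching the
    database, so a payload is rejected at the application boundary."""
    try:
        value = int(news_id)
    except (TypeError, ValueError):
        raise ValueError("news_id must be an integer")
    return lookup_safe(conn, value)


if __name__ == "__main__":
    db = make_db()
    print("normal request :", lookup_vulnerable(db, "1"))
    print("UNION injection:", lookup_vulnerable(db, UNION_PAYLOAD))
    print("OR injection   :", lookup_vulnerable(db, OR_PAYLOAD))
    print("parameterised  :", lookup_safe(db, UNION_PAYLOAD))
```

The "Shell Uploading" threat in the advisory is the next step on MySQL: with the same injection point, `SELECT ... INTO OUTFILE` can write an attacker-controlled file, but only if the application's database account holds the FILE privilege, `secure_file_priv` allows the target directory, and that directory is served by the web server. Binding parameters removes the injection; running the web application under a database account without FILE and with read access limited to the tables it actually needs removes the escalation path even if a future injection slips through.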