Unu claims SQL injection flaws in sites operated by Symantec, New York Times

Dark Reading Staff, Dark Reading

February 20, 2009

2 Min Read

The Romanian hacker who penetrated the Websites of three security vendors last week is now claiming two new victims: Symantec and The New York Times.

The hacker, known only as "unu," posted a blog entry about an SQL injection vulnerability found on one of Symantec's Websites, the Document Download Center of the Norton Resource Center For Resellers. The flaw "permits access to their databases," unu says, although he did not say which databases or what data they contain.

Ironically, the flaw was found on a login page that promotes the Norton line of security products, unu observes.

In a response posted to unu's Website, Symantec concedes that the page is flawed by "inconsistent exception handling," but it rejects unu's assertion that the bug could lead to database access.

"Upon thorough investigation, we have determined that the blind SQL injection is, in fact, not effective," Symantec says. "The difference in response between valid and injected queries exists because of inconsistent exception handling routine for language options. Thanks again for notifying us of the issue. We will have the modified page up again soon with better exception handling."
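The dispute above turns on a well-known failure mode of blind SQL injection testing: a page that answers differently to a valid value and to a value with a stray quote looks injectable to a scanner, but the same difference is produced by an input validator that throws on anything outside its allow-list. The following added example (not code from the article, from unu, or from Symantec) models that situation with sqlite3 and a constructed "language option" parameter. It shows a genuinely injectable handler, a parameterized handler whose inconsistent exception handling still changes the response on a quote, and an assumed fix that falls back to a default language instead of raising; the probe confirms injection only when an always-true payload reproduces the baseline page while an always-false payload does not, which the exception-handling artifact cannot do. All handler names, the schema and the response strings are assumptions made for illustration.

```python
"""Telling real boolean-based blind SQL injection apart from a response
difference that comes only from inconsistent exception handling.

Added example, not the article's or Symantec's code. The schema, handlers and
HTTP-style response strings are constructed; sqlite3 stands in for the site's
database."""
import sqlite3

SUPPORTED_LANGS = {"en", "es", "fr"}


def build_db():
    """In-memory stand-in for a document download database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, lang TEXT)")
    conn.executemany(
        "INSERT INTO documents (title, lang) VALUES (?, ?)",
        [("Reseller guide", "en"), ("Guia del revendedor", "es"), ("Guide revendeur", "fr")],
    )
    return conn


def render(rows):
    """Turn a result set into the page body a browser would see."""
    return "HTTP 200: " + (", ".join(t for (t,) in rows) if rows else "no documents")


def vulnerable_download(conn, lang):
    """Genuinely injectable: the language option is concatenated into the SQL text."""
    try:
        rows = conn.execute(
            "SELECT title FROM documents WHERE lang = '" + lang + "'").fetchall()
    except sqlite3.Error:
        return "HTTP 500: database error"
    return render(rows)


def inconsistent_download(conn, lang):
    """Parameterized (not injectable), but an unsupported language option raises and
    is mapped to an error page, so a quote in the input still changes the response."""
    try:
        if lang not in SUPPORTED_LANGS:
            raise ValueError("unsupported language option")
        rows = conn.execute("SELECT title FROM documents WHERE lang = ?", (lang,)).fetchall()
    except ValueError:
        return "HTTP 500: internal error"
    return render(rows)


def consistent_download(conn, lang):
    """Assumed fix: parameterized, and unknown language options fall back to the
    default instead of raising, so malformed input looks like any normal request."""
    if lang not in SUPPORTED_LANGS:
        lang = "en"
    rows = conn.execute("SELECT title FROM documents WHERE lang = ?", (lang,)).fetchall()
    return render(rows)


def probe_boolean_blind(handler, conn, base="en"):
    """Return (differs_on_quote, confirmed).

    differs_on_quote: a lone quote changes the response, the signal a naive scanner
    reports as blind SQL injection.
    confirmed: the boolean pair behaves as only real injection can: the always-true
    payload reproduces the baseline page and the always-false payload does not."""
    baseline = handler(conn, base)
    differs_on_quote = handler(conn, base + "'") != baseline
    true_resp = handler(conn, base + "' AND '1'='1")
    false_resp = handler(conn, base + "' AND '1'='2")
    confirmed = true_resp == baseline and false_resp != true_resp
    return differs_on_quote, confirmed


if __name__ == "__main__":
    db = build_db()
    for h in (vulnerable_download, inconsistent_download, consistent_download):
        # vulnerable: (True, True); inconsistent: (True, False); consistent: (False, False)
        print(f"{h.__name__:22s} {probe_boolean_blind(h, db)}")
```

The single-quote test alone flags both the injectable handler and the parameterized one with sloppy exception handling; only the true/false pair separates them, because the validator rejects both boolean payloads identically while real injection evaluates them. Confirming a blind finding this way before publishing it would have resolved the disagreement the article reports.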

In a separate blog post, unu also claims to have discovered an SQL injection vulnerability in the Website of the International Herald Tribune, the global edition of The New York Times.

"I discovered an unsecured parameter, which allows access to the database," unu says. "Besides the wealth of information in the database, we also found an interesting table containing login details of 161 affiliates, editors, reporters, and other associates of the famed newspaper."

The International Herald Tribune says the vulnerability has been patched, but concedes that some login details were exposed.

Unu says he's targeting other newspapers' Websites for further research.
