
UN Web site is defaced via SQL Injection


This morning the United Nations Web site was defaced by three hackers calling themselves kerem125, M0sted, and Gsy. The group exploited a typical SQL Injection vulnerability found in the United Nations ASP / ADODB Web servers.

Instead of transcripts of Secretary-General Ban Ki-Moon’s speeches, visitors were greeted with the message:

Hacked By kerem125 M0sted and Gsy

That is CyberProtest Hey Ýsrail and Usa

dont kill children and other people

Peace for ever

No war

A post over at hackademix.net notes the importance of the missing apostrophe in the defacement text; it is a clue to the technique these attackers used to deface the Web site. What’s surprising is that this type of attack can be avoided quite easily by making proper use of prepared statements. One would expect a high-profile organisation such as the UN to be more thorough in protecting itself from this kind of embarrassment.
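The contrast the article draws, as an added example that is not from the original post or from the UN’s ASP / ADODB code: a Python/sqlite3 stand-in with a constructed `pages` table, showing a string-concatenated UPDATE beside the parameterised form. The concatenated version breaks on any body text containing an apostrophe, because the quote closes the SQL string literal and the rest is parsed as SQL; the parameterised version stores the same text literally, which is the whole defence.

```python
import sqlite3

# Constructed sample row standing in for a transcript page; not real UN data.
SEED_PAGES = [(1, "Transcript of the Secretary-General's remarks")]


def make_db():
    """Fresh in-memory database with one constructed page row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO pages (id, body) VALUES (?, ?)", SEED_PAGES)
    conn.commit()
    return conn


def vulnerable_update(conn, page_id, body):
    """String-concatenated UPDATE, the pattern behind the article's defacement.

    An apostrophe inside `body` terminates the SQL string literal early, so the
    database parses whatever follows as SQL rather than as data.
    """
    sql = f"UPDATE pages SET body = '{body}' WHERE id = {page_id}"
    conn.execute(sql)
    conn.commit()


def safe_update(conn, page_id, body):
    """Parameterised UPDATE: values are bound by the driver, never spliced into
    the statement text, so every character of `body` is stored literally."""
    conn.execute("UPDATE pages SET body = ? WHERE id = ?", (body, page_id))
    conn.commit()


def read_body(conn, page_id):
    row = conn.execute("SELECT body FROM pages WHERE id = ?", (page_id,)).fetchone()
    return row[0] if row else None


def demo(body):
    """Run both update paths on fresh databases and report what each stored."""
    results = {}
    conn = make_db()
    try:
        vulnerable_update(conn, 1, body)
        results["concatenated"] = read_body(conn, 1)
    except sqlite3.OperationalError as exc:
        # The apostrophe broke the statement; this is the error the concatenated
        # path produces for perfectly legitimate input.
        results["concatenated"] = f"SQL error: {exc}"
    conn = make_db()
    safe_update(conn, 1, body)
    results["parameterised"] = read_body(conn, 1)
    return results


if __name__ == "__main__":
    for text in ["Peace for ever", "Don't kill children and other people"]:
        print(repr(text), "->", demo(text))
```

The second input is why the article’s apostrophe clue matters: a body that cannot contain a single quote is exactly the shape of text that survives being spliced into a string literal, whereas the parameterised path is indifferent to the character set of its input.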

Even more surprising is the fact that, despite the text in question having been corrected, the Web site still looks to be vulnerable to the same type of attack. I wonder how long it will be until it’s patched?

10 comments
corporate

i wish i could employ them under my payroll

thisisfutile

I followed the link posted here...hackademix.net, and clicked the links they supplied for the article. During the 5 minutes that I was there my AV detected a downloader in my browser cache... The only pages I had open were the hackademix.net site and one of the links to the UN page (that was down). Just FYI...

BALTHOR

Somebody has changed places in their brain with the U.N. These two guys actually think that they are the U.N. The message is to themselves! The U.N. is being blamed for this ruthless terrorist attack.

Neon Samurai

There are three kinds of mathematicians; those who can count, and those who can't. hehe.. that line made me giggle; I had to leave a quick post. I'm probably reading the original line from the article wrong but "two hackers" and three names gave me a smile.

Justin Fielding

My AV didn't pick anything up. Which one are you using?

Justin Fielding

Thanks for pointing that out! I went over and edited the article as I had originally thought the names were 'kerem125' and 'M0sted Gsy'. Totally overlooked the fact that I'd actually said two. Doh!

DanLM

lol, no lie. But, alas. Drug tests and all. Even if he shared, I couldn't partake. Dan

Neon Samurai

As I mentioned, it gave me a giggle. It was to share amusement rather than harp on anyone's writing. (I'm the last person who should be pointing out grammatical errors.)

Justin Fielding

That English isn't his native language; if I'm wrong then those are some serious jelly beans he's eating!!!
