BreachExchange mailing list archives

fringe: Hackers: BitDefender site exposes private data (yet again)


From: security curmudgeon <jericho () attrition org>
Date: Tue, 17 Feb 2009 18:55:21 +0000 (UTC)



---------- Forwarded message ----------
From: InfoSec News <alerts () infosecnews org>

http://www.theregister.co.uk/2009/02/16/bitdefender_website_breach/

By Dan Goodin in San Francisco
The Register
16th February 2009

Updated - Romanian hackers have discovered a security flaw in the website 
of anti-virus provider BitDefender. They said it was the second time in a 
week the company has inadvertently exposed a database that is supposed to 
remain private.

According to an item posted to HackersBlog, BitDefender's main website can 
be tricked into disclosing database contents by embedding commands into 
the BitDefender.com URL.

"This parameter gives access to the DB," a hacker by the name of Unu 
reported. "I will not publish too much now as I am waiting for the problem 
to be solved."

Unu went on to say he had reported the vulnerability to the site's 
webmaster but had received no reply. "Therefore, knowing they read our 
articles, I will let them know here that they have a vulnerable 
parameter," he wrote.

[...]

A BitDefender spokesman confirmed the site had an unchecked parameter that 
was fixed on Saturday. But he denied the flaw exposed any private 
information or resulted in an SQL injection.

[...]
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
