HI All,

*A hacker claims to have gained full access to the website of the British
Royal Navy and the underlying database through an SQL injection attack.*

The public disclosure was made by a Romanian self-confessed security
enthusiast who uses the online handle of "TinKode."

The grey hat hacker specializes in finding Web vulnerabilities like SQL
injection and cross-site scripting. Back in July he disclosed a high-risk
weakness in YouTube, which was subsequently misused to poison video
comments.

In a new post on his blog, TinKode claims that the compromise of
www.royalnavy.mod.uk happened on November 5 at 22:55. The time zone is not
specified, but Romania is in UTC +02:00. The hacker mentions that the attack
vector was SQL injection, but fortunately, he doesn't publicly disclose the
vulnerable URL. He does, however, link to a file hosted on pastebin.com,
which contains sensitive information gathered from the Royal Navy Web server
and database.

This includes a copy of the /etc/passwd file, a listing of MySQL databases,
as well as the tables for some of them.

For the "globalops" database, which we assume corresponds to the "Global
Operations" section of the website, TinKode lists the contents of the
"admin_users" table. This includes the administrative accounts and their
corresponding password hashes.

The hacker even cracked the hashed password for the user called "admin" and
posted it in plain text. Suffice it to say that it's ridiculously simple and
in no way appropriate for a military website.

Furthermore, he also posted usernames and hashed passwords for the site's
"Jack Speak" blogs section, which appears to be running WordPress. We have
alerted the Royal Navy Web team, but have yet to receive a reply. Meanwhile,
the website remains online.

FYI:
http://tinkode27.baywords.com/minister-of-defence-united-kingdom-www-mod-uk-hacked/
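The article names SQL injection as the attack vector and an "admin_users" table as what was dumped. The following is an added illustration for readers of this list, not code from the article, from TinKode, or from the Royal Navy site: it contrasts a lookup that pastes user input into the SQL string with one that binds the input as a parameter. The table layout and the rows in it are constructed here for the demonstration (hash values are placeholders), and the point shown is the defender's one: if a plain apostrophe in a username produces a database syntax error, the input is being parsed as SQL, and the fix is parameter binding.

```python
import sqlite3

# Constructed sample data for this example only: a small table shaped like the
# "admin_users" table the article mentions. Hash values are placeholders.
SAMPLE_USERS = [
    (1, "admin", "PLACEHOLDER-HASH-1"),
    (2, "editor", "PLACEHOLDER-HASH-2"),
    (3, "O'Brien", "PLACEHOLDER-HASH-3"),   # legitimate name containing a quote
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE admin_users ("
        "id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    # Parameter binding is used even for the seed data.
    conn.executemany("INSERT INTO admin_users VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Injectable pattern: the caller's text becomes part of the SQL statement.

    Any quote in `username` ends the string literal early, so the database
    parses whatever follows as SQL. A harmless apostrophe surfaces this as a
    syntax error; crafted input could instead alter the query.
    """
    sql = (
        "SELECT username, password_hash FROM admin_users "
        f"WHERE username = '{username}'"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Hardened pattern: the value is bound as a parameter.

    The SQL text is fixed; the driver hands `username` to the database as data,
    so it is compared to the column and never parsed as SQL.
    """
    sql = "SELECT username, password_hash FROM admin_users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run both lookups on a name containing an apostrophe and report the outcome."""
    conn = make_db()
    name = "O'Brien"
    try:
        lookup_vulnerable(conn, name)
        vulnerable_error = False
    except sqlite3.OperationalError:
        # The apostrophe broke the statement: input reached the SQL parser.
        vulnerable_error = True
    return {
        "vulnerable_error": vulnerable_error,
        "safe_rows": len(lookup_safe(conn, name)),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function raises an error on a legitimate name such as O'Brien, which is exactly the symptom an application log would show when quoted input reaches the query builder; the parameterized version returns the single matching row. Auditing a code base for string-built SQL (f-strings, concatenation, `%` formatting around `execute`) and replacing it with bound parameters removes the vector the article describes, regardless of what the rest of the stack looks like.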
