
Hacker Discovers SQL-injection Flaw in Intel Website

An active hacker, "Unu", reports that he has found an SQL-injection vulnerability in an Intel website. An SQL-injection attack involves injecting malicious code into data strings that are transmitted to an SQL server for parsing and execution.

Unu states that the vulnerability exists in the website of Intel Channel Webinars. This website belongs to the company's Channel Partner Program. A MySQL database server is used and Unu observes that a certain user of MySQL enjoys it if fully within its host area. The implication is that on cracking the password, a hacker can gain access to the server via an IP address.

However, the breach becomes worse when the flaw is exploited for compromising sensitive information such as passport numbers, credit card particulars and birth dates of individuals who are officially associated with any event.

Unu provides a proof of concept by extracting portions of the website, exhibiting the information and posting screenshots of it. Furthermore, the hacker admits that he is not just displaying the payment card numbers, CID/CVV codes, and expiration dates, but that they are inside the table.

Furthermore, he published a blog post in which he remarked that Intel Corporation was the biggest semiconductor chip manufacturer globally in terms of revenue. However, its handling of security was as poor as that of the other big companies, as reported by Baywords on December 22, 2009.

Unu also wrote that, in addition to the SQL-injection flaw, the website permitted the execution of load_file, which made it extremely dangerous. It could be possible to find a directory to which data could be written. Besides, by injecting malware, access to the command line could be acquired. Consequently, anything could be done on the website, such as uploading redirects or PHP shells, installing Trojan droppers on its pages, or adding or changing its content.

In the meantime, the website has reportedly been disconnected from the Net.

This is not the first time Unu has targeted Intel in his research. In February 2009, he revealed another flaw of a similar kind on the website of Intel Security Center.


» SPAMfighter News - 1/1/2010
