Symantec Exposed Passwords, Serials – SQL Injection, Full Database Access
A self-proclaimed grey-hat hacker has located a critical SQL injection vulnerability in a website belonging to security giant Symantec. The flaw can be leveraged to extract a wealth of information from the database including customer and admin login credentials, product serial numbers, and possibly credit card information.
The flaw was found by a Romanian hacker going by the online handle of Unu, according to whom an insecure parameter of a script from the pcd.symantec.com website, allows for a Blind SQL Injection (SQLi) attack to be performed. In such an attack, the hacker obtains read and/or write permission to the underlying database of the vulnerable website.
The content of the pcd.symantec.com website is written in Japanese, but from what we could determine, it serves a product called Norton PC Doctor. The Web server appears to be running Windows Server 2000 as operating system, Microsoft IIS 6.0 with ASP support and Microsoft SQL Server 2000 as database back-end.
From the screen shots released by Unu there are many potentially interesting databases, but the one he chose to look at is called “symantecstore.” One of the tables in this database is named “PaymentInformationInfo” and contains columns such as BillingAddress, CardExpirationMonth, CardExpirationYear, CardNumber, CardType, CcIssueCode, CustomerEmail, CustomerFirstName, CustomerLastName or SecurityIndicator.
Source: Unu’s Blog