Choicepoint... there is still some work to do...
Good thing Choicepoint had done a security audit. That is what the press relations guy told Wired after our first paper. Without that security audit, one wonders what their network would have been like...

We had already forgotten this story, but one of Kitetoa's readers sent us a nice URL. On another Choicepoint Web site, you could see the ASP code (ASP pages are dynamic pages that the server creates while you're navigating). So it was easy to ask (through a stupid web browser) for the page in which the IIS Web server keeps the path of the database (used to create these dynamic pages)... The login and the password of the database were displayed... Considering this is a really old vulnerability, this is quite stupid. The good news is that the specialists at Choicepoint had put their database on a machine with an internal IP address.

What else? On the site we had already written about, some parts of the server seem to be vulnerable to a really old bug (published by L0pht. So yes, it's very old...). One could modify stuff on the server using a browser. Looks like this vulnerability didn't show up either when they did that security audit... Oh well...