Security News > 2023 > June > MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…
Last week, Progress Software Corporation, which sells software and services for user interface developement, devops, file management and more, alerted customers of its MOVEit Transfer product about a critical vulnerability dubbed CVE-2023-34362.
If the backend data is stored in a SQL database, the web server might convert that URL into a SQL command like the one shown below.
As the cartoon concludes in the last frame, you really need to sanitise your database inputs, meaning that you need to take great care not to allow the person submitting the search term to control how the search command gets interpreted by the backend servers involved.
The second is a "Comment command" that causes the rest of the line to be ignored, thus cunningly eating up the trailing %' characters generated by the server's command generator, which would otherwise have caused a syntax error and prevented the injected DROP TABLE command from working.
Webshells work because many web servers treat certain files as executable scripts used to generate the page to send back, rather than as the actual content to use in the reply.
If you're a SQL programmer, used parameterised queries, rather than generating query commands containing characters controlled by the person sending the request.
News URL
Related news
- Dutch Police: ‘State actor’ likely behind recent data breach (source)
- Comcast and Truist Bank customers caught up in FBCS data breach (source)
- Internet Archive hacked, data breach impacts 31 million users (source)
- Internet Archive data breach, defacement, and DDoS: Users’ data compromised (source)
- Fidelity Investments says data breach affects over 77,000 people (source)
- Fidelity Data Breach Exposes Data of Over 77,000 Customers (source)
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- USDoD hacker behind National Public Data breach arrested in Brazil (source)
- Tech giant Nidec confirms data breach following ransomware attack (source)
- Hackers exploit 52 zero-days on the first day of Pwn2Own Ireland (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |