Security News > 2023 > June > MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…
Last week, Progress Software Corporation, which sells software and services for user interface developement, devops, file management and more, alerted customers of its MOVEit Transfer product about a critical vulnerability dubbed CVE-2023-34362.
If the backend data is stored in a SQL database, the web server might convert that URL into a SQL command like the one shown below.
As the cartoon concludes in the last frame, you really need to sanitise your database inputs, meaning that you need to take great care not to allow the person submitting the search term to control how the search command gets interpreted by the backend servers involved.
The second is a "Comment command" that causes the rest of the line to be ignored, thus cunningly eating up the trailing %' characters generated by the server's command generator, which would otherwise have caused a syntax error and prevented the injected DROP TABLE command from working.
Webshells work because many web servers treat certain files as executable scripts used to generate the page to send back, rather than as the actual content to use in the reply.
If you're a SQL programmer, used parameterised queries, rather than generating query commands containing characters controlled by the person sending the request.
News URL
Related news
- Hackers exploit Cityworks RCE bug to breach Microsoft IIS servers (source)
- HPE notifies employees of data breach after Russian Office 365 hack (source)
- XE Hacker Group Exploits VeraCore Zero-Day to Deploy Persistent Web Shells (source)
- PostgreSQL flaw exploited as zero-day in BeyondTrust breach (source)
- Fintech giant Finastra notifies victims of October data breach (source)
- US drug testing firm says data breach impacted 3.3 million people (source)
- US drug testing firm DISA says data breach impacts 3.3 million people (source)
- Background check, drug testing provider DISA suffers data breach (source)
- ⚡ THN Weekly Recap: Alerts on Zero-Day Exploits, AI Breaches, and Crypto Heists (source)
- Data breach at Japanese telecom giant NTT hits 18,000 companies (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |