Security News > 2023 > June > MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…
Last week, Progress Software Corporation, which sells software and services for user interface developement, devops, file management and more, alerted customers of its MOVEit Transfer product about a critical vulnerability dubbed CVE-2023-34362.
If the backend data is stored in a SQL database, the web server might convert that URL into a SQL command like the one shown below.
As the cartoon concludes in the last frame, you really need to sanitise your database inputs, meaning that you need to take great care not to allow the person submitting the search term to control how the search command gets interpreted by the backend servers involved.
The second is a "Comment command" that causes the rest of the line to be ignored, thus cunningly eating up the trailing %' characters generated by the server's command generator, which would otherwise have caused a syntax error and prevented the injected DROP TABLE command from working.
Webshells work because many web servers treat certain files as executable scripts used to generate the page to send back, rather than as the actual content to use in the reply.
If you're a SQL programmer, used parameterised queries, rather than generating query commands containing characters controlled by the person sending the request.
News URL
Related news
- Free, France’s second largest ISP, confirms data breach after leak (source)
- Interbank confirms data breach following failed extortion, data leak (source)
- How to Effectively Manage a Data Breach (source)
- Amazon confirms employee data breach after vendor hack (source)
- HIBP notifies 57 million people of Hot Topic data breach (source)
- Botnet exploits GeoVision zero-day to install Mirai malware (source)
- Mystery Palo Alto Networks hijack-my-firewall zero-day now officially under exploit (source)
- US space tech giant Maxar discloses employee data breach (source)
- Chinese hackers exploit Fortinet VPN zero-day to steal credentials (source)
- Helldown ransomware exploits Zyxel VPN flaw to breach networks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |