Security News > 2023 > June > MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…
Last week, Progress Software Corporation, which sells software and services for user interface developement, devops, file management and more, alerted customers of its MOVEit Transfer product about a critical vulnerability dubbed CVE-2023-34362.
If the backend data is stored in a SQL database, the web server might convert that URL into a SQL command like the one shown below.
As the cartoon concludes in the last frame, you really need to sanitise your database inputs, meaning that you need to take great care not to allow the person submitting the search term to control how the search command gets interpreted by the backend servers involved.
The second is a "Comment command" that causes the rest of the line to be ignored, thus cunningly eating up the trailing %' characters generated by the server's command generator, which would otherwise have caused a syntax error and prevented the injected DROP TABLE command from working.
Webshells work because many web servers treat certain files as executable scripts used to generate the page to send back, rather than as the actual content to use in the reply.
If you're a SQL programmer, used parameterised queries, rather than generating query commands containing characters controlled by the person sending the request.
News URL
Related news
- UN aviation agency investigating possible data breach (source)
- Washington state sues T-Mobile over 2021 data breach security failures (source)
- New Mirai botnet targets industrial routers with zero-day exploits (source)
- Zero-day exploits plague Ivanti Connect Secure appliances for second year running (source)
- Largest US addiction treatment provider notifies patients of data breach (source)
- STIIIZY data breach exposes cannabis buyers’ IDs and purchases (source)
- Nominet probes network intrusion linked to Ivanti zero-day exploit (source)
- EU law enforcement training agency data breach: Data of 97,000 individuals compromised (source)
- UK domain registry Nominet confirms breach via Ivanti zero-day (source)
- Wolf Haldenstein law firm says 3.5 million impacted by data breach (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |