MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…

Last week, Progress Software Corporation, which sells software and services for user interface development, devops, file management and more, alerted customers of its MOVEit Transfer product about a critical vulnerability dubbed CVE-2023-34362.
If the backend data is stored in a SQL database, the web server might convert that URL into a SQL command like the one shown below.
As the cartoon concludes in the last frame, you really need to sanitise your database inputs, meaning that you need to take great care not to allow the person submitting the search term to control how the search command gets interpreted by the backend servers involved.
The second is a "Comment command" that causes the rest of the line to be ignored, thus cunningly eating up the trailing %' characters generated by the server's command generator, which would otherwise have caused a syntax error and prevented the injected DROP TABLE command from working.
Webshells work because many web servers treat certain files as executable scripts used to generate the page to send back, rather than as the actual content to use in the reply.
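The webshell mechanism described above comes down to one question for an upload handler: will the server treat this file as a script or as content? The following added example (not code from the article or from MOVEit) shows a defender-side check for that. The extension lists, the `upload_decision` and `find_script_files` helpers, and the constructed directory listing are all assumptions for illustration; a real deployment would take the script-extension list from its own server configuration.

```python
import os

# Extensions that common web servers hand to a script engine instead of serving
# as static content. Assumed list for illustration; check your own handler map.
SCRIPT_EXTENSIONS = {
    ".asp", ".aspx", ".ashx", ".asmx", ".php", ".phtml", ".php5",
    ".jsp", ".jspx", ".cgi", ".pl", ".py",
}

# Extensions the upload endpoint is willing to keep (allowlist, not denylist).
ALLOWED_EXTENSIONS = {".pdf", ".txt", ".csv", ".png", ".jpg", ".jpeg", ".zip"}


def _extensions(name):
    """All dotted suffixes of a name, lower-cased: 'a.aspx.jpg' -> ['.aspx', '.jpg']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def upload_decision(filename, storage_id):
    """Decide whether an uploaded filename may be stored.

    Returns ("accept", safe_name) or ("reject", reason). The stored name is
    built from a server-chosen id plus the vetted extension, so nothing the
    uploader supplied ends up in the on-disk path.
    """
    # Drop any directory components the client sent (../, backslashes).
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name in (".", "..") or "\x00" in name:
        return ("reject", "malformed name")
    exts = _extensions(name)
    # Any script extension anywhere in the chain is rejected, which also
    # catches double extensions such as 'photo.aspx.jpg'.
    if any(e in SCRIPT_EXTENSIONS for e in exts):
        return ("reject", "script extension")
    if not exts or exts[-1] not in ALLOWED_EXTENSIONS:
        return ("reject", "extension not allowed")
    return ("accept", f"{storage_id}{exts[-1]}")


def find_script_files(listing):
    """Detection sweep: names in an upload or web root listing that a server
    would execute. Returns them sorted so the result is stable."""
    return sorted(n for n in listing
                  if any(e in SCRIPT_EXTENSIONS for e in _extensions(n)))


# Constructed directory listing, not from any real incident.
SAMPLE_LISTING = ["invoice-2023.pdf", "logo.png", "update.aspx", "notes.txt", "x.php.jpg"]


if __name__ == "__main__":
    print(upload_decision("report.PDF", "u1"))
    print(upload_decision("update.aspx", "u2"))
    print(find_script_files(SAMPLE_LISTING))
```

Two design points: the allowlist is checked on the final extension while the script denylist is checked on every extension, because the server's handler mapping and the uploader's naming tricks do not agree on which part of the name "counts"; and the stored name is generated server-side, so the uploaded file cannot be requested as a script even if the check is later loosened. Keeping the upload directory outside the web root removes the execution path entirely.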
If you're a SQL programmer, use parameterised queries, rather than generating query commands containing characters controlled by the person sending the request.
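The following added example (not code from the article, the cartoon it refers to, or MOVEit) runs the two halves of the argument side by side: the string-built search command that the article describes, where a quote plus a trailing comment marker lets the submitted term rewrite the command and swallow the server's closing `%'`, and the parameterised version recommended above, where the same term is bound as a value and can only ever be compared against the name column. The in-memory SQLite database, the `students` table and the search terms are constructed for illustration; `executescript()` stands in for a database driver that accepts several statements in one request.

```python
import sqlite3

# Constructed sample rows, not from the article.
STUDENTS = [("Alice Adams",), ("Bob Brown",), ("Robert Tables",)]


def make_db():
    """Fresh in-memory database holding the constructed students table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT)")
    conn.executemany("INSERT INTO students VALUES (?)", STUDENTS)
    conn.commit()
    return conn


def build_query_unsafe(term):
    """The pattern the article warns against: the search term is spliced into
    the SQL text, so a quote or a comment marker inside it becomes SQL syntax
    rather than data."""
    return "SELECT name FROM students WHERE name LIKE '%" + term + "%'"


def search_safe(conn, term):
    """Parameterised query: the driver passes the term as a bound value, so the
    command text is fixed and the term can only be matched, never executed.
    (LIKE wildcards in the term still act as wildcards; that is a separate,
    much smaller issue than letting the term rewrite the statement.)"""
    rows = conn.execute("SELECT name FROM students WHERE name LIKE ?",
                        ("%" + term + "%",))
    return [row[0] for row in rows]


def table_exists(conn, name="students"):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
        (name,)).fetchone()
    return row[0] == 1


def demo():
    """Run the same search term through both paths and report what happened."""
    # Constructed term in the spirit of the cartoon: closes the quote, adds a
    # second statement, then comments out the server's trailing %' so the
    # command still parses.
    injected = "x%'; DROP TABLE students; --"
    results = {}

    conn = make_db()
    results["safe_plain"] = search_safe(conn, "Rob")         # ['Robert Tables']
    results["safe_injected"] = search_safe(conn, injected)   # []
    results["table_after_safe"] = table_exists(conn)         # True

    # Same term, concatenated path: the extra statement runs as written.
    conn.executescript(build_query_unsafe(injected))
    results["table_after_unsafe"] = table_exists(conn)       # False
    return results


if __name__ == "__main__":
    print(build_query_unsafe("x%'; DROP TABLE students; --"))
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Printing `build_query_unsafe(...)` makes the comment trick visible: the generated command ends in `--%'`, so the `%'` the server appended is discarded instead of causing a syntax error. The parameterised path never builds that text at all, which is why it survives the same input unchanged.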
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-06-02 | CVE-2023-34362 | SQL Injection vulnerability in Progress Moveit Cloud and Moveit Transfer. In Progress MOVEit Transfer before 2021.0.6 (13.0.6), 2021.1.4 (13.1.4), 2022.0.4 (14.0.4), 2022.1.5 (14.1.5), and 2023.0.1 (15.0.1), a SQL injection vulnerability has been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain access to MOVEit Transfer's database. | 9.8 |