Posts

Showing posts with the label Attack

SQL Injection vulnerability in Drupal 7.x

Security researchers from SektionEins have discovered a critical SQL injection vulnerability in the Drupal CMS that puts a large number of Drupal-based websites at risk. Drupal 7 introduced a database abstraction API whose purpose is to prevent SQL injection by passing values into queries as bound placeholders rather than by string concatenation, but this API itself introduced a new and critical SQL injection vulnerability. The flaw lets an attacker run malicious SQL queries, and from there PHP code, on a vulnerable site, and successful exploitation gives complete control of the site. It can be exploited by an unauthenticated user and has been classified as "Highly Critical". SektionEins did not release a proof of concept but published an advisory with the technical details. The vulnerability lies in the expandArguments function, which expands an array-valued argument into a comma-separated list of placeholders so that queries using the "IN" operator can be parameterized. The vulnerability affects Drupal core 7.x versions...
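To make the mechanism concrete, here is an added illustration (not Drupal's own code and not from the advisory): a stripped-down re-implementation of the array-placeholder expansion that Drupal 7's database layer performs in expandArguments, once as the vulnerable version behaved and once with the corrective change. The function names, the sample query and the hostile input are assumptions made for this demo; which request parameter reaches this code path on a real site is not shown here.

```php
<?php
// Added illustration, not Drupal's own code: a simplified port of the
// array-placeholder expansion done by expandArguments() in Drupal 7's
// database layer. Function names and the sample query are assumptions.

/**
 * Vulnerable behaviour: the generated placeholder names are built from the
 * KEYS of the array argument, and those keys are spliced into the SQL text
 * without any validation. Whoever controls the keys controls the statement.
 */
function expand_arguments_vulnerable($query, array $args) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach ($data as $i => $value) {            // $i is the caller's array key
            $new_keys[$key . '_' . $i] = $value;
        }
        // Replace ":name" in the query with ":name_<key>, :name_<key>, ..."
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;                           // bind the expanded values
    }
    return [$query, $args];
}

/**
 * Corrected behaviour: array_values() discards the caller's keys, so the
 * placeholders are always :name_0, :name_1, ... whatever the input looked like.
 */
function expand_arguments_fixed($query, array $args) {
    foreach (array_filter($args, 'is_array') as $key => $data) {
        $new_keys = [];
        foreach (array_values($data) as $i => $value) {   // $i is now 0, 1, 2, ...
            $new_keys[$key . '_' . $i] = $value;
        }
        $query = preg_replace('#' . $key . '\b#', implode(', ', array_keys($new_keys)), $query);
        unset($args[$key]);
        $args += $new_keys;
    }
    return [$query, $args];
}

$sql = 'SELECT * FROM {users} WHERE name IN (:name)';

// Intended use: a plain list expands into one placeholder per element.
list($q, $a) = expand_arguments_vulnerable($sql, [':name' => ['alice', 'bob']]);
echo "list, vulnerable:  $q\n";

// Constructed hostile input: the array KEY (not the value) carries SQL text.
// Only the key is attacker-shaped here; the value is an ordinary string.
$hostile = [':name' => ['0) OR (1=1' => 'x']];

list($q, $a) = expand_arguments_vulnerable($sql, $hostile);
echo "hostile, vulnerable: $q\n";   // the key's text is now part of the statement

list($q, $a) = expand_arguments_fixed($sql, $hostile);
echo "hostile, fixed:      $q\n";   // back to a single bound placeholder
```

The point to take from the three outputs is that the values of the array are bound as parameters, exactly as the abstraction layer promises, while the keys are concatenated into the query text. In the vulnerable variant the hostile key's fragment lands after the closing parenthesis of the IN clause, outside any bound value; in the fixed variant array_values() renumbers the entries, so the same input yields only :name_0.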

Google warns and admits Middle Eastern govt spying on its users

[Image caption: "Warning: Google has sent this message to a number of at-risk users"]

Google has launched a new effort to warn its users that they could be the victims of cyberattacks by hostile governments. Account holders working in international relations, development and other sensitive areas have received messages from the search giant informing them of recent efforts to spy on their online activity. The move comes after the company started detecting "tens of thousands" of new hacking attacks originating in the Middle East. Google is a tempting target for attackers because it is not focused solely on search but also offers its users services such as email, mapping and Chrome, one of the most popular web browsers. This week, according to the New York Times, users thought to have been targeted saw a message attached to their accounts saying, "Warning: We believe state-sponsored attackers may be attempting to compromise your account or computer." This is not the first t...

Anonymous Attacks on U.S. Department of Justice

In what was billed as "Monday Mail Mayhem," the hacktivist group Anonymous released a 1.7 GB archive that it characterizes as "data that used to belong to the United States Bureau of Justice, until now." "Within the booty you may find lots of shiny things such as internal emails, and the entire database dump," according to a statement released by the group. "We Lulzed as they took the website down after being owned, clearly showing they were scared of what inevitably happened." That statement was included with a BitTorrent file (named 1.7GB_leaked_from_the_Bureau_of_Justice) uploaded Monday to the Pirate Bay by "AnonymousLeaks," although multiple downloaders complained on Tuesday that the torrent download was stuck at the 94% completion point. Why "dox" (release purloined data from) the Bureau of Justice Statistics? "We are releasing data to spread information, to allow the people to be heard, and to know t...

Apple iCloud new target for Hackers

Apple's iCloud Under Attack By Hackers
Some iCloud registrants have begun to notice spam email in their Sent folders, despite having nothing to do with the unsolicited messages ending up in their friends' inboxes. They believe they have been hacked, and they have taken to the Apple Support Communities to seek answers. AppleInsider points to a couple of small threads on Apple's forums where several iCloud subscribers are reporting a potential attack on the company's servers. "I never use my @me email for anything, and I guarantee someone didn't break into the account by guessing my password (or brute force methods) — it's a pseudo-randomly generated string of 15 numbers, letters (upper and lower case) and symbols (I worked in IT for many years and am perhaps overly zealous about password security, which makes memorization a real pain)," one person wrote. "I'm worried that Apple's iCloud servers themselves got hacked, as I see there are a few o...

DoS with the help of Google

DoS Attack via Google
Panos Ipeirotis, a computer scientist at New York University, learned the hard way that Google can be used to launch successful denial-of-service (DoS) attacks against sites with minimal effort. On his personal blog Ipeirotis explained that it all started when he saw that Amazon Web Services was charging him ten times the usual amount because of large amounts of outgoing traffic. "Initially I was afraid that a script that I set up to back up my photos from my local network to S3 caused that bandwidth. But then I realized that I have been running this backup-to-S3 script for a few months now, and in any case all the traffic that is incoming to S3 is free. This is a matter of outgoing traffic," he explained. After analyzing traffic logs he was able to determine that every hour a total of 250 gigabytes of traffic was sent out because of Google's Feedfetcher, the mechanism that allows the search engine to grab RSS or Atom feeds when use...
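The excerpt says the bandwidth was traced to Feedfetcher by analyzing traffic logs but does not show how. The following is an added example of that attribution step, written for this page and not taken from Ipeirotis's blog: it sums outbound bytes per hour and per user agent from access-log lines and flags hours dominated by a single fetcher. It assumes Combined Log Format (the post does not say which log format was analyzed), assumes Feedfetcher identifies itself with "Feedfetcher-Google" in the User-Agent header, and uses constructed sample lines with made-up byte counts.

```php
<?php
// Added example, not from the original post: attribute outbound bytes in an
// access log to Google's Feedfetcher per hour. Assumes Combined Log Format
// and a User-Agent containing "Feedfetcher-Google"; both are assumptions.

// Constructed sample lines; addresses and byte counts are made up for the demo.
$log = <<<'LOG'
203.0.113.9 - - [10/Apr/2012:13:05:22 +0000] "GET /photos/img001.jpg HTTP/1.1" 200 5242880 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
203.0.113.9 - - [10/Apr/2012:13:05:23 +0000] "GET /photos/img002.jpg HTTP/1.1" 200 7340032 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
198.51.100.4 - - [10/Apr/2012:13:17:01 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/11.0"
203.0.113.9 - - [10/Apr/2012:14:05:22 +0000] "GET /photos/img001.jpg HTTP/1.1" 200 5242880 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
198.51.100.4 - - [10/Apr/2012:14:30:00 +0000] "GET /feed.xml HTTP/1.1" 304 - "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/11.0"
LOG;

// Combined Log Format: ip ident user [time] "request" status bytes "referer" "agent"
const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\d+|-) "([^"]*)" "([^"]*)"$/';

/**
 * Returns [hour => [agent => bytes]] where hour is "dd/Mon/yyyy:HH" and
 * agent is "Feedfetcher-Google" or "other".
 */
function bytes_by_hour_and_agent($log) {
    $totals = [];
    foreach (explode("\n", trim($log)) as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue;                                   // skip malformed lines
        }
        $hour  = substr($m[2], 0, 14);                  // "10/Apr/2012:13"
        $bytes = $m[5] === '-' ? 0 : (int) $m[5];       // "-" means no body was sent
        $agent = strpos($m[7], 'Feedfetcher-Google') !== false ? 'Feedfetcher-Google' : 'other';
        $totals[$hour][$agent] = ($totals[$hour][$agent] ?? 0) + $bytes;
    }
    return $totals;
}

/**
 * Hours in which one agent sends more than $share of the outbound bytes and
 * more than $min_bytes in absolute terms: candidates for a fetch-driven
 * bandwidth drain rather than ordinary visitor traffic. Thresholds are
 * arbitrary defaults chosen for this demo.
 */
function suspicious_hours(array $totals, $share = 0.9, $min_bytes = 1048576) {
    $flagged = [];
    foreach ($totals as $hour => $agents) {
        $all = array_sum($agents);
        foreach ($agents as $agent => $bytes) {
            if ($all > 0 && $bytes > $min_bytes && $bytes / $all > $share) {
                $flagged[$hour] = $agent;
            }
        }
    }
    return $flagged;
}

$totals = bytes_by_hour_and_agent($log);
foreach ($totals as $hour => $agents) {
    foreach ($agents as $agent => $bytes) {
        printf("%s  %-18s %10.2f MiB\n", $hour, $agent, $bytes / 1048576);
    }
}
foreach (suspicious_hours($totals) as $hour => $agent) {
    echo "suspect: $hour dominated by $agent\n";
}
```

On real logs the interesting follow-up is to group the Feedfetcher rows by requested path: a fetcher that keeps re-downloading the same large objects every hour, as the post describes, stands out immediately from one that polls a small feed file.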