In what is shaping up to be a fine security trifecta (see yesterday’s post about an as-yet unpatched cross-site scripting vulnerability at CIA.gov), yesterday’s Daily WTF posting concerned a naked SQL Injection vulnerability on the Oklahoma Department of Corrections website. The vulnerability allowed anyone who cared to download lots of details from Oklahoma’s sex offender registry that shouldn’t have been accessible, including social security numbers (identity theft, anyone?), and also allowed access to other tables in the database, including information on corrections staff members. The page is now, mercifully, offline, though not before a commenter claimed that he was able to insert someone’s name into the database using a different SQL statement in the URL.
Little Bobby Tables at xkcd illustrates this type of vulnerability as well. Moral of the story: don’t trust user input!
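To make the moral concrete, here is an added example (not code from the Daily WTF post or from the Oklahoma site, whose actual code and schema are not known) showing the two patterns side by side in Python with the standard-library sqlite3 driver: a lookup that splices a request parameter straight into the SQL text, the way a URL-driven query would, and the same lookup with the value bound as a parameter. The table and rows are constructed stand-ins.

```python
import sqlite3

# Constructed stand-in for a registry table; the real site's schema is not known here.
SAMPLE_ROWS = [
    (1, "Smith", "000-00-0001"),
    (2, "Jones", "000-00-0002"),
]


def build_db():
    """Create an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (id INTEGER, last_name TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, last_name):
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so anything the user types is parsed as SQL rather than treated as data."""
    sql = f"SELECT last_name FROM offenders WHERE last_name = '{last_name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, last_name):
    """Fixed pattern: the value is bound by the driver and never parsed as SQL,
    so a quote or keyword in the input can only ever match a literal string."""
    sql = "SELECT last_name FROM offenders WHERE last_name = ?"
    return [row[0] for row in conn.execute(sql, (last_name,))]


def demo():
    """Run both lookups on a benign value and on a malformed one and return the results."""
    conn = build_db()
    benign = "Smith"
    # Constructed malformed input: a quote that closes the literal plus a tautology.
    hostile = "x' OR '1'='1"
    return {
        "benign_concat": lookup_concatenated(conn, benign),
        "benign_param": lookup_parameterized(conn, benign),
        "hostile_concat": lookup_concatenated(conn, hostile),
        "hostile_param": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The benign value returns one row either way; the malformed value makes the concatenated query return every row in the table, while the parameterized query returns nothing because the driver compares the whole string as a literal. The fix is binding, not escaping or blacklisting characters: with bound parameters the database never sees user input as part of the statement, which is the only reliable way to honour "don't trust user input" at the SQL layer.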