Reporting SQL Vulnerability [migrated]
Posted
by
Ciaran87Bel
on Server Fault
See other posts from Server Fault
or by Ciaran87Bel
Published on 2014-08-23T13:49:32Z
Indexed on
2014/08/23
16:24 UTC
Read the original article
Hit count: 117
My first post here so i'll hopefully keep it simple.
I have just finished building a CMS targeted at a certain industry and built a test site to see how everything works.
Anyway I wrote a program to check for sql injection vulnerabilities and the program followed a blog link to an external website.
The program discovered that the external site had a massive vulnerability that left it open to practically anyone who could then access every bit of data on their MYSQL Server and run queries etc. The thing is this external site is the brand leader in their industry and do millions upon millions of sales per annum. I have tried contacting them to let them know and even went as far as contacting the company that built their platform but I was pretty much brushed off and haven't heard back from them. Their database would contain the details of hundreds of thousands of customers and all their data. I could easily make myself site admin etc in a few seconds but they won't listen to me even though I have offered to share the vulnerability with them and help in anyway I can.
Is there anything else I can do because it is one of the biggest security risks I have ever personally come across. Is there any other steps I should take to report this?
Thanks
© Server Fault or respective owner