“BT is one of the world’s leading providers of communications solutions and services operating in 170 countries. Its principal activities include networked IT services, local, national and international telecommunications services, and higher-value broadband and internet products and services. BT consists principally of four lines of business: BT Global Services, Openreach, BT Retail and BT Wholesale.”

“The most complete UK broadband, phone lines and mobile products, digital TV, web hosting, online security and networked IT services for home”

The description says it all. One of the giants in IT, mobile, TV and internet services. A Giant Company with a huge database. You don’t need to be an internet whiz, not even a computer literate to understand the tremendous implications that result from such a database beeing vulnerable.

A faulty parameter, improperly sanitized opens the vault to the pretious databases. One can gain access to such ordinary things as personal data, login data, and the like. In the first syntax I concatenated the table names as well as the version and the user of the database.

Lets see some of the user login data for different data bases (among which, of course, the admins of the respective sections).

As well as the login data and personal data (email, active, lastloggedin, firstname, surname, address, town, postcode, level, randomkey, password) for some of the registered users.

To be continued… but first we need to see reported vulns patched. We don’t want to put BT clients in danger by providing sensitive informations and hints to a potential attacker.

————-

RO version:

O firma mare, cu o baza de date imensa. Alta firma din domeniul IT si comunicatii care nu-si poate securiza propria baza de date. Un parametru prost sanitizat permite acces la date personale, de logare, etc.

In prima sintaxa am concatanat denumirile schemelor, cat si versiunea, userul bazei de date.

Sa vedem o parte din datele de logare a userilor pentru diferite baze de date (printre care desigur si adminii respectivelor sectiuni)

Cat si datele de logare, personale (email, active, lastloggedin, firstname, surname, address, town, postcode, level, randomkey, password) pentru o parte din userii inregistrati.

Va urma…

Related Posts

• March 10, 2009 -- Sql Injection in BT.com – episode 2
• December 24, 2009 -- Forumul Andreei Balan spart
• December 22, 2009 -- Fun cu NemoExpres.ro
• December 11, 2009 -- Kaspersky Thailand hacked by TinKode
• December 11, 2009 -- Deface pe site-ul fundatiei Dan Voiculescu pentru Dezvoltarea Romaniei (fudv.ro)