
UN.org still vulnerable to SQL Injection

August 28th, 2009

In August 2007 the UN.org website was hacked by activists. It turns out that after 2 years the website is still vulnerable. This is unfortunate; as far as we know, the only damage in the previous hack was a defacement: the page was changed and a message was placed on the site by the hackers.

The fact that UN.org has not deemed it important enough to fix shows little understanding of the need for good security. This is not an elite hack; the vulnerability is a simple SQL injection that could lead to more than a defacement.

Attackers could potentially use this to take control of the server and then capture logins. As is often the case, logins are reused, so there is the potential for capturing login information for more important systems within the UN.

The page could be defaced with injected malware. This would put thousands of visitors to un.org at risk of their own systems being compromised. The database server that houses the website may also hold other databases containing logins, personal details and other sensitive information.

Dear UN.org,

Please fix your web site; it would not cost much. Then have your security reviewed for further problems. Our partner site HackerTarget.com would be willing to do a full assessment for free.

Regards,

Peter
IronCove.net

Update: I have just tested the simple injection test, putting an extra quote at the end of the URL mentioned in the linked article, and the problem appears to have been fixed. Let's hope they go to the trouble of a full security review.
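The "extra quote" test in the update works because a stray quote breaks a query that was built by string concatenation, while it is harmless to a parameterized query. The following is an added illustration written for this post, not code from UN.org or from the original article; the table, the `lookup_concat`/`lookup_param` functions and the `quote_probe` helper are all constructed here to show the vulnerable pattern next to its fix.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a site's content database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (slug, body) VALUES (?, ?)",
        [("home", "Welcome"), ("news", "Latest news")],
    )
    conn.commit()
    return conn


def lookup_concat(conn, slug):
    """Vulnerable pattern (hypothetical): the request parameter is spliced into
    the SQL text, so a quote in the input becomes part of the query syntax."""
    sql = "SELECT body FROM pages WHERE slug = '" + slug + "'"
    return conn.execute(sql).fetchall()


def lookup_param(conn, slug):
    """Hardened pattern: the value travels separately from the SQL text, so a
    quote in the input is only data and can never alter the statement."""
    return conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchall()


def quote_probe(lookup, conn, slug):
    """Reproduce the post's check: append one quote to the parameter.

    Returns 'error' when the database rejects the query (the symptom that tells
    a reviewer the input is reaching the query text) and 'ok' otherwise.
    A site that shows the raw database error to visitors makes this even more
    visible; the fix is parameterization, with a generic error page as backup.
    """
    try:
        lookup(conn, slug + "'")
        return "ok"
    except sqlite3.OperationalError:
        return "error"


if __name__ == "__main__":
    db = make_db()
    print("normal lookup:", lookup_param(db, "news"))
    print("concat + quote:", quote_probe(lookup_concat, db, "news"))  # error
    print("param  + quote:", quote_probe(lookup_param, db, "news"))   # ok
```

The important design point is that the hardened version does not try to strip or escape quotes itself; it hands the value to the driver as a bound parameter, which is the one mitigation that holds regardless of which characters the input contains.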
