CCAvenue.com is a Commerce Service Provider, authorized as a Master Merchant by Indian financial institutions to appoint Sub Merchants and to accept and validate Internet payments via credit card and net banking facilities from end customers in real time. It is one of the leading payment gateways of South East Asia. Today, CCAvenue.com was hacked by a hacker using the code name d3hydr8, who exploited an SQL injection vulnerability in the website. The database was identified as MSSQL. CCAvenue stored passwords in plain text in the database, which was a bad strategy.
Vishwas Patel, CEO of CCAvenue, responded to the incident in an interview with Medianama, calling it a mischievous slander against their name. In his disclosure on seclist, the hacker had reported the site's server version as Apache/2.2.14, whereas Patel adds that the server was updated from 2.2.14 to 2.2.17 five months back. A Netcraft screenshot indicates that the upgrade to Apache 2.2.17 for CCAvenue took place today.