Again a critical SQL Injection Vulnerability has been discovered by zSecure Team in a high profile web portal. This time it's Ideacellular web portal which compromises the entire site database. Any malicious smart black hats can create much more devastating attacks using this critical flaw such as: complete access to various database's as shown in screen-shots under proof of vulnerability which can later be misused to access various confidential information; complete database dump; possibility of uploading shell (not fully certain) and much more.
Target Website: https://www.ideacellular.com
Target Website: https://www.ideacellular.com
Attack Type: Hidden SQL Injection Vulnerability
Database Type: MySql 5.0.27
Alert Level: Critical
Alert Level: Critical
Threats: Database Access, Database Dump
Credit: zSecure Team
Previous Vulnerability Discolsures: Dukascopy, Sify, TimesofMoney, Sharekhan
Credit: zSecure Team
Previous Vulnerability Discolsures: Dukascopy, Sify, TimesofMoney, Sharekhan
Proof of Vulnerability:
About the Company
Idea is the 3rd largest mobile services operator in India. Idea's strong growth in the Indian telephony market comes from its deep penetration in the non-urban and rural markets. IDEA Cellular is an Aditya Birla Group Company, India's first truly multinational corporation. The group operates in 26 countries, and is anchored by over 130,600 employees belonging to 40 nationalities. The Group has been adjudged the '6th Top Company for Leaders in Asia Pacific Region' in 2009, in a survey conducted by Hewitt Associates, in partnership with The RBL Group, and Fortune. The Group has also been rated 'The Best Employer in India and among the Top 20 in Asia' by the Hewitt-Economic Times and Wall Street Journal Study 2007.
Disclaimer
SourceNo data has been dumped; zSecure Team randomly tried the security of ideacellular web portal and in our very first attempt they discovered this critical flaw. Since this flaw was discovered in their very first attempt, existence of other flaws can't be denied.
Database has been accessed just to take screenshots so that they can make company believe that the aforesaid flaw actually because most of the companies use to treat the like advisories/disclosure as junk and don't believe the researcher's which may later cause them huge.
As well said zSecure Team respect the confidentiality of Ideacelluar that's why they restricted the contents of their screen-shots to database tables only. W e hope that company Ideacellular will take some immediate steps to fix-up this critical vulnerability asap.