[funsec] Lieberman Campaign Says Web Site Hacked
Richard M. Smith
rms at bsf-llc.com
Tue Aug 8 16:14:08 CDT 2006
SQL Injection to a MySQL database? Hmm, was any donor information stolen?
I wrote about security issues at political Web sites back in 2004:
From: Dude VanWinkle [mailto:dudevanwinkle at gmail.com]
Sent: Tuesday, August 08, 2006 5:10 PM
Cc: Richard M. Smith; funsec at linuxbox.org
Subject: Re: [funsec] Lieberman Campaign Says Web Site Hacked
On 8/8/06, Drsolly <drsollyp at drsolly.com> wrote:
> > "Voters cannot go to our Web site. They cannot access information,"
> > said. "It is a deliberate attempt to disenfranchise voters.
> I feel *so* disenfranchised.
this link was over on FD:
Quick Update/Summary: The site is set up on a single vulnerable server,
with, apparently, no backup plan. At best, completely incompetent. At
worst, downright Rovian. But since another site is running fine, on
the same server, it's downright bizarre that they couldn't fix Joe's
site in the last 18+ hours - it's obviously not a bandwidth (DoS or
limitation) issue. It appears the party line is that the site was
affected by a "SQL Injection" attack. Whether this was done via the
open and non-firewalled MySQL port on the single Linux server, or via
poor form validation, we'll never know (if it was done at all).
Regardless, there is no reason the database can't be cleaned up,
restored or otherwise fixed, in 18 hours, as Matt Stoller points out.