Symantec website 'hosts SQL injection flaw'

A hacker claims to have found a SQL injection flaw on Symantec's website.


A hacker claims to have found a SQL injection flaw on Symantec's website.

Symantec websute SQL hosts injection flawThe Romanian hacker, who is known as Unu and previously exposed a flaw on security vendor Kaspersky's website, said he had found the bug in Symantec's Document Download Centre, a password-protected part of the company's site where channel partners can download sales materials for the company's products.

Symantec said it was not a security issue and no company or customer information was exposed, but the still pulled down the website.

"Symantec immediately took the site down, conducted comprehensive testing and determined that the issue is not a security vulnerability," the company said. "It appears that the individual who reported it based the report on an error message."

Symantec representatives were unable to comment in detail on the matter, but at worst, the issue is an embarrassment for Symantec, the world's best-known computer security vendor.

"The irony of the situation is that it's done on ... a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY," Unu wrote in his blog. "What can I say? Nice advertising."

In a SQL injection attack, the hacker takes advantage of bugs in web programs that query SQL databases. The point is to find a way to run commands within the databases and access information that would normally be protected.

These flaws have been used in widespread web attacks, that have allowed criminals to place malicious code on thousands of websites over the past year.

Based on Unu's description of the matter, it's unclear whether he found a legitimate SQL injection flaw, said Robert Hansen, chief executive at SecTheory, a web security consultancy. "He could be absolutely right. This could be SQL injection, but so what," he said. "Maybe [sales materials are] really valuable to an attacker, but I doubt it."

Just over a week ago, Unu found a similar problem in Kaspersky Lab's site, as well as in a partner site for security vendor BitDefender, and in the F-Secure website.

The attacks have exposed data that the vendors had wanted to protect such as customer email addresses, product activation codes and research data, but not financial information.

"While the attack is something we must learn from and points at things we need to improve, it's not the end of the world," F-Secure wrote in a blog. In the F-Secure attack, the hacker was able to get access to statistics the company keeps on malicious software.

"Recommended For You"

Phishing botnet expands by hacking legit sites Twitter fixes cross-site scripting flaw