Thread: SQL injection on HDFC Bank site allowed remote shell access

  1. #1

    HDFC Bank is one of the leading banks in India. HDFC stands for Housing Development Finance Corporation, and it was one of the first private-sector banks after the RBI liberalized the Indian banking industry in 1994. Geeks at zSecure discovered a critical issue with the bank's customer database on July 15, 2011 and immediately reported it to the bank. The vulnerability, called a "Hidden SQL Injection Vulnerability", could give hackers complete access, allowing them to dump the database and even upload a shell. In their blog post, zSecure mention that after they alerted the bank to the critical flaw, it took HDFC Bank 22 days to reply!

    The bank replied saying that they had fixed the issue. zSecure checked and found that the issue had not been fixed. They replied with additional proof of the vulnerability and received another email from the bank two days later. The bank, in its response, said:

    "We have remediated all the vulnerability reported on our website. Also we have got the application vulnerability assessment performed through one of our third party service provider and they confirmed that there are no more SQL Injection vulnerability."
    Orkut id: neo1981
    Blog: infosec-neo.blogspot.com
    Nothing is Impossible*


    *Conditions Apply
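The thread does not publish the vulnerable query or the payload zSecure used, so the following is an added illustration, not the bank's code or the researchers' proof-of-concept. It uses a constructed in-memory SQLite table (a hypothetical customers table, not the bank's schema) to show the two things the post talks about: how a string-concatenated query lets a tautology payload dump every row, and a UNION payload pull the schema, while the parameterised version of the same lookup returns nothing; and a small re-test that returns True while the injection is still present, which is the kind of check a reporter runs before accepting a "we have remediated" reply.

```python
import sqlite3

# Constructed sample data for illustration only; the thread does not
# describe the bank's real schema, queries or payload.
SAMPLE_ROWS = [("alice", "ACC-1001"), ("bob", "ACC-1002"), ("carol", "ACC-1003")]


def build_db():
    """Create an in-memory customers table populated with SAMPLE_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, account TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (name, account) VALUES (?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable lookup: user input is spliced into the SQL text itself."""
    sql = "SELECT name, account FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Hardened lookup: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT name, account FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Tautology payload: closes the string literal and appends a condition that
# is always true, so the WHERE clause matches every row (a full table dump).
DUMP_PAYLOAD = "nobody' OR '1'='1"

# UNION payload: keeps the column count (two) and reads the schema table,
# the first step an attacker takes before dumping other tables.
SCHEMA_PAYLOAD = "nobody' UNION SELECT name, sql FROM sqlite_master WHERE '1'='1"


def retest(lookup, conn):
    """Re-test for injection after a claimed fix.

    Returns True if the lookup returns more rows for the tautology payload
    than for the harmless baseline string it is built on, i.e. the input
    is still being interpreted as SQL rather than as data.
    """
    baseline = lookup(conn, "nobody")
    probed = lookup(conn, DUMP_PAYLOAD)
    return len(probed) > len(baseline)


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, honest input :", lookup_vulnerable(db, "alice"))
    print("vulnerable, dump payload :", lookup_vulnerable(db, DUMP_PAYLOAD))
    print("vulnerable, schema probe :", lookup_vulnerable(db, SCHEMA_PAYLOAD))
    print("safe, dump payload       :", lookup_safe(db, DUMP_PAYLOAD))
    print("still injectable (vuln)  :", retest(lookup_vulnerable, db))
    print("still injectable (safe)  :", retest(lookup_safe, db))
```

The re-test deliberately compares row counts rather than looking for an error message: a WAF or a patched error page can hide the database error while the query is still being built by concatenation, which is exactly the "fixed, but not really" situation the post describes.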

  2. #2
    AnArKI (Infosec Enthusiast)
    Join Date: Jul 2010 | Location: London | Posts: 514 | Blog Entries: 2

    Surprising and worrying news...

  3. #3
    b0nd (... I am no Expert, b0nd.g4h@gmail.com)
    Join Date: Jul 2010 | Location: irc.freenode.net #g4h | Posts: 744

    Quote: "We have remediated all the vulnerability reported on our website. Also we have got the application vulnerability assessment performed through one of our third party service provider and they confirmed that there are no more SQL Injection vulnerability."

    That's pretty lame! I am just wondering what they would be doing with their service provider's security team.
    [*] To follow the path: look to the master, follow the master, walk with the master, see through the master,
    ------> become the master!!! <------
    [*] Everyone has a will to WIN but very few have the will to prepare to WIN
    [*] Invest yourself in everything you do, there's fun in being serious

  4. #4
    fb1h2s (Security Researcher)
    Join Date: Jul 2010 | Location: India | Posts: 616 | Blog Entries: 32

    I would not be surprised by this; every day I see a person claiming to have found a bug in HDFC. It's just that this one made it to the news.
    Hacking is a matter of time, knowledge and patience
