We found a vulnerability in two Facebook applications. One is patched now, so we are disclosing that vulnerability.
There was a SQL Injection vulnerability in apps.facebook.com
Vendor: twmarketplace
Location: http://apps.facebook.com/twmarketplace/post.php?postid=
Severity: Critical
Impact: Database access/server control
It was possible to extract all data from all databases located on that server.
Changelog:
7/3/2010 - Facebook vendors notified
8/3/2010 - Response from vendor
8/3/2010 - Vendor patched the vulnerability
9/3/2010 - Public disclosure
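The pattern behind this class of bug and its fix, as an added PHP example (not twmarketplace's code, which was never published); the `posts` table, its columns, and the mysqli connection are assumptions:

```php
<?php
// Added illustration, not the vendor's source. Table and column names are assumed.

// --- Vulnerable pattern (assumed shape of the bug) ---
// The raw query-string value is concatenated into the SQL text, so whatever the
// client sends in postid is parsed by the database as part of the statement.
function fetchPostVulnerable(mysqli $db, array $get): ?array
{
    $postid = $get['postid'] ?? '';
    $sql    = "SELECT id, title, body FROM posts WHERE id = " . $postid;
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// --- Hardened pattern ---
// 1. Validate postid as a positive integer before it reaches the database;
//    anything else is rejected and no query runs at all.
// 2. Bind the value through a prepared statement, so the driver transmits it
//    as a parameter and never as statement text.
// 3. Connect with an account limited to this application's own database:
//    the advisory's "all databases" impact shows why a shared or privileged
//    DB user turns one injectable parameter into full server exposure.
function fetchPostSafe(mysqli $db, array $get): ?array
{
    $postid = filter_var(
        $get['postid'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($postid === false) {
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare("SELECT id, title, body FROM posts WHERE id = ?");
    $stmt->bind_param('i', $postid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}
```

Rejected requests (the 400 branch) are worth logging with the offending parameter value, since a burst of non-numeric postid values is the simplest detection signal for probing of this endpoint.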
did you use sqlninja or sqlmap for database enumeration, or did you do everything manually?
It was done manually. :))
Great information here, thanks for sharing this valuable information!
Facebook Applications Starting $39.99 ONLY!