Okla. agency site plugs coding error that left data exposed

Top Stories

Related

• New Windows worm builds massive botnet
• Windows market share dives below 90% for first time
• 7 ways to cut your software costs during the economic downturn
• Major e-stores malfunction on Black Friday and Cyber Monday
• How spyware nearly sent a teacher to prison
• Glory days: How high school shaped nine IT leaders

• Too good to ignore: 6 alternative browsers
• 7 ways to cut your software costs during the economic downturn
• Major e-stores malfunction on Black Friday and Cyber Monday
• MIT researchers boost the power of solar energy
• Netbooks: small, cheap -- and fast?

Zone

The Security Zone With the mobility of employees and the ease with which external devices can be brought in and out of a network, continuing to build your security plan for network servers and clients is a must. Fortunately, there is much that organizations can do to protect themselves from attacks - internal and external. Having the right policies, procedures and server configurations is critical... Learn more in The Security Zone See All Zones

April 16, 2008 (Computerworld) It's rare that someone looking to steal personal data from a Web site need only submit their own SQL query to pull the data of his choice from the underlying database.

But for the past three years -- until this week -- that's just what anyone with a basic knowledge of SQL could do while visiting the Oklahoma Department of Corrections Web site.

That's according to security blogger Alex Papadimoulis, who earlier this week wrote about how he had exploited a fundamental programming error on the site to download more than 10,500 records with Social Security numbers. The records involved people listed in the Oklahoma's Sexual and Violent Offender Registry.

Also exposed were records containing Social Security numbers and personal data on other types of offenders, as well as employees working at the department.

In an interview, Papadimoulis said the coding error, which now appears to have been fixed, affected the search pages of the Sexual and Violent Offender Registry and the General Offender registry. "The main problem was that the URL contained the computer code required to display data on the page, which is a big vulnerability," he said. "Anybody could change the code and have the page display whatever he would like it to display."

Papadimoulis posted screenshots of the records he had captured to prove his point.

Papadimoulis said it took less than a minute for him to figure out how to modify the code to download records containing data from the site. Instead of validating the request or even considering the user input, the site was designed to blindly execute whatever code a user might tell it to execute, he said. "This is the most extreme case of not validating user input. It really is the most basic of errors," he said.

According to Papadimoulis, the flaw allowed anyone to craft queries to access data in the offender databases as well as from other data stores they might be linked to. It could have even allowed for records to be modified, deleted or added. "I didn't try that," he said. "What I did was I told them this was really, really bad."

The first attempt at fixing the issue was not very successful, Papadimoulis noted in his blog. "Their brilliant developers plugged this pothole with a pebble by doing nothing more than a case-sensitive search/replace of 'social_security_number' with 'doc_number,'" Papadimoulis said.

When Papadimoulis again demonstrated how that fix did little to alleviate the problem, Oklahoma Department of Corrections officials finally pulled the site down for maintenance and corrected the issue.

Jerry Massie, public information officer for the agency, today confirmed the flaw and said it has been fixed. "[Papadimoulis] notified us on Thursday evening that he had been able to manipulate the database," Massie said. "There was a weakness in the application." He did not elaborate further.