Wednesday, March 9, 2011

SQL Injection in Facebook applications!

We found SQL injection vulnerabilities in two Facebook applications. One of them has now been patched, so we are disclosing that one.


There was a SQL injection vulnerability in a third-party application served under apps.facebook.com.

Vendor::twmarketplace
Location:: http://apps.facebook.com/twmarketplace/post.php?postid=
Severity:: Critical
Impact:: Database access/server control


It was possible to extract all data from every database on that server that the application's database account could reach.
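The vulnerable code itself was never published, so as an added example (not the vendor's code, and not part of the original post) the block below shows the pattern that produces an injectable `postid=` parameter, what a UNION-based payload against it extracts, and the parameterised fix. It assumes a PHP/MySQL-style `SELECT ... WHERE id = <postid>` query; sqlite3 stands in for MySQL so it runs offline, with `sqlite_master` playing the role of `information_schema`, and the schema and rows are constructed for the example.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the vendor's database (assumption: the real
    app used MySQL; sqlite3 is used so the example runs offline)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, pw_hash TEXT);
        INSERT INTO posts VALUES (1, 'Hello', 'first post'), (2, 'Bye', 'second post');
        INSERT INTO users VALUES (1, 'admin@example.com', 'constructed-hash-1');
    """)
    conn.commit()
    return conn


def get_post_vulnerable(conn, postid):
    """Mirrors the bug class behind post.php?postid=: the raw request
    parameter is concatenated into the SQL text, so the attacker controls
    the query structure, not just a value."""
    sql = "SELECT title, body FROM posts WHERE id = " + postid
    return conn.execute(sql).fetchall()


def get_post_fixed(conn, postid):
    """Parameterised query: the value is bound by the driver and never parsed
    as SQL. The numeric check is a second, independent line of defence."""
    if not postid.isdigit():
        raise ValueError("postid must be a positive integer")
    return conn.execute(
        "SELECT title, body FROM posts WHERE id = ?", (int(postid),)
    ).fetchall()


def extract_via_union(conn, select_tail):
    """Drive the vulnerable endpoint with a UNION payload. 'id = 0' matches no
    post, so every returned row comes from the attacker's SELECT. The column
    count (2) must match the original query, which is why the payload selects
    exactly two expressions."""
    payload = "0 UNION SELECT " + select_tail
    return sorted(get_post_vulnerable(conn, payload))


def enumerate_tables(conn):
    """Schema discovery. In MySQL this would read information_schema.tables
    (and information_schema.schemata to list every database the account can
    see); sqlite keeps the same information in sqlite_master."""
    rows = extract_via_union(conn, "name, sql FROM sqlite_master WHERE type = 'table'")
    return [name for name, _ in rows]


def is_rejected_by_fix(conn, postid):
    """True if the hardened handler refuses the input instead of running it."""
    try:
        get_post_fixed(conn, postid)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = build_db()
    print("tables via injection:", enumerate_tables(db))
    print("users via injection:", extract_via_union(db, "email, pw_hash FROM users"))
    payload = "0 UNION SELECT email, pw_hash FROM users"
    print("fixed handler rejects payload:", is_rejected_by_fix(db, payload))
```

The two-column UNION is the simplest form of the technique; when the number of columns is unknown it is found first with `ORDER BY n` or `UNION SELECT NULL, NULL, ...` probing, and when the page does not echo query results the same data is pulled out one bit at a time with boolean or time-based conditions. The fix is the bound parameter; the `isdigit()` check only narrows the input space further.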


Changelog::
7/3/2011 - Vendor notified
8/3/2011 - Response from vendor
8/3/2011 - Vendor patched the vulnerability
9/3/2011 - Public disclosure

3 comments:

  1. did you use sqlninja or sqlmap for database enumeration or you did everything manually?

  2. Great information here, thanks for sharing this valuable information!

    Facebook Applications Starting $39.99 ONLY!
