U.N.PatchedI've been attaching some updates to my United Nations VS SQL Injections article, but this story deserves another clarification post, now.

A few hours ago I've been contacted by Ronda Hauben (Telepolis/OMNI), asking if I had any news about the vulnerability and how the agency was handling it.
I answered her just like I answered the inquiry I received from Anne Broache (CNET/News.com) yesterday:

I can confirm the vulnerability is still there.
The U.N. staff just deployed a cosmetic patch to hide the bug from the most obvious tests, but this measure cannot prevent an attack.
I reported this problem to U.N. on Monday morning (8.06 AM UTC), offering cooperation to evaluate and fix it under the provisions of the RFPolicy.

They did not come back to communicate with me yet, but on the other hand the aforementioned policy grants them 5 days to do it.
As I said the site is still vulnerable, but I won't disclose any other technical detail until this "grace time" is expired.

Shortly after I sent Ronda my reply (around 22.00 UTC), I was about to hit my bed when I decided to check again...
To my surprise, all my U.N. bookmarks landed on 404 (not found) pages, and when I tried the www.un.org home page itself I was welcomed by this message:

The UN website is undergoing urgent maintenance and is currently unavailable.
Please check back in a short while.
(screenshot)

Urgent. Now that's a progress. Last time I checked it was just a "scheduled" job.
First they left the code untouched for one whole day, even after they had restored secretary's speeches in the database.
Then they try to merely hide the hole.
But now, they finally seem to act over the problem for real. Good.
Who cares if they didn't managed to drop me a single line, they probably had no time.
I'm just happy enough: CNET reported U.N. spokeperson Alex Cerniglia saying that "the agency welcomes input from security specialists like Maone" (citebite) and Washington Post (Reuters) kindly adds to my resume that I've "worked with the world body" (citebite from Yahoo! News, since the original article has been taken down both from W.P. and Reuters...)
Ehy, after all they can afford the cream of the crop of world class expertize, so why bother?

"Please check back in a short while" they wrote. Here I am.
Home page is back. Wow, that's been fast. I'm impressed.
So, let's open the now well known Secretary General's section...

Ouch! Latest speeches missing?! they were there some minutes ago...
OK, maybe they're just following a saner approach this time, like "Fix first, then restore your data". Great work guys!

Let's check this fix, then.
Hey, wait, what fix? Looks like there's no fix at all yet!
The same old vulnerability greets me with its bored grin: I could exploit it like I could this morning, and yesterday and the day before, if I wasn't the nice person I am.

Maybe they're using these sneaky techniques to take time until Saturday, when according to RFPolicy their silence will implicitly allow me to brief my readers (including them, I hope) with assessments and suggested fixes for this problem.

Or, more probably, they're just smarter than us, and set up a sophisticated honeypot to track and capture all those cyberterrorists who will try to exploit their seemingly unpatched hole!

However, today the World is a safer place.

16 Aug 2007, 14:20 UTC update

Still vulnerable.

17 Aug 2007, 13:10 UTC update

Still vulnerable.

7 Responses to “U.N.PATCHED (or Can You Secure a Glass Palace?)”

  1. #1 hackademix.net » SQL Injection Toy says:

    [...] No, this title is not about to the United Nations web site. [...]

  2. #2 Azad says:

    i thınk not patced stıll there are holes of sql ınj

    what did they said :D searcher finds :P

    sorry bad english :D

  3. #3 rose58kitty says:

    I don't like your "no-scipt" It won't let me get what I want and gives me what I don't want...in short I can't get in my church music and every porn idiot in the world seems to have my number! I am a girl and I do not like girls and I am an old girl and I don't like men either so could some one tell firefox I am one unhappy customer and the take your life and you knopw what you can do with it!
    An angry little old lady!:(!

  4. #4 hackademix.net » United Nations, I Hate to Say I Told You So says:

    [...] Nations main web site. In a later update I explained how, rather than fixing their holes properly, the U.N. technicians deployed a pretty useless Web Application Firewall, masking the most obvious attack surface but keeping their sites just as vulnerable as [...]

  5. #5 hackademix.net » Mass Attack FAQ says:

    [...] it’s a merely temporary work-around — the solution is fixing the code (learn from the United Nations tale). If you’ve got no clean database backup, you could try to recover by brutally reversing the [...]

  6. #6 Microsoft issues advice on SQL injection attacks « in.spite says:

    [...] from hackademix.net (VERY handy if you do not have a clean backed up version of your database) and U.N.Patched (the story of how the UN got their site [...]

  7. #7 Chuck Snyder says:

    Wow, over a year and still there.....pretty sad really.

Bad Behavior has blocked 1377 access attempts in the last 7 days.