Belegger.nl has more than 200,000 users are required a new password will be set up under the guise of maintenance on the database. In reality it turned out to be the website prone to sql injection so the database was accessible.
Tweaker Squ1zZy told Tweakers.net that he has proved capable of using sql-injection to access the database Belegger.nl. Because of this, he had access to the usernames and passwords of more than 200,000 registered users. Also admingegevens of the website were accessible.
After he publisher Sanoma aware of had brought, he has been in contact with the ict manager. Although the result of that contact, though some technical adjustments to the site and registered users, a new password must be set, found Squ1zZy that the database is still accessible.
A spokesman of Sanoma confirms the opposite Tweakers.net not all discovered vulnerabilities are directly poem. “We have had contact with Squ1zZy and as a result last week and already made some improvements. We also have an extra audit. A part of the matters which flow from it emerged his earlier poem; the last end is fixed on Monday.”
According to the tweaker he had access to various databases on the server Belegger.nl, where in several tables in user data were stored. In total saw Squ1zZy 201.953 accounts, where a large part of the password in plain text was saved. “In a other table was, however, uses md5 hashing, but this form of protection is nowadays already no longer sufficient”, says Squ1zZy opposite Tweakers.net.
According to Squ1zZy create more sites of Sanoma use of the subject component, even if the Now.en-sites here then again no use. Sanoma emphasized that there is already quite some time on a new website for Belegger.nl is worked for 1 October the daylight must be seen. The results of the audit will also be at the new site to be monitored. The new site will also get a new log-in system that by default has the encrypted passwords. In the current database, it is now finally done.