Login form of Kluwer Software could be bypassed via SQL injection


Software vendor Kluwer had not properly secured its website. With a simple SQL injection, the login screen for customers could be circumvented, so data of thousands of customers could be accessed.

Entering the string ' or 1=1-- in the password field of the Belgian branch of Kluwer Software bypassed the login screen. It is a basic security error. Tweaker Tharulerz reported the vulnerability to Tweakers.net, after which Kluwer Software, part of the multinational Wolters Kluwer, was informed. The vulnerability was fixed within an hour of the notification.

“We had adjusted the maximum password length to twelve characters to prevent this kind of attack,” says George Jans, the webmaster of Kluwer Software. That was not sufficient in this case, because the injection string is only ten characters long. Moreover, limiting the length of passwords is questionable in itself, since it reduces the strength of passwords.
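The two points above, the ten-character bypass string and the twelve-character length cap that does not stop it, as an added example that is not from the original article or from Kluwer's code: a constructed in-memory user table (hypothetical schema and accounts), a login check that builds its query by string concatenation behind the length cap, and the same check with a parameterized query, which treats the string as a literal password.

```python
import sqlite3

# Constructed sample data; not Kluwer's real schema or accounts.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# The only mitigation described in the article: a cap on password length.
MAX_PASSWORD_LENGTH = 12

# The exact string from the article: ten characters, so it fits under the cap.
BYPASS_STRING = "' or 1=1--"


def make_db():
    """Build an in-memory table with the constructed sample users."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_concatenated(db, username, password):
    """Vulnerable form: the length cap is applied, but the value is then pasted
    into SQL text.  ' or 1=1-- closes the quote, adds a tautology and comments
    out the rest, so the WHERE clause matches every row."""
    password = password[:MAX_PASSWORD_LENGTH]
    query = (
        f"SELECT id FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, username, password):
    """Hardened form: the driver binds the value as data, so the same string is
    compared literally against the stored password and matches nothing."""
    password = password[:MAX_PASSWORD_LENGTH]
    row = db.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Return (bypass string fits under the cap, concatenated login id, parameterized login id)."""
    db = make_db()
    fits_under_cap = len(BYPASS_STRING) <= MAX_PASSWORD_LENGTH
    return (
        fits_under_cap,
        login_concatenated(db, "nobody", BYPASS_STRING),
        login_parameterized(db, "nobody", BYPASS_STRING),
    )
```

The length cap is irrelevant to the defect; only binding the value as a parameter (or otherwise keeping user input out of the SQL text) closes it.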

Once logged in, a malicious user could download patches and view the private information of the registered user. The user ids were sequential, and every id that Tharulerz entered worked. The database would contain the information of 40,000 customers; webmaster Jans puts it at 10,000.

Although the vulnerability did not give access to sensitive information beyond address data, the fact that it is a simple SQL injection makes the matter painful for a large software vendor like Kluwer.