Tivoli vulnerability gave access to data of tens of thousands of people

A hacker managed to retrieve private data of tens of thousands of Tivoli.nl users through a simple SQL injection. The database of the Utrecht-based pop venue also contained hundreds of thousands of e-mail addresses.

The security hole at the Utrecht-based pop venue Tivoli.nl was discovered by a hacker who operates under the pseudonym Ingratefully, and was reported to Tweakers.net. From his account it appears that it was relatively simple to retrieve more than 100,000 e-mail addresses and almost 50,000 names and details of visitors of Tivoli.nl.

One of the website's scripts turned out to be susceptible to SQL injection, which allowed the hundred tables in the database, named tivoli0db, to be read. Ingratefully published evidence of this on Pastebin, though without releasing any private information.

One table with profile information includes the name, address, place of residence and mobile number of almost 47,000 people, and a table with newsletter data contains the addresses of almost 112,000 people. In addition, Ingratefully came across a table with data of people who had signed a digital petition: this table contained the name, place of residence and address of a further 9500 people.

In addition, Ingratefully discovered, the database also contained login details for Google Analytics, the login details of ftp accounts on the server, and the credentials of the smtp mail server. “It is a pity to see that big websites are still easy to crack using simple SQL injections”, says the ‘hacker’ to Tweakers.net. “Let this be a message to other companies and websites: put money and time into your security. Next time it will not be a grey hat; instead your users will end up on spam lists and your website will be defaced.” Furthermore, Ingratefully states that he has neither saved nor changed any data from the Tivoli.nl database.

After Tweakers.net had informed Tivoli, the music venue immediately contacted Eagerly Internet, the company that developed some parts of the website. This company then took measures within an hour to seal the leak.