Wednesday, July 11, 2012

4XP Critical SQL Injection Vulnerability Exposed

The zSecure team has recently discovered a critical SQL injection vulnerability in the web portal of 4XP, a leading online forex broker with a customer base of more than 1 lakh. Financial transactions, including but not limited to credit card transactions, are carried out on the broker's platform on a daily basis. The vulnerability allows complete access to the broker's database, which could be misused to access customers' confidential information, including their login IDs, passwords, home addresses, email IDs, mobile numbers, credit card details, etc. This critical vulnerability could prove devastating to the company if it is not fixed as soon as possible. Below are the details about the company and the discovered vulnerability.


About the Company

4XP is an online forex broker that specializes in providing an all-inclusive trading package backed by a caring and devoted support team. 4XP was founded by a group of retail-ended entrepreneurs and capital market dealers sharing a vision for creating a customer-oriented brokerage service that would provide a compelling trading solution. 4XP strives toward creating the most professional and transparent trading environment possible.


Vulnerability details
Website: www.4xp.com

Vulnerability Type: Hidden SQL Injection Vulnerability

Database Type: MySQL

Alert Level: Critical

Threats: Complete Database Access, Database Dump, Shell Uploading


Worst case scenarios

A skilled malicious attacker could use this critical flaw to mount far more devastating attacks, such as:

- Uninterrupted access to the database

- Database dump

- Possibility of shell uploading, which may result in defacement of the website

- And much more


Proof of vulnerability

Source
