Hacker claims SQL bug on Symantec site

A Romanian hacker who has spent the past few weeks exposing a common, but dangerous, Web programming error on security vendors Web sites says he's found a SQL injection flaw on Symantec's Web site. But Symantec says it's not a security issue.

Still, Symantec was forced to pull down a section of the company's Web site Thursday after a Romanian hacker, going by the name Unu, claimed that he'd found the bug in Symantec's Document Download Center, a password-protected part of the company's site where channel partners can download sales materials for the company's products.

The site hosts marketing materials and Symantec said that no company or customer information was exposed.

"Symantec immediately took the site down, conducted comprehensive testing and determined that the issue is not a security vulnerability," the company said in a statement Thursday. "It appears that the individual who reported it based the report on an error message."

Symantec representatives were unable to comment in detail on the matter, but at worst, the issue is an embarrassment for Symantec, the world's best-known computer security vendor. "The irony of the situation is that it’s done on ... a page that promotes security products like Norton AntiVirus 2009 and Norton Internet SECURITY," Unu wrote in his note describing the problem. "What can I say: nice advertising."

In a SQL injection attack, the hacker takes advantage of bugs in Web programs that query SQL databases. The point is to find a way to run commands within the databases and access information that would normally be protected.

These flaws have been used in widespread Web attacks, that have allowed criminals to place malicious code on thousands of Web sites over the past year.

Based on Unu's description of the matter, it's unclear whether he found a legitimate SQL injection flaw, said Robert Hansen, CEO of SecTheory, a Web security consultancy. "He could be absolutely right. This could be SQL injection, but so what," he said. "Maybe [sales materials are] really valuable to an attacker, but I doubt it."

Just over a week ago, Unu found a similar problem in Kaspersky Lab's site, as well as in a partner site for security vendor BitDefender, and in the F-Secure Web site.

The attacks have exposed data that the vendors had wanted to protect such as customer e-mail addresses, product activation codes and research data, but not financial information.

"While the attack is something we must learn from and points at things we need to improve, it's not the end of the world," wrote F-Secure in a blog posting, commenting on the matter. In the F-Secure attack, the hacker was able to get access to statistics the company keeps on malicious software.

The IDG News Service is a Network World affiliate.