Avira.com SQL Injection and Security Filter Bypassing

Cyber security analyst Ebrahim Hegazy has found a SQL Injection vulnerability in Avira.com, the website of the well-known Avira Antivirus vendor.

Ebrahim Hegazy (@Zigoo0), Cyber Security Analyst Consultant at Q-CERT, who found a SQL Injection in Yahoo! about two months ago, has found a new SQL Injection vulnerability in Avira.com, the website of the well-known Avira Antivirus vendor. The Avira.com SQL Injection allows remote attackers to inject their own SQL commands into the vulnerable application's database queries and so gain access to user data or any other data stored in the database.

Zigoo0 also succeeded in bypassing the filter that the Avira.com website used to block SQL Injection discovery attempts.

“When I tried to manipulate the parameters by adding a ' single quote to the parameter value to figure out if the parameter is vulnerable to SQLI or not, I got redirected to the main page (filter detection). So I tried the back-slash \ instead, and it worked: an SQL error appeared. It means that the filter used to block SQL Injection discovery attempts is not a behavior-based filter but is based on a black/white word list!” Zigoo0 revealed.
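The behaviour Zigoo0 describes, as an added example that is not part of the original article and is not Avira's code: a word-list filter blocks the obvious single-quote probe, but a backslash passes the list untouched and, once concatenated into the query, escapes the closing quote so the back end raises a syntax error. The blacklist contents, the table and column names, the shape of the vulnerable query and the choice of a MySQL-style lexer (backslash escapes the next character inside a string literal) are all assumptions for illustration; the article does not identify the database or the filter. The last function shows the fix a practitioner should apply instead of extending the word list: bind the value as a parameter so it never becomes part of the SQL grammar.

```python
"""Model of a keyword-blacklist SQLi filter, its backslash bypass, and the
parameterized-query fix. Added example; every name below is invented."""
import sqlite3

# Constructed blacklist: a typical word-list filter that redirects to the
# home page when any entry appears in a parameter value.
BLACKLIST = ("'", "\"", "union", "select", "--", "/*", " or ")


def blacklist_filter_blocks(value: str) -> bool:
    """Return True if the word-list filter would reject this value."""
    lowered = value.lower()
    return any(token in lowered for token in BLACKLIST)


def build_vulnerable_query(product_id: str) -> str:
    """The anti-pattern: the parameter is concatenated into the SQL text."""
    return f"SELECT name FROM products WHERE id = '{product_id}'"


def has_unterminated_string_literal(sql: str) -> bool:
    """Scan single-quoted literals with MySQL-style escaping (assumption).

    Inside a literal a backslash escapes the next character and two
    consecutive quotes form one literal quote. If the scan ends while still
    inside a literal, the server would report a syntax error.
    """
    in_literal = False
    i = 0
    while i < len(sql):
        ch = sql[i]
        if not in_literal:
            if ch == "'":
                in_literal = True
        elif ch == "\\":
            i += 1  # skip the escaped character, whatever it is
        elif ch == "'":
            if i + 1 < len(sql) and sql[i + 1] == "'":
                i += 1  # doubled quote stays inside the literal
            else:
                in_literal = False
        i += 1
    return in_literal


def probe(value: str) -> str:
    """What the tester observes for one probe value against the
    filter-plus-concatenation model: 'redirect', 'sql_error' or 'ok'."""
    if blacklist_filter_blocks(value):
        return "redirect"  # the filter caught a listed token
    sql = build_vulnerable_query(value)
    return "sql_error" if has_unterminated_string_literal(sql) else "ok"


def lookup_product_safely(product_id: str):
    """The fix: the value is bound as a parameter, so neither a quote nor a
    backslash can alter the query. Uses an in-memory SQLite table with one
    constructed row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id TEXT PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO products VALUES ('42', 'Antivirus Pro')")
    rows = conn.execute(
        "SELECT name FROM products WHERE id = ?", (product_id,)
    ).fetchall()
    conn.close()
    return [name for (name,) in rows]


if __name__ == "__main__":
    for value in ("42", "42'", "42\\"):
        print(f"{value!r:8} filter+concat: {probe(value):10} "
              f"parameterized: {lookup_product_safely(value)}")
```

The probe `42'` is stopped by the list, yet `42\` reaches the database and breaks the literal, which is exactly the signal a tester needs to confirm injection; the parameterized lookup simply returns no row for either input. A filter that matches tokens can only ever enumerate the payloads its author thought of, and the redirect itself leaks that a filter exists.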

Zigoo0 sent me a video as a proof of concept for the Avira.com SQL Injection vulnerability:

The timeline for the Avira.com SQL Injection vulnerability is:

2013-05-25:    Vendor Notification
2013-05-31:    Vendor Fix/Patch

I decided to publish the news even though the Avira.com SQL Injection vulnerability has already been fixed, for two main reasons:

First, I want to highlight the prompt response of Avira, which fixed the flaw within a few days; this is not common, as recent events and data breaches demonstrate.

Second, we must consider that SQL Injection vulnerabilities are responsible for a meaningful portion of observed attacks, and security teams and system administrators have to treat this category of vulnerabilities with great attention.

To get an idea of the number of attacks that exploit this kind of flaw, I propose some interesting statistics published on the Hackmageddon.com website for the period January-May 2013.

“The Distribution of Attack Techniques assigns to the SQL injection the crown of the most used weapon for the month of May. DDoS is “only” at the third place with half of the occurrences. It is interesting to notice the high rate of attacks made by means of account hijacking, at number four with 12% of occurrences, a clear consequence of the long trail of high-profile attacks perpetrated by the Syrian Electronic Army.”

Pierluigi Paganini

(Security Affairs –  Avira.com SQL Injection)

Pierluigi Paganini: Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
