eBay closes critical security holes
The online auction house eBay has fixed two vulnerabilities in its US web site. One of the vulnerabilities was a critical SQL injection hole in the site's selling area that gave potential attackers unauthorised read and write access to one of the company's databases. SQL injection holes allow attackers to inject database commands by exploiting inadequately filtered HTTP parameters.
The hole was discovered by security researcher David Vieira-Kurz, who confidentially reported the security issue to eBay. The researcher said that the company responded quite quickly and closed the hole after 20 days. Talking to The H's associates in Germany, heise Security, Vieira-Kurz said that he didn't verify whether the hole allowed potential intruders to access other eBay users' data.