Sohu IT, September 29 morning news: the Ministry of Railways' 12306 website has been exposed as having security vulnerabilities, triggering a strong reaction in the industry. Network security expert Zhang Baichuan told Sohu IT that the vulnerabilities have reached the most serious security level; if they are not closed in time, the personal information held in the database, including booking information, "may" be obtained by others.
Sohu IT exclusive: an anatomy of the 12306 site's structure
Zhang Baichuan said that the programming process was not rigorous and that the developers' database knowledge was only enough to build the system: it was limited to making it usable, not considered from a variety of perspectives. The Ministry of Railways, he said, must "open up, set the monopoly aside, and take the initiative to invite teams like Sohu, Sina, Alibaba (Taobao), Tencent and Jingdong to study the current situation and find a solution."
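The report names SQL injection and cross-site scripting (XSS) as the vulnerability classes found on the site. The Python example below is added here by the editor; it is not code from the article, from Zhang Baichuan, or from the 12306 site. It uses an in-memory SQLite database with constructed sample accounts and bookings (every username, password and ID number in it is made up) to show how a query built by string formatting lets an attacker log in as the administrator and dump other tables, and how the same functions behave once the query is parameterised and the page output is HTML-encoded.

```python
import html
import sqlite3


def build_db():
    """Create an in-memory database with constructed sample rows.

    Passwords are stored in plaintext purely to make the dump visible;
    a real system would store salted hashes.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("CREATE TABLE bookings (username TEXT, train TEXT, id_number TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "s3cret-admin", "admin"), ("alice", "alice-pw", "user")],
    )
    conn.executemany(
        "INSERT INTO bookings VALUES (?, ?, ?)",
        [("alice", "G101", "ID-0001"), ("admin", "D301", "ID-0002")],
    )
    return conn


# --- SQL injection: vulnerable pattern ---------------------------------
def login_vulnerable(conn, username, password):
    # User input is pasted into the SQL text. A username of  admin' --
    # closes the string literal and comments out the password check.
    query = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def search_bookings_vulnerable(conn, username):
    # Same flaw on a data-retrieval query: a UNION appended to the input
    # makes the database return rows from any other table with a
    # matching column count, here the users table with its passwords.
    query = (
        "SELECT username, train, id_number FROM bookings "
        "WHERE username = '%s'" % username
    )
    return conn.execute(query).fetchall()


# --- SQL injection: hardened pattern -----------------------------------
def login_safe(conn, username, password):
    # Parameter binding sends the input as data, never as SQL text.
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def search_bookings_safe(conn, username):
    query = "SELECT username, train, id_number FROM bookings WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


# --- XSS: reflecting a search term into HTML -----------------------------
def render_result_vulnerable(term):
    # The term is echoed verbatim, so a <script> payload runs in the browser.
    return "<p>Results for: %s</p>" % term


def render_result_safe(term):
    # HTML-encoding the term turns markup into inert text.
    return "<p>Results for: %s</p>" % html.escape(term, quote=True)


if __name__ == "__main__":
    db = build_db()
    bypass = "admin' --"
    dump = "x' UNION SELECT username, password, role FROM users --"
    print("vulnerable login :", login_vulnerable(db, bypass, "wrong"))
    print("safe login       :", login_safe(db, bypass, "wrong"))
    print("vulnerable search:", search_bookings_vulnerable(db, dump))
    print("safe search      :", search_bookings_safe(db, dump))
    print(render_result_vulnerable("<script>alert(1)</script>"))
    print(render_result_safe("<script>alert(1)</script>"))
```

The two injection inputs used here are the comment-truncation and UNION techniques that automated scanners apply when they "run out the data inside the database"; sqlite3 refuses stacked statements in a single `execute`, so the example does not rely on them. The fix is the same in every case: bind parameters instead of formatting strings, and encode data at the point where it is written into HTML.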
The following is the full text of Sohu IT's written interview:
Zhang Baichuan
Sohu IT: What is the severity level of the vulnerabilities currently exposed on the Ministry of Railways' 12306 site, and how much harm can they do?
Zhang Baichuan: What we have seen are SQL injection and cross-site scripting (XSS) vulnerabilities. In all kinds of website security assessment software, both of these are rated at a high level, because most of the time they can be used to obtain some data, such as the administrator account and password (with which, if you know the back-end address, you can log in), booking information, and so on. In serious cases, the personal information inside the database, including booking information, could all be obtained. (I say "could" because nobody has actually opened the database, but that is not to say it is impossible; after all, the legal risk is too great, and anyone who did would not say so publicly.)
Sohu IT: How difficult are the vulnerabilities currently exposed on the 12306 site to attack?
Zhang Baichuan: SQL injection and XSS cross-site vulnerabilities vary in difficulty. At the lowest level, using tools, the data inside the database can be run out in one minute; at the high level, you need tools combined with manual attack. The same vulnerability can differ greatly in how hard it is to exploit. The 12306 holes at least do not belong to the "idiot-level" category, otherwise they would long since have been taken by junior high school kids who practice this.
Sohu IT: Why does such a loophole exist on the 12306 website? What is the technical reason behind it?
Zhang Baichuan: The programming process is not rigorous, and the database knowledge is only enough to build the system; it is limited to "making it work", not considered from a variety of perspectives.
At present, what has burst out on, for example, microblogs (SQL injection and XSS cross-site vulnerabilities) comes from their own lack of security awareness or from a low skill level. Some people say: was this a graduation project?
And, judging from the tests of some friends currently in the security circle, save itself