"I didn't want to make something bad!" c0de.breaker wrote in a web posting. "Only to show NASA (has) many vulnerable subdomains to SQLI (SQL injection), XSS (cross-site scripting), etc."
The hacker gained access through a combination of a SQL injection and poor access controls, said Gunter Ollmann, vice president of research at the IT security firm Damballa and former chief security strategist at IBM Internet Security Systems. He said c0de.breaker lifted 25 administration credentials off of both servers. "NASA needs to get these sites secure as soon as possible," Ollmann said. "Any script-kiddie can walk in there and start adding their favorite drive-by download exploits as it stands."
SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application.
The National Aeronautics and Space Administration has had major problems securing its websites for years. In October, the Government Accountability Office issued a report that said the space agencies reported 1,120 security incidents that have resulted in the installation of malicious software on its systems and unauthorized access to sensitive information in fiscal years 2007 and 2008. And, GAO said, NASA systems remain vulnerable despite the establishment of a security operation center last year to deter such incidents.
A request has been made to NASA for a comment, and it will be posted when an agency official responds.