Re: Re: Security/Development Question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 2010-04-29 at 08:49 +1000, Ross McKay wrote:

> On Wed, 28 Apr 2010 16:54:56 -0400, "David Stoltz" wrote:
> 
> >[...]
> >We recently have added a very small web application that is vendor
> >supported. They said it's not working, so I investigated. I found that
> >our software protection was blocking their pages because they are
> >actually passing entire SQL queries in their form POSTs. Now, the app is
> >SSL protected, and they claim the queries are not executed - only
> >inserted into the database to be used later. They also said it's
> >protected by the ASP.NET framework authentication.... [...]
> 
> Unless they're storing the SQL queries so that they can show them later
> on, e.g. as text in a forum post, I think you have a major WTF on your
> hands! Please submit here!
> 
> http://thedailywtf.com/Contact.aspx
> 
> :)
> -- 
> Ross McKay, Toronto, NSW Australia
> "The chief cause of problems is solutions" -Eric Sevareid
> 


You could always try crafting your own query and attempt to insert
something of your own. If they complain after that you've broke their
system, you'll be able to tell them that it really wasn't that secure in
the first place.

Thanks,
Ash
http://www.ashleysheridan.co.uk



[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux