SQL Injection discussion...the who's the what's the how's
Apoptosis 
14/6/08 3:11:43 PM
Champion

My bad. I had the page open before you posted so I didn't see your post before I posted mine :)

Well, I browsed using FF in my VM with JavaScript on and it's not broken it yet :( lol

-----

TheSecret 
14/6/08 4:22:13 PM
Learner
This is what happens when you roll your own without bothering to test extensively.

-----

plebsmacker 
14/6/08 5:45:30 PM
Hero
Immortal


wow, interesting move.

-----
Give me ambiguity or give me something else

Nich... 
15/6/08 3:43:44 AM
Hero
Immortal


Quote by TheSecret
This is what happens when you roll your own without bothering to test extensively.


Is that what happens when you post without bothering to know what's actually going on?

-----
WTB Juliette et Chocolat in Australia, PST

-80 
15/6/08 9:54:01 AM
Banned

I wondered where this thread went.

-----
Mercury - you've got my number

TheSecret 
15/6/08 12:53:06 PM
Learner
Quote by Nich...
Quote by TheSecret
This is what happens when you roll your own without bothering to test extensively.


Is that what happens when you post without bothering to know what's actually going on?



No. Feel free to clarify if I have somehow missed something though.

-----

eckythump 
15/6/08 11:10:44 PM
Overlord

Quote by Nich...
Quote by TheSecret
This is what happens when you roll your own without bothering to test extensively.


Is that what happens when you post without bothering to know what's actually going on?


I tend to agree with him. If you're going to roll your own, you really do need to be extra careful with such things, because unless you've got as many eyes looking at the source code, and as many minds pondering ways people might try and fuck things up, then you're inherently more likely to overlook something.

I wouldn't ever use IIS + ASP for hosting a serious website, so my familiarity with ASP DB functionality is zero, but one would hope it provides a non-retarded DB API.

Anyone who's spent a lot of time using Perl DBI will know the joy of prepare() and execute() methods. Add in taint mode for extra safety and you'd have to do something epically stupid to end up vulnerable.

And it's always nice to link to an xkcd comic, even if it's linked to regularly. :)

http://xkcd.com/327/

-----
"Grandfather had an accident, he got burnt." "Oh no, how bad?" "Well, they don't fuck around at the crematorium."
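The prepare()/execute() pattern eckythump describes, shown as an added example (not code from the forum or from any of the posters): a constructed in-memory SQLite table stands in for the forum's user store, a login check built by string concatenation is placed beside one that passes the values separately through a prepared statement, and a third variant adds an allowlist check on the username as defence in depth. The table contents, the `login_*` function names and the `USERNAME_RE` pattern are all assumptions made for the illustration.

```python
import re
import sqlite3

# Constructed sample data: a tiny user table standing in for a forum backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "correct-horse"), ("bob", "battery-staple")],
    )
    return conn


def login_concat(conn, username, password):
    """Vulnerable form: the SQL text is assembled from the raw input, so a
    quote character in the input changes the structure of the statement."""
    sql = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone() is not None


def login_prepared(conn, username, password):
    """Hardened form: the statement is prepared with placeholders and the
    values travel separately, so the driver only ever treats them as data.
    This is the prepare()/execute() idiom from Perl DBI, expressed with the
    sqlite3 module's parameter binding."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# Hypothetical allowlist for usernames, in the spirit of taint checking:
# reject anything that does not look like an account name before it is used.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def login_defended(conn, username, password):
    """Defence in depth: validate the shape of the username first, and still
    bind both values as parameters (validation alone is not the fix)."""
    if not USERNAME_RE.fullmatch(username):
        return False
    return login_prepared(conn, username, password)


def demo():
    """Run the same credentials through each variant and report the outcomes."""
    conn = make_db()
    # Classic tautology payload, used here only to show the difference in
    # behaviour between the two query-building styles.
    hostile = "' OR '1'='1"
    return {
        "concat_valid": login_concat(conn, "alice", "correct-horse"),
        "concat_hostile": login_concat(conn, "alice", hostile),
        "prepared_valid": login_prepared(conn, "alice", "correct-horse"),
        "prepared_hostile": login_prepared(conn, "alice", hostile),
        "defended_valid": login_defended(conn, "alice", "correct-horse"),
        "defended_hostile": login_defended(conn, hostile, "x"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'login accepted' if ok else 'login rejected'}")
```

The concatenated query accepts the hostile password because `AND` binds tighter than `OR`, so the trailing `OR '1'='1'` matches every row; the prepared statement compares the password column against the literal string and finds no match. The allowlist layer is what lets an application reject malformed input early, which is the kind of shield forum code can offer even when the database underneath has its own problems.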

TheSecret 
15/6/08 11:25:55 PM
Learner
That's pretty much it.

This forum still has some holes in it, and they won't be fixed until they are exploited the next time. It's one thing to roll your own for reasons of pride and bringing together a community and in keeping with a spirit, but when the result is subpar, it achieves the opposite.

-----

Nich... 
16/6/08 6:01:27 AM
Hero
Immortal


So, generally speaking, all of the affected websites across the world were hand-rolled, just like this one?

It sounds to me like the issue was a database one. As in, the backend of the site wasn't patched to fix a vulnerability. As in, it's not really related to the forum software sitting on top of the SQL database so much?

-----
WTB Juliette et Chocolat in Australia, PST

chrisg 
16/6/08 6:15:17 AM
SuperHero
Immortal


Yes and no Nich.

The exploit was at DB level, but, well maintained forum code, like SMF, provides a shield that seems to have kept it out.

The next week will be interesting, thus far I've not seen a single SMF forum affected, but, that could just be happenstance. Similarly haven't seen any Sharepoint based sites having trouble, but, two big Websphere sites are in deep shit.

A lot of it is pretty random, depending upon user interaction as much as anything, which is why aware and wise admins have lost a weekend on commercial sites getting ready for renewed user activity.

So much as anything it is an object lesson on keeping patches up to date, the exploit is not new, anything but.

Just analysing what has been happening this year with sql injections is thesis material :-)

Cheers

-----
You can always tell a guy who has been troubleshooting too long - he has a shotgun in his toolkit.

exIex 
16/6/08 3:13:48 PM
Master

The latest Ad-Aware along with updated AVG 7 missed adware.generic3.dwm but as MEC let us know AVG 8 will do the job. It removed the malware which I believe I received via this attack.

There is a free version of AVG 8 now.

-----
the divine light in me salutes the divine light in you

TheSecret 
16/6/08 3:25:45 PM
Learner
Quote by Nich...
So, generally speaking, all of the affected websites across the world were hand-rolled, just like this one?

It sounds to me like the issue was a database one. As in, the backend of the site wasn't patched to fix a vulnerability. As in, it's not really related to the forum software sitting on top of the SQL database so much?



Except if the forum software had had appropriate safeguards in, it might not have happened.

There is a reason it is usually considered bad to reinvent the wheel, especially in programming.

-----

segger 
16/6/08 5:01:28 PM
Champion

Quote by TheSecret
There is a reason it is usually considered bad to reinvent the wheel, especially in programming.



There are also financial and technical reasons why it is sometimes necessary.

-----
Random spam subject #5:
Update your Penis

TheSecret 
17/6/08 4:52:40 AM
Learner
Not in this case. There is no technical reason, and no financial reason, to spend more hours on development time to create something weaker than what's out there.

-----

segger 
17/6/08 11:42:35 AM
Champion

I'm sorry, I obviously didn't notice that you work for AJB/Haymarket and have full knowledge of the developmental history of the website.

Of course, if this assertion is incorrect then you wouldn't be in a position to know:

* whether existing forum software met Haymarket's business requirements

* whether such software was customisable enough to fit what they needed it to do

* whether they avoided it because it was mostly bug-ridden (e.g. PHPBB prior to v3)

* what the development time actually costs versus the price of buying and supporting commercial software

* whether an appropriate solution was available based on the platform the site is running on

* how 'strong' the forum code actually is compared to other offerings, since you wouldn't have analysed and compared both

* any of a multitude of other factors which may have been taken into account


Edited by segger: 17/6/2008 11:43:39 AM

-----
Random spam subject #5:
Update your Penis

TheSecret 
17/6/08 12:27:06 PM
Learner
I don't work for AJB/Haymarket, I do however work as a security consultant in my professional capacity, have done for a long time, and am quite good at it.

The points you make have nothing to do with the security of the forum, except to reinforce the fact that it is inferior, from a technical and security standpoint, to other offerings such as some of the commercial offerings (which may not have been cheaper when the forums started out, but certainly would be now), or the free opensource offerings, which are mature and stable, and free.

There are many offerings which met Haymarket's business requirements, which are mature and tested (or at least more tested than a forum written just so there could be a forum), which would have been cheaper in every way, and which wouldn't have anywhere near the problems the current forum has.

I'm not trying to hate on atomic or the forum, but stop trying to defend something that is fundamentally flawed, and the result of a bad decision. I don't know why I replied to you though, none of your points, nor if I was working for AJB/Haymarket would negate what I said.

-----

segger 
17/6/08 1:25:22 PM
Champion

You have asserted that:

a) AJB/Haymarket had no reason for developing their own forum
b) the forum is more insecure ("weaker") than other commercial or free offerings
c) AJB/Haymarket's requirements could have otherwise been fulfilled by alternative software

Maybe, hypothetically, all of the above points are 100% true - but even if you have all the knowledge in the world regarding every other piece of forum-providing software out there, without the knowledge of why each decision was made or the inner workings of the code in use here, you're not in a position to assess any of the above points.

-----
Random spam subject #6:
bomb her womb from your huge cannon!

TheSecret 
17/6/08 1:54:08 PM
Learner
I did not say that AJB/Haymarket had no reason, just a bad reason. It's also logical, and apparent, that the forum is necessarily more insecure than other offerings, and of course the requirements could be fulfilled by other forum software.

The problem I had, was that the forum was originally written to keep within the spirit of the community, to show the talent of atomic and to be unique. Since the forum is actually worse than a lot of other forum software out there (a sentiment shared by many on this forum), then they have only succeeded in the last point.

-----

segger 
17/6/08 4:31:45 PM
Champion

Quote by TheSecret
I did not say that AJB/Haymarket had no reason, just a bad reason.



That's how I inferred your statements below...

Quote by TheSecret
Not in this case. There is no technical reason, and no financial reason, to spend more hours on development time to create something weaker than what's out there.



I suppose I should have read it as "There is no valid reason...". Either way, it's still your opinion as we have no direct facts on the reasoning behind the various forum-related decisions.

Quote by TheSecret
It's also logical, and apparent, that the forum is necessarily more insecure than other offerings



I'd say it's a possibility, but not a certainty. Even if the forum had been successfully exploited a significant number of times each year, one can't say for certain that it's inherently more insecure than other software without looking at the vulnerabilities which were raised (and are likely to be much higher profile due to more widespread usage) for that software.

Quote by TheSecret
The forum is actually worse than a lot of other forum software out there



In the opinion of some.

-----
Random spam subject #6:
bomb her womb from your huge cannon!

Nich... 
18/6/08 7:29:14 AM
Hero
Immortal


Quote by TheSecret
The problem I had, was that the forum was originally written to keep within the spirit of the community, to show the talent of atomic and to be unique.


Are you sure?

I always got the impression it was limited to budget constraints.

And, you know, how awful some other software was at the time.

-----
WTB Juliette et Chocolat in Australia, PST
