Full Disclosure mailing list archives
RE: Sql Injection big5 consultancy
From: "Schmehl, Paul L" <pauls () utdallas edu>
Date: Mon, 23 Jun 2003 10:39:50 -0500
I would report it to them. It accomplishes several things: it establishes your credibility vis-à-vis your qualifications; it establishes your *honesty* (you were willing to warn them rather than take advantage of it); it gives you an opportunity to see how *they* will react when you warn them of an exploitable hole (do you really want to work for a company that would ignore such obvious blunders?); and it places you head and shoulders above their existing staff.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/
-----Original Message-----
From: joseph blater [mailto:t5con () hotmail com]
Sent: Monday, June 23, 2003 12:49 AM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Sql Injection big5 consultancy

Hello list,

While updating my resume at a regional HR site of a top-5 consultancy, I faced a programming bug (terribly written ASP disappeared with my session id), which returned an OLE error. I decided to make a little test, so I started playing with SQL injection. Surprisingly, it worked. Every SQL Server attack I attempted worked, no stripping or customized exceptions. So far, I counted over 50 fields in the same table... damned be their DBA. This table has all candidate resumes and, deducing by the names of the fields, all employee resumes with current classification inside the corp (Potential, Supervisor, Inscription and so on).
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
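The pattern the original post describes (a session id concatenated straight into a query, with the database's raw error returned to the browser, so that an ORDER BY probe counts the columns one error at a time) reduces to a few lines. The following is an added illustration, not code from the thread or from the HR site in question; it uses Python and an in-memory SQLite table as a stand-in for the ASP page and SQL Server the post talks about, and the table layout and rows are constructed for the example.

```python
import sqlite3

# Constructed stand-in for the candidate/resume table the post describes.
# Column names and rows are invented for this example.
ROWS = [
    ("sess-aaa", "Ann Candidate", "Potential", "resume text 1"),
    ("sess-bbb", "Bob Employee", "Supervisor", "resume text 2"),
    ("sess-ccc", "Cid Employee", "Inscription", "resume text 3"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE candidates ("
        "id INTEGER PRIMARY KEY, session_id TEXT, name TEXT, "
        "classification TEXT, resume TEXT)"
    )
    conn.executemany(
        "INSERT INTO candidates (session_id, name, classification, resume) "
        "VALUES (?, ?, ?, ?)",
        ROWS,
    )
    return conn


def lookup_vulnerable(conn, session_id):
    # The bug in the post: the session id is pasted into the SQL text, and
    # any database error propagates back to the caller unfiltered.
    sql = "SELECT * FROM candidates WHERE session_id = '" + session_id + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, session_id):
    # Hardened form: the value travels as a bound parameter, never as SQL text.
    sql = "SELECT * FROM candidates WHERE session_id = ?"
    return conn.execute(sql, (session_id,)).fetchall()


def count_columns_by_error(conn, lookup, limit=64):
    """Count the columns of the selected table the way the poster did:
    append ORDER BY 1, ORDER BY 2, ... until the database complains.

    Returns the column count for an injectable lookup, or None when no
    probe up to `limit` produced an error (i.e. the input is not being
    interpreted as SQL).
    """
    for n in range(1, limit + 1):
        try:
            lookup(conn, "x' ORDER BY %d -- " % n)
        except sqlite3.OperationalError:
            # "ORDER BY term out of range": the previous n was the last column.
            return n - 1
    return None


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, column count:", count_columns_by_error(db, lookup_vulnerable))
    print("safe, column count:", count_columns_by_error(db, lookup_safe))
    print("vulnerable, tautology rows:", len(lookup_vulnerable(db, "' OR '1'='1")))
    print("safe, tautology rows:", len(lookup_safe(db, "' OR '1'='1")))
```

Against the concatenating lookup the probe stops at the fifth column with a database error; against the parameterized lookup every probe is just an unmatched session id, returns no rows and raises nothing, so the same loop learns nothing. The tautology input shows the same split: all rows from the vulnerable query, none from the safe one.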