RE: Sql Injection big5 consultancy

["Schmehl, Paul L" <pauls () utdallas edu>]

I would report it to them.  It accomplishes several things; it
establishes your credibility vis a vis your qualifications, it
establishes your *honesty* (you were willing to warn them rather than
take advantage of it), it gives you an opportunity to see how *they*
will react when you warn them of an exploitable hole (do you really want
to work for a company that would ignore such obvious blunders?) and it
places you head and shoulders above their existing staff.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 

> -----Original Message-----
> From: joseph blater [mailto:t5con () hotmail com] 
> Sent: Monday, June 23, 2003 12:49 AM
> To: full-disclosure () lists netsys com
> Subject: [Full-disclosure] Sql Injection big5 consultancy
>
>
> Hello list,
>
> While updating my resume at a regional HR site of a top5 
> consultancy, I 
> faced a programming bug (terribly written asp dissapeared 
> with my session 
> id), which returned an OLE Error.
> I decided to make a little test, so I started playing with 
> sql injection. 
> Surprisingly, it worked. Every Sql Server attack I attempted 
> worked, no 
> stripping or customized exceptions.
> So far, I counted over 50 fields in the same table... damned 
> be their dba. 
> This table has all candidate resumes and, deducing by the 
> names of the 
> fields, all employees resumes with current classification 
> inside the corp 
> (Potential,Supervisor,Inscription and so on).
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html