Full Disclosure mailing list archives

RE: NASA.GOV SQL Injections

From: "Russ Spooner" <rspooner () unipalm co uk>
Date: Fri, 17 Oct 2003 09:22:40 +0100

Dont you think that some people in nasa might also be reading this list?

Just because you can cause a sql error it doesnt necessarily mean you have found a security flaw: it might not be 
possible to
exploit it...

-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com]On Behalf Of
mcbethh () op pl
Sent: 15 October 2003 19:24
To: Lorenzo Hernandez Garcia-Hierro
Cc: full-disclosure
Subject: Re: [Full-disclosure] NASA.GOV SQL Injections


On Wed, 15 Oct 2003 01:45:02 +0200
"Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com> wrote:

Hi all again,
http://liftoff.msfc.nasa.gov/toc.asp?s=Tracking&apos;
admits sql characters injection but seems not easy to include
successful queries
security of nasa websites sucks ( sucks the web app security...)


Man... Who, other than nasa.gov itself, is affected by this bug ?!
Why are you posting it here? You even didn't contacted nasa.gov
admins... Hehehe.. It is obvious that my theory about you wanting fame
is correct. I remember similar post some time ago.. Some wise person
asked 'if you find server with wuftpd 2.4.2, do you send post to
full-disclosure that that host is vulnerable?'
Think dude.

mcbethh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



------------------------------------------------------------------
CRN Channel Awards 2003 - 10th Anniversary
Unipalm has been shortlisted for Specialist Distribution Partner
Vote for us at http://www.crn.vnunet.com by clicking the logo
-------------------------------------------------------------------
CONFIDENTIALITY AND DISCLAIMER NOTICE

This e-mail is intended only for the addressee named above and the
contents should not be disclosed to any other person nor copies
taken. Any views or opinions presented are solely those of the
sender and do not necessarily represent those of ComputerLinks (UK) Ltd.
(trading as Unipalm) unless otherwise specifically stated. As
internet communications are not secure we do not accept legal
responsibility for the contents of this message nor responsibility
for any change made to this message after it was sent by the
original sender. We advise you to carry out your own virus check
before opening any attachment as we cannot accept liability for any
damage sustained as a result of any software viruses.
-------------------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

NASA.GOV SQL Injections Lorenzo Hernandez Garcia-Hierro (Oct 14)
- Re: NASA.GOV SQL Injections mcbethh (Oct 16)
  - RE: NASA.GOV SQL Injections Russ Spooner (Oct 17)
    - RE: NASA.GOV SQL Injections Jonathan A. Zdziarski (Oct 17)
- <Possible follow-ups>
- RE: NASA.GOV SQL Injections Schmehl, Paul L (Oct 17)
  - RE: NASA.GOV SQL Injections Jonathan A. Zdziarski (Oct 17)
    - RE: NASA.GOV SQL Injections Ron DuFresne (Oct 17)
    - RE: NASA.GOV SQL Injections Jonathan A. Zdziarski (Oct 17)
    - RE: NASA.GOV SQL Injections Ron DuFresne (Oct 17)
    - RE: NASA.GOV SQL Injections madsaxon (Oct 17)
    - Re: NASA.GOV SQL Injections Gregory A. Gilliss (Oct 17)
    - Re: NASA.GOV SQL Injections Ron DuFresne (Oct 17)
    - Re: [SD:jason.full-disclosure] RE: NASA.GOV SQL Injections Jason Freidman (Oct 17)

(Thread continues...)