Full Disclosure mailing list archives

RE: NASA.GOV SQL Injections


From: "Jonathan A. Zdziarski" <jonathan () nuclearelephant com>
Date: Fri, 17 Oct 2003 09:08:07 -0400

Don't you think that some people in NASA might also be reading this list?

Hmm if I was in the top 1% of the smartest people in the world, I don't
know if I'd have the time to read all the flames and spam that occur on
this list.  They probably have a team of their own computer geniuses
auditing code on a daily basis, at which point it's only a matter of
time before they realize the flaw.

Just because you can cause a SQL error it doesn't necessarily mean you have found a security flaw: it might not be
possible to exploit it...

Hopefully they haven't given the user any privileged access (to delete, call shell functions, etc.), 
but come on though, if it's possible to inject SQL code there's most likely some way to exploit at least the database.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

