funsec mailing list archives
Re: Police secret password blunder
From: Valdis.Kletnieks () vt edu
Date: Wed, 05 Apr 2006 12:34:32 -0400
On Wed, 05 Apr 2006 09:00:09 PDT, Jeff Rosowski said:
> Why stop there? It gets better if you are a little more patient: http://www.google.com/search?q=%22View+TABLE%3A%22+ID+%22Full+Name%22+email+password+Organization+site%3Acustomscripts.police.nsw.gov.au&btnG=Search
>
> Hey, Nicole and Webb have the same password as me!
>
> I'm still wondering why the passwords were being stored as plain text.
Perhaps because the programmer was a clueless dweeb who probably didn't even know that the literal string "zz' OR 1==1 --", when seen in a name, address, or phone number field, is a Super Secret Leet Code that means the computer should bend over, grab its ankles, and prepare for an SQL injection.... Or more likely, reality and/or management dictates intervened.

Many years ago, a file with plaintext passwords got 0wned on one of our servers. Why were they plain text? Well, there was a cryptic comment in one source code module that said something along the lines of "This is Bad. Fix it the next flag-day update we get approved". Of course, it took a 0-day hole in the Gopher server some time after the programmer had left to finally force approval of the flag-day update that hadn't happened....
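The two failures the thread pokes at, a name field pasted into SQL text and passwords stored as plain text, side by side with their fixes. This is an added example, not code from the thread or from the site discussed; the table columns mirror the ones the search result exposed, the rows and passwords are constructed, and the SQL is SQLite, which accepts the `==` spelling from the quoted string.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample data shaped like the exposed table (ID, Full Name, email,
# password, Organization). Two users share a password, as in the thread.
ROWS = [
    (1, "Nicole Example", "nicole@example.invalid", "letmein", "Org A"),
    (2, "Webb Example", "webb@example.invalid", "letmein", "Org B"),
    (3, "Jeff Example", "jeff@example.invalid", "hunter2", "Org C"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, full_name TEXT, email TEXT,"
               " password TEXT, organization TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", ROWS)
    return db


def lookup_concat(db, name):
    """Vulnerable: the name is spliced into the SQL text, so a quote in it
    closes the literal and the rest of the field is parsed as SQL."""
    sql = "SELECT full_name, password FROM users WHERE full_name = '" + name + "'"
    return db.execute(sql).fetchall()


def lookup_param(db, name):
    """Hardened: a bound parameter is always data, never syntax, so the
    same string simply matches no row."""
    return db.execute("SELECT full_name, password FROM users WHERE full_name = ?",
                      (name,)).fetchall()


def hash_password(password, salt=None):
    """Store a salted PBKDF2-HMAC-SHA256 digest instead of the password.
    A per-user random salt means equal passwords no longer look equal."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(stored, password):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 100_000)
    return hmac.compare_digest(digest.hex(), digest_hex)
```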
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.