funsec mailing list archives

Typosquatter vulnerable to SQL injection!

From: der Mouse <mouse () rodents-montreal org>
Date: Sun, 21 Mar 2010 11:10:21 -0400 (EDT)

I tried to look at a webpage, typoed the domain name, and got

   select chrOrgType from tblOrgName where chrOrgName='The Rodents' Nest'
   limit 1You have an error in your SQL syntax; check the manual that
   corresponds to your MySQL server version for the right syntax to use
   near 'Nest' limit 1' at line 1

Guess who's vulnerable to an SQL injection attack!  (I must admit a
temptation to take a leaf from xkcd #327 and change my org name to
"xyz'; DROP TABLE tblOrgName; --" and hit the page again, but between
the effort involved and the fundamental ethical issues with vandalizing
even a typosquatter's system, didn't.)

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML                mouse () rodents-montreal org
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Typosquatter vulnerable to SQL injection! der Mouse (Mar 21)