funsec mailing list archives
Typosquatter vulnerable to SQL injection!
From: der Mouse <mouse () rodents-montreal org>
Date: Sun, 21 Mar 2010 11:10:21 -0400 (EDT)
I tried to look at a webpage, typoed the domain name, and got select chrOrgType from tblOrgName where chrOrgName='The Rodents' Nest' limit 1You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'Nest' limit 1' at line 1 Guess who's vulnerable to an SQL injection attack! (I must admit a temptation to take a leaf from xkcd #327 and change my org name to "xyz'; DROP TABLE tblOrgName; --" and hit the page again, but between the effort involved and the fundamental ethical issues with vandalizing even a typosquatter's system, didn't.) /~\ The ASCII Mouse \ / Ribbon Campaign X Against HTML mouse () rodents-montreal org / \ Email! 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Typosquatter vulnerable to SQL injection! der Mouse (Mar 21)