Web Site Vulnerabilities
From: Cory Foy (usergroupcornetdesign.com)
Date: Mon Oct 25 2004 - 18:42:53 CDT
Recently I came across two web sites that had various vulnerabilities.
One was subject to a basic SQL injection attack to log in to their
customer side, and the other was displaying ASP code in the page that
listed not only various function definitions, but login, URL and
passwords (including sa) for their database.
In both cases I have working relationships with the managers and sent an
email off to them. In both instances the managers replied that they were
aware of the issues and the SQL injection attacks, but didn't feel it
was a priority to fix.
On one of the sites I could understand. It is basically a portal to
publicly available information, and no secure information is stored in
their system. The second was on a machine that passed authentication
information to a remote banking site and though I don't know, would
surmise that it might be possible to jump off of it if compromised.
Have we really become so lax in our thinking that security issues such
as these can be shrugged off? Don't get me wrong, I'm not suggesting
that either of these cases should kill all development and immediately
fix it (though in the case of SQL injection attacks it is so easy to
fix...). But some response should at least be justified (for example,
with the banking site, whose vuln is still present). Or is it fine to
postpone worrying about problems such as these if you don't think they
will have an impact?
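
The message above calls SQL injection easy to fix. The following is an added example, not part of the original post, that places a string-built login query beside its parameterized form and runs both against the same constructed input. The `customers` table, the function names and the sample credentials are assumptions made for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in an in-memory database.
    # Plaintext passwords are used only to keep the example short;
    # a real system would store a salted password hash.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO customers VALUES (?, ?)", ("alice", "correct-horse"))
    return db

def login_concatenated(db, username, password):
    # Vulnerable pattern: input is spliced into the SQL text, so a quote
    # character in the input changes the structure of the query itself.
    sql = ("SELECT username FROM customers WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    # Fix: placeholders bind the input as data; the query structure is fixed.
    sql = "SELECT username FROM customers WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Constructed input containing a quote and an always-true comparison.
CRAFTED = "' OR '1'='1"

def compare():
    # Run both login functions over the same valid, wrong and crafted inputs.
    db = make_db()
    cases = {"valid": "correct-horse", "wrong": "guess", "crafted": CRAFTED}
    return {
        name: (login_concatenated(db, "alice", pw),
               login_parameterized(db, "alice", pw))
        for name, pw in cases.items()
    }

if __name__ == "__main__":
    for name, (concat, param) in compare().items():
        print(f"{name:8} concatenated={concat} parameterized={param}")
```

Only the crafted input separates the two functions, which is why the fix amounts to changing how the query is built rather than reworking the login logic.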