Admin
A lot of people for many things.
Admin
That being said, we still have far too many of those Access beasts out in the wild. It would help if we stopped installing Access as part of the standard desktop but that's too easy.
Admin
After years of practice, I finally found a use for Access; rapidly writing queries to access MySQL via ODBC. If I was any good at writing SQL then Access would be truly useless...
Admin
I see your 2 megs and raise you 6. Yes, that's right, we had pages with 8 megs of postback...over dial-up.
Admin
This actually sounds like everything worked as intended. Yes, there are technical problems, but...
We're talking about an HR system. Which means people's private data. Which most companies are wary of having internal IT able to view, as it allows IT staff to view everyone's salaries. So it is very common to outsource HR.
Likewise, IT's job is not actually to make technical decisions. It is to make technical recommendations, then let management decide which is more important -- the technical needs, or the business needs. In this case, the business need for HR to be outsourced is more important to management than the technical issues.
So yes, there are issues here. The biggest one being a lack of effort to find a better vendor. But it sounds like the evaluation process worked exactly as intended.
Admin
"Thank you" from someone who does not know .ASP. I understood the concept of code injection, but like Protector one I did not know how that particular item worked.
Admin
I don't think you understand the security implications here. Instead of hiding information, all information is now publicly available.
Admin
[quote user="Barrett Jacobsen"][quote user="Protector one"]Could someone explain why typing ' OR ''=' in the password field would give him access to anything? I don't see the magic happening there. :/[/quote]
sometimes I getted scared
Admin
It's quite useful to have an integrated visual query and report builder in your admin system; we use it with a MySQL backend (via ODBC). It's damn simple to extend (DAO for standard SQL, ADO if you need DB-specific dialect).
And, why not rs("username")? Saves you from RSD....
Admin
You don't think management is going to take the fall, do you? Like in this case when everyone in the company becomes a victim of identity theft due to HR type info being served via a web page. We dumped our last HR system after their implementation team told us we needed to put the anonymous Internet user account in local admin on the web server. What could possibly go wrong?
Admin
SQL Injection FTW!
Admin
Yeah, not so much. All the projects I've worked on were fairly heavy SQL and Oracle installs, which is unsurprising considering that they're business partners.
~I
Admin
But surely ' OR ''=' would be hashed and compared to the hashed password stored in their database ...
Admin
I've always thought that people who bullshit for a living (i.e. marketing people) would be immune to other people's bullshit, but no, this has not been my experience. It seems to me that the people who are most vulnerable to marketing-speak are other marketing people.
Which leads me to the deeply worrying and shocking conclusion that marketing people actually believe their own bullshit! And naturally assume that other marketing "professionals" are telling the complete, total, 100% truth.
This conclusion makes me weep for humanity.
Admin
As a current Accenture employee, I can safely say I've never seen anyone use Access. I've had people ask about using Access, and merrily told them "don't", but no one actually using it. I'm sure they're out there somewhere. On the other hand, I do routinely work with Sybase.
Admin
So because some bloke in IT doesn't like Microsoft, he tried to obstruct HR from setting up a web portal the way they wanted to do it. He misled management about the quality of Access (it isn't that bad) and the nature of the application (an internal HR site isn't really "production").
Did he consider the situation from HR's POV? Of course not. If he did, he'd have realised that a system that's easy to set up will save the most time overall. The next Amazon or Google was not required here.
Submitter is the real-life incarnation of Mordor the denier of information services. When he didn't get his way, he broke his NDA on a web blog whose sole purpose is to indulge whiny geeks. What an obstructionist, passive-aggressive l()()zer!!!1
Admin
When I try this form of SQL injection, I always give my password as
' OR 'X'='X
This accomplishes the same thing as the example given, but I think it's much clearer to the reader. I'm a firm believer in clear and maintainable code!
Admin
On the mildly serious side: Access is fine for an application that is going to run on the user's desktop, and only be accessed (no pun intended) by one user at a time. Indeed, it might actually be a good choice for this: It's easy to install and requires no configuration and little maintenance. I would definitely not want to ask your ordinary user with no IT experience to install Oracle on his desktop and then keep it properly configured and tuned. But using Access for a web application is crazy.
It always grates on me when people say, "Tool X is the latest and greatest thing! We should use Tool X for every future project!" Just because a tool is good for project A doesn't mean it's good for project B.
Pick the right tool for the job. If you want to travel from New York to London, a commercial airliner is an excellent choice. But if you want to travel from your home to a town 10 miles away, a commercial flight would be foolish. Not only would it be far more expensive than driving yourself, but even if both towns had airports, sure, the flying time is likely almost zero, but the time spent going through security and picking up your luggage would likely be longer than what it would take to drive.
Admin
"there is no spoon."
Admin
Would you be John the TopCod3r?
Admin
So you agree that security is a number one priority?
So you think that technical needs such as security and performance aren't business needs as well? And that it is invalid to criticize management when they make very obviously flawed decisions? Your argument sounds like "Tech guys just don't get it. There are more important things than that. Management knows best, trust them."
It's not like we were talking about the performance being a bit low but fairly usable, or the password hash algorithm being cryptanalyzed for 13 out of 40 rounds. We are talking about seriously flawed through lack of competence. To make good decisions, you need good advisors, but you also need to know a bit about the issues involved. Management is generally lacking in the IT competence department to say the least. IT problems are abstract and invisible, and managers often tend to be more visually-oriented. WARNING, CAR ANALOGY AHEAD. They would never buy a car that's losing oil and fuel almost as quickly as you can refill it, that has a chassis covered in rust and defective brakes. However, the IT equivalent of doing that is perfectly fine with them.
IOW: They asked IT for their opinion, and IT truthfully came up with pretty much the most scathing criticism you can think of. They purchased it anyway. So nothing that IT could have said would have prevented management from buying. This means that asking IT was completely redundant and a waste of resources.
Admin
Wrong. xkcd is never "good."
Admin
You're right, sorry. I have mixed them up in the past as well. . . you'd think it'd stick eventually.
Admin
Who actually uses Access for anything serious? Me. Large organisation and no chance of getting anything better through IT.
And say what you like about Access. But I've quietly used it to take a number of mission critical Excel "databases" behind the woodshed and shoot them. To the overwhelming joy of the people forced to use them.
(Excel databases in some cases having in excess of 70 columns, more than a dozen of which were populated by VLOOKUPS, and requiring regular manual updates by a dozen people.)
Admin
Yeah. It's always GREAT.
Admin
But I didn't see this line:
How do they re-authenticate the user on a postback?
Admin
Because I'm slow, this is buggy and difficult to read.
Admin
Some thoughts on this... You don't do reviews primarily to convince people, but to make sure the paperwork exists to exonerate you in case of catastrophic failure. The concept of trying to improve your company because you depend on it for your livelihood is nice, but it doesn't apply to most programmers who can easily find a job elsewhere and you're not going to succeed anyway. Improving products for your users is lovely, but if your overlords wanted that they would have told you. If you think this robs your life of meaning, get a hobby or switch jobs. And consumers pretty much get what they deserve anyway. They choose what software to buy. They support the governments who decide what the penalties for leaking personal information and other kinds of software failure are. And if you still feel uneasy about it all, if you're smart enough to be a programmer, you're probably smart enough to be a scientist. I've known two people who switched careers like that (one from architect - that is brick and mortar, not software architect - and another from programming drone) and I think they're happier now.
Admin
HR should be as concerned about security of their data as IS. Being able to get into the admin console via a simple password hack is not something I'd expect to find acceptable for a database that stores employee records. The use of Access wouldn't be so bad if it wasn't set up for a web app. Multiple users accessing that DB could cause problems as Access is not really set up for that sort of concurrent use. The Data is "Production" as it's data that is used to run the company; how would you feel if the data was wiped out due to something crashing? Getting paid? Well, maybe...
Admin
The code they used would actually read:
So replace user_string with
And you get
In English, if the user's password from the database equals blank string OR if blank string equals blank string.
Blank string always equals blank string. Therefore, access granted.
Admin
I don't know whatever Microsoft abomination that code is, but...
Are they expecting to match more than one user?
Admin
Of course not, but the developer probably copied the structure directly from a "Learn ASP in 24 H0urs!1!!!1" book -- from the chapter on how to retrieve records from a database.
Admin
Well, the developer is using an Access database with very blatant SQL injection, all being powered by ASP. The guess is that they copy/pasted the code from someone else or an old project where there was a DB call and they didn't feel like re-writing it. I can understand this, I suppose, IF they put a LIMIT 1 on the SQL call.
Also, this is not the code from the actual project; if it was, "rs" wouldn't be "Rs" by the end of the code block.
Admin
It's worse than that: Microsoft drove the LSE project top to bottom to demonstrate that they could play with the big boys. So Accenture may have fucked up, but you can lay the blame for the LSE mess at Microsoft's feet - they chose the platform and the people to build on it, and they got involved at all levels of the project.
Admin
Well no, that's still illegal, but it does make the data completely suspect if anybody can log on as anybody else and do that.
Admin
Really? In high school, did you really know any better? Or did you hit the Access scalability wall in your school projects?
If so, then salut.
Admin
I'm going to guess it's some form of SQL injection.
Admin
Doesn't Access scale to 10 connections at most?
Admin
It was probably easier for Accenture to pirate Access licenses.
http://attrition.org/errata/sec-co/foundstone-02.html
Yes I am still bitter all these years later.
Admin
Well, Access is just horribly inefficient with queries; the other scalability problem is that once you do queries on records that have thousands of rows it takes bloody long to complete, even if you are just doing a simple lookup on a Primary Key.
Admin
ASP isn't case sensitive so you could write it both ways in the same block of code and they'd both refer to the same variable.
Admin
To top it all off, if this particular SQL injection works as described, it also means that the passwords are stored in plain-text.
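The login bypass discussed in the comments above, as an added example in Python with SQLite (not the code from the article or from any commenter; the table layout, function names and the sample account are assumptions). A query built by string concatenation against a plain-text password column accepts the `' OR ''='` password, while a parameterized lookup compared against a salted hash rejects it.

```python
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "' OR ''='"  # the password string quoted in the thread


def kdf(password, salt):
    # Salted, slow hash; the stored value is never compared inside SQL text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    # Constructed sample data: one account, stored both ways for comparison.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
               "password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               ("alice", "s3cret-constructed", salt,
                kdf("s3cret-constructed", salt)))
    return db


def build_concat_sql(username, password):
    # Vulnerable pattern: user input becomes part of the SQL text itself.
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_concat(db, username, password):
    # Any returned row counts as a successful login.
    return db.execute(build_concat_sql(username, password)).fetchone() is not None


def login_param(db, username, password):
    # Hardened: input is bound as data, and the check is a constant-time
    # comparison of hashes done in application code.
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(kdf(password, row[0]), row[1])


if __name__ == "__main__":
    db = make_db()
    print(build_concat_sql("alice", PAYLOAD))
    print("concatenated:", login_concat(db, "alice", PAYLOAD))
    print("parameterized:", login_param(db, "alice", PAYLOAD))
```

Because AND binds tighter than OR, the concatenated WHERE clause reduces to `(username = 'alice' AND password = '') OR ('' = '')`, which is true for every row in the table.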