Admin
It is absolutely IT's job to make technical decisions. That IT guy, Steve, reviewed the third party ASP code and found it to be insecure.
Why would HR prefer a third party insecure application to an in-house one? Sooner or later someone will break in and get those employee salaries.
The third party wrote their ASP application without ever seeing the data. So, Steve's team could also develop one based on some 1,000 fake employees in a SQL database.
In any case, the HR website programming team never has to see the real employee data. Much software is developed using sample data before any real data exists. So, data security is not an issue.
Admin
It's a sql injection attack. http://en.wikipedia.org/wiki/SQL_injection
Admin
Hey, has anybody explained what an SQL injection attack is yet?? If not, please see http://en.wikipedia.org/wiki/Sql_injection_attack and http://xkcd.com/327/
Thanks!
CAPTCHA: Littlebobbytables.
Admin
WHOOOOOOOOOSH!
Admin
This is known as an SQL injection attack, and it's stupidly easy to defeat - simply make sure all special characters are escaped. Most scripting languages already have a built-in function for this, but for those that don't, it's trivial to write one.
Admin
Late to the party and forgetting that proper storage of the passwords (encrypted or hashed) and/or proper usage of the database (stored procedure) would be better solutions.
Admin
Nope, 'Yer doin it wrong.'
It is ' OR ''=' (as seen in code)
The first apos. closes the first one in code, the one that still tries to close the first one after the password is concatenated will close the last one in the password text forming:
... password = '' or ''='' ...
Admin
Edit: should have put some spaces in there..
' OR '-'= '-
roughly equals
' OR ''='
Admin
It'll be true only if there're brackets like that: "...where username = '...' and (password = '' or 1 = 1)"
It's MAGIC!
Admin
So here's the bits I get.
But I'm not sure I understand what the issue is with using the session object to cache user info? Isn't that what the session object is for?
Admin
In general, the answer to this is one of two choices, depending on the programming language. If the code is written in anything but Perl[1], the reason is, "it wasn't written in Perl." If the code is written in Perl, the reason is, "it's a huge pain for the vast majority of programmers out there to successfully write an application that can work even with taint checking turned on - so they don't use taint."
Also keep in mind, even if the code is written in Perl, and taint checking is turned on, there are a few ways one can use a tainted variable which is dangerous, but perl doesn't catch it, because to do otherwise would be so painful to both the perl maintainers and the people who use it that even fewer people would use it. For example, perl does not complain about using tainted arguments to system or exec[2].
[1] I strongly suspect there's other languages which perform this kind of data source tracking, but I haven't heard of any.
[2] It does complain about certain tainted environment variables (but not all). It also complains about single tainted arguments. However, if you're using the list versions of the builtins, it simply trusts that you know what you're doing.
Admin
And now we know what caused all of said major accounting scandals! Poorly-written Access "applications"
Admin
My predecessor did similar with the Remote Scripting (poor man's IE-only Ajax) used in one of the most buggy, poorly written cesspits of code I have ever seen; naturally it's the core of our business. He simply copied and pasted a tutorial on how to use remote scripting, and hacked around with the method code. He did not even bother to change the name of the method; the code does a product lookup and the method is named "getPeople" as it was in the tutorial.
Admin
The question is, how do you verify that the user is using the right session object? What is to stop the users from making changes to their session cookies in an attempt to gain the access of another active user? Most web developers I've encountered who use session cookies simply bank on the difficulty to change cookies (which is trivial) or the space between different active session cookies - and even web developers who personally use software similar to Firebug and have chosen sequential session cookies do this.
I haven't seen the authoritative word on this, but I've seen a number of sites use a handful of cookies - for example, session id, username, and checksum/hash, and also use the person's IP address as an additional check. I've heard from some people that the best practice is to do that, but include the password in the hash calculation. I'm planning on checking into the actual best practice sometime before I develop an Internet accessible web page with logins.
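The forgery concern raised above (a user editing their session cookie to take over another active session, sequential session ids) is addressed in practice by two things: session ids with enough randomness that they cannot be guessed, and a server-side check that the cookie presented was actually issued by the server. The following is an added example, not code from the thread or from any poster; it assumes Python's standard library only, a per-deployment secret held on the server, and an in-memory dictionary standing in for the session store.

```python
import hashlib
import hmac
import secrets

# Per-deployment secret. Generated at startup here for the example; a real server would
# load it from protected configuration so it survives restarts.
SERVER_KEY = secrets.token_bytes(32)


class SessionStore:
    """Server-side session table keyed by a random id, with an HMAC over the id in the cookie.

    The client only ever holds "<sid>.<signature>". Username, role and IP live on the server,
    so there is nothing in the cookie a user can edit to change who they are."""

    def __init__(self, key=SERVER_KEY):
        self._key = key
        self._sessions = {}  # sid -> username (constructed, in-memory store)

    def _sign(self, sid):
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def issue(self, username):
        # 32 random bytes (256 bits): not sequential, not guessable from a neighbouring session.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = username
        return f"{sid}.{self._sign(sid)}"

    def resolve(self, cookie):
        """Return the username for a cookie, or None if the cookie is missing, malformed,
        tampered with, forged without the key, or refers to a revoked session."""
        sid, sep, sig = cookie.rpartition(".")
        if not sep:
            return None
        expected = self._sign(sid)
        # Constant-time comparison so the check does not leak how many bytes matched.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        return self._sessions.get(sid)

    def revoke(self, cookie):
        sid, sep, _ = cookie.rpartition(".")
        if sep:
            self._sessions.pop(sid, None)


def demo():
    """Issue two sessions and show that swapping ids between them is rejected."""
    store = SessionStore()
    alice_cookie = store.issue("alice")
    bob_cookie = store.issue("bob")
    alice_sid, alice_sig = alice_cookie.rsplit(".", 1)
    bob_sid, _ = bob_cookie.rsplit(".", 1)
    return {
        "alice": store.resolve(alice_cookie),
        "bob": store.resolve(bob_cookie),
        "bob_sid_with_alice_sig": store.resolve(bob_sid + "." + alice_sig),
        "unsigned_sid": store.resolve(alice_sid),
    }


if __name__ == "__main__":
    print(demo())
```

With the mapping kept server-side there is no need to put the username, a checksum or the password hash into separate cookies; the signature only exists so that obviously forged or edited cookies are rejected before the session table is consulted. Binding a session to the client IP address, as some posters mention, is a separate policy decision (it breaks legitimate users behind changing addresses) and is not shown here.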
Admin
LOL :)
Programming is much easier than doing research.
Admin
It's fine for small workgroups, too, not just single users. Of course, you have to be a competent programmer to create a multi-user Access app (using a Jet back end, of course, since Access wasn't involved in this WTF web app, only a Jet data store) that can be run by 25 or 30 people simultaneously.
Access can not be used for a web app. You can certainly use a Jet MDB as the back end for a website (not that it's advisable), but you certainly can't use Access. Access is an application development platform, for creating front ends to databases, and it won't be involved in any website whatsoever.
Of course, the Access bigots always choose to elide the difference between Access and Jet, because it serves their purpose to ignore the fact Access is the best RAD database front-end development tool in existence, while Jet is merely a versatile file-based desktop database engine that doesn't scale well beyond a few dozen users without very careful application programming. It's the misuse of Jet in situations where it's not appropriate that gives Access its bad reputation among the Access bigots.
But all they are showing when they badmouth Access is their complete ignorance of the product as a whole.
-- David W. Fenton David Fenton Associates http://dfenton.com/DFA/
Admin
No. Access can support thousands of users simultaneously, if the back end it's being used with supports that number of simultaneous users.
Oh, you mean Jet? Or maybe you don't know the difference? Jet has a theoretical limit of 255 users on any MDB file, but the practical limit for anything other than read-only users is going to be substantially lower than that. This makes it a perfectly suitable data store for a very large portion of the universe of small workgroup apps.
-- David W. Fenton David Fenton Associates http://dfenton.com/DFA/
Admin
Er, what? This is a ridiculous statement. I've had Access apps with a Jet MDB back end with hundreds of thousands of records in several related tables, and data retrieval was on the order of less than 1 second. The tables were properly indexed, of course, so Access/Jet could be efficient.
Perhaps you don't know about indexes?
This is JUST WRONG except in the case of a badly designed schema with insufficient indexing, or simply bad SQL.
Neither of your statements contains even the slightest bit of truth.
Of course it's certainly possible to have problems like this if you don't know what you're doing, I guess.
-- David W. Fenton David Fenton Associates http://dfenton.com/DFA/
Admin
Seems like the CTO does not know the consequence of having a bad software deployed LOL. What a CTO (Cock Talking Officer? LOL)!
Admin
Of course, this would mean that the injection would also work in Oracle.
Without the helpful additional spaces the original injection would NOT work in Orable because in Orable '' is replaced with NULL, and NULL != NULL.
Just one of the many reasons why Access is better than Oracle.
(Did I hear the troll siren going off a while back?)
Admin
I'm no security expert but I believe it's called SQL injection :)
Admin
No, what they're doing is reacting to the common case usage of access - some app written by a random guy in the office that's grown organically over years. Of course people react badly to something like that, and without clarifying statements, 'using access on the backend' is reasonably interpreted as using the Jet DB backend for some DB task. Sorry if we didn't use precise terminology.
1 second access time on 100,000 rows with an index is godawful. I'd expect about 100ms response time for a decent table setup. And if you read the whole comment, he already had indexes on the table.
Admin
And that, kids, is why god invented hashing. (well amongst other reasons).
Admin
hashedpassword = hash_function(plaintextpassword) OR '' = '' is still always true.
Admin
Well, select * from user_table where user_name = 'xxx' and password = 'yyy' or '' = '' will retrieve all the rows in user_table.
Admin
You did. I raised it, although the alleged troll pleaded not guilty.
Admin
even better to use one that supports placeholders in SQL statements...
Admin
"Could someone explain why typing ' OR ''=' in the password field would give him access to anything? I don't see the magic happening there. :/"
"Because the code that called the SQL they were using was probably along the lines of ...WHERE...AND [Password] = '" + string_user_entered + "'
Which when inputted with ' OR ''=' results in the following SQL ...WHERE...AND [Password] = '' OR ''='' "
..but doesn't the article suggest that they're using Access rather than SQL?
Admin
You joke, but see the following: SELECT 1 FROM users WHERE username = '%s' AND passhash = MD5('%s') with a username of "admin" and a password of "abc') OR ('0')=('0" (sans double quotes) (clue: it resolves to: SELECT 1 FROM users WHERE username = 'admin' AND passhash = MD5('abc') OR ('0')=('0'))
Admin
Well you've certainly never worked for Accenture
Admin
See more WTF: http://dfenton.com/DFA/about.htm
Admin
Lies! I always included Access in my technical designs while at Accenture. That way there was always an ongoing project to improve the stability of the application ;) Management love that sort of stuff!
Admin
Umm, how would encrypting the password prevent SQL injection?
select userid from userlist where userid='myuserid' and password=encrypt('mypassword') or 1=1
would still let me in, no matter how unbreakable the encryption algorithm is. It's irrelevant.
Admin
Hey, I don't know David Fenton from Danny Fenton [obscure allusion to a cartoon for those of you who don't have kids], but what exactly is wrong with his web site? Okay, aside from the annoying fact that he puts all the text in a narrow column, thus not using about half the screen and so wasting valuable screen real estate, and the rather cloying third-person description of himself on the About page. It is easy to navigate, and it contains the information that someone who might want to hire him would be likely to want to know.
I've seen plenty of web sites that are filled with annoying animations and other fancy graphics that take forever to load and just waste my time. I like a site that's simple, clean, and to the point.
Admin
I don't really understand how these situations occur, so I'm asking a serious question.
In this scenario: 1: the software is buggy and insecure, in a way that can be recognised by almost anyone with relevant experience; 2: the IT department duly recommended against it - in writing... 3: someone with more authority than experience ordered it to be deployed anyway...
Let's assume the app is compromised, and the result is one or more of: a: identity theft occurs b: employees are not paid that month c: cash is transferred from a company bank account d: some other event involving losses
If and when that happens - isn't the person who ordered the deployment going to be held personally responsible ?
There is a paper-trail, after all.
If there isn't a specific individual accountable, then surely it becomes the collective responsibility of the board of directors ?
And even if employees prefer to keep their head down and not make waves, what about the external investors ? Over-ruling expert advice to deploy a faulty system seems to run contrary to all notions of "best practice" and valid grounds for external investors to sue.
Also, the fact that this scenario involves a system storing information that identifies specific individuals would make this - in various nations - a matter of criminal law, surely ?
So, the serious question I'm asking is: Is the general problem here that: employees and/or shareholders know what is going on but if they talk, the fall-out will affect the company in general and although the guilty or incompetent would be dealt with, the innocent would likely also be out of a job, so they just shrug their shoulders and generally keep quiet...
In other words - there are checks and balances in the system, but no-one is actually invoking them ?
Admin
There are no checks and balances because the person with the authority is inundated from any repercussions due to seniority. Even if the IT department could show in writing that "Mr. Smith, CTO" approved the software despite the IT department's recommendations against it, "Mr. Smith" is senior management and can't be punished, someone else will take the fall for him.
Admin
"HASH('" & password & "') = PWHASH" (the more natural way of typing it)
X') = 'X' OR 1 = 1 OR ('X
HASH('X') = 'X' OR 1 = 1 OR ('X') = PWHASH
or use "PWHASH = HASH('" & password & "')"
X') OR 'X' = ('X
PWHASH = HASH('X') OR 'X' = ('X')
(of course, they should be doing the hash before they build the sql string - but how likely is that?)
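Several posts above make the same three points: hashing the password inside the SQL text (HASH('...'), MD5('%s'), encrypt('...')) does nothing against injection because the quotes still close the literal; hashing before the string is built neutralises the password field but leaves any other concatenated value exposed; and placeholders remove the problem. The following is an added example that runs all three side by side; it is not code from the thread or from any poster. It assumes Python's sqlite3 module, SHA-256 standing in for whatever HASH()/MD5() the posters had in mind, and a constructed two-user table. The injected password is the one from the MD5('%s') post above.

```python
import hashlib
import sqlite3

# Constructed sample data: two users in a throwaway in-memory SQLite database.
USERS = (("alice", "correct horse"), ("bob", "hunter2"))

# The injected password from the thread's MD5('%s') example.
INJECTED = "abc') OR ('0')=('0"


def sha256hex(value):
    """Hex SHA-256; stands in for the thread's HASH()/MD5()/encrypt() functions."""
    return hashlib.sha256(str(value).encode()).hexdigest()


def build_db():
    conn = sqlite3.connect(":memory:")
    # Expose sha256hex to SQL as HASH(x) so the hash-inside-the-query pattern can be run.
    conn.create_function("HASH", 1, sha256hex)
    conn.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(name, sha256hex(pw)) for name, pw in USERS])
    conn.commit()
    return conn


def login_hash_in_sql(conn, username, password):
    """Vulnerable: the raw password is spliced into the SQL text and hashed by the database.
    The quote inside the password ends the literal early, so the rest is parsed as SQL:
        ... AND pwhash = HASH('abc') OR ('0')=('0')
    and the OR makes the WHERE clause true for every row."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pwhash = HASH('" + password + "')")
    return sorted(row[0] for row in conn.execute(sql))


def login_hash_then_concat(conn, username, password):
    """Hash before building the query: only hex digits reach the SQL text, so the password
    field can no longer carry SQL. The username is still concatenated, so this is only a
    partial fix and not the one to rely on."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND pwhash = '" + sha256hex(password) + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, username, password):
    """Placeholders: both values travel as bound parameters, never as part of the SQL text,
    so no quoting in either field can change the statement's structure."""
    sql = "SELECT username FROM users WHERE username = ? AND pwhash = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, sha256hex(password))))


def demo():
    conn = build_db()
    results = {}
    for name, fn in (("hash_in_sql", login_hash_in_sql),
                     ("hash_then_concat", login_hash_then_concat),
                     ("parameterized", login_parameterized)):
        results[name] = {
            "correct": fn(conn, "alice", "correct horse"),
            "wrong": fn(conn, "alice", "wrong"),
            "injected": fn(conn, "alice", INJECTED),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Only the first function returns both users for the injected password; the other two return nothing for it and ['alice'] for the real one. Note that the simpler ' OR ''=' payload from earlier in the thread does not get through HASH('...') on its own, which is why the later post wraps it in parentheses; the point for the defender is that guessing which payloads a given quoting style stops is not a strategy, whereas the parameterized version is correct regardless of the payload.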
Admin
“you’re telling me that Accenture [pass over] Oracle and SQL Server, and ... deploy ... [with] Microsoft Access?”
“Yep ... they certainly do!”
That explains a lot. I'm going for a lunch.
Admin
Good ol' SQL injection...
Admin
This is known as "SQL Injection".