Classic WTF: Injection Proof'd
by in CodeSOD on 2016-11-24“When a ‘customer’ of ours needs custom-developed software to suit their business requirements,” Kelly Adams writes, “they can either ‘buy’ the development services from the IT department, or go to an outside vendor. In the latter case, then we’re supposed to approve that the software meets corporate security guidelines.”
“Most of the time, our ‘approval’ is treated as a recommendation, and we end up having to install the application anyway. But recently, they actually listened to us and told the vendor to fix the ‘blatant SQL-injection vulnerabilities’ that we discovered. A few weeks later, when it came time for our second review, we noticed the following as their ‘fix’.”