SQL Server Forums
Profile | Register | Active Topics | Members | Search | Forum FAQ
 
Register Now and get your question answered!
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Site Related Forums
 The Yak Corral
 Continuation of an article discussion...
 New Topic  Reply to Topic
 Printer Friendly
Author Previous Topic Topic Next Topic  

graz
Chief SQLTeam Crack Dealer

USA
4138 Posts

Posted - 11/06/2002 :  12:46:13  Show Profile  Visit graz's Homepage  Reply with Quote
A thread to continue the discussion started here (http://www.sqlteam.com/Forums/topic.asp?TOPIC_ID=21048).

That discussion is related to an article and I'd like to keep that thread related to the article. Anything else can be covered here.

===============================================
Creating tomorrow's legacy systems today.
One crisis at a time.

graz
Chief SQLTeam Crack Dealer

USA
4138 Posts

Posted - 11/06/2002 :  13:04:08  Show Profile  Visit graz's Homepage  Reply with Quote
jimmers,

Yes, you did send me an email. However Snitz didn't post anything about the bug that I could find for more than three weeks after the email. When the security fix came out I applied it. By then I'd completely forgotten your email.

I get all kinds of emails saying all kinds of things about the site. Many that I've followed up on either try to sell me something or add me to a spam list. Thus I've become very carefull what I reply to. I should have recalled your message and thanked you however. My apologies for that. And thank you for trying to notify me about a security hole in the site. Shame on me for not following up.

As for your previous post that contained a security hole. I've struggled back and forth on that issue and don't have an answer I'm happy with. On one hand I'm not happy to publicize a hole without a fix. On the other hand, more information is usually better than no information. So far I've taken the approach to limit detailed information on how to attack SQL Server if there's no patch available. I'll be happy to describe the weakness but I don't like posting code that exploits it unless there's a fix. I may change that opinion in the future. Actually I'll probably run some type of poll and see what people think.

===============================================
Creating tomorrow's legacy systems today.
One crisis at a time.
Go to Top of Page

jimmers
Starting Member

12 Posts

Posted - 11/06/2002 :  13:04:38  Show Profile  Reply with Quote
Specifically for demonstration of fact how lazy are people that support this site and what attention they pay to security I'd
like to describe another error that makes possible access to underlying database.

Please navigate to main page and look at "Poll" feature. It uses
INPUTs named ChoiceI with integer values. If you save html and
modify it so value will contain apostrophe sign (') and submit,
then SQL Server will return an error:

quote:
Line 1: Incorrect syntax near '50, @UserName = ', @IPAddress = '.


I have an opportunity to crack this site entirely using buffer overflow in SQL Server system command but I'm not interested in.
Anyway, you (reader) can decide who is right, who is wrong...

Thanks




Go to Top of Page

nr
SQLTeam MVY

United Kingdom
12543 Posts

Posted - 11/06/2002 :  13:09:50  Show Profile  Visit nr's Homepage  Reply with Quote
Is not validating the path or allowing OS commands to be called via this a problem?

It's backing up all databases - I would expect anyone who can call it to be able to execute OS commands too.
Validating path - it's a dev system backup procedure - validatet the path by runing it and see if it works.

Could put a lot of extra things in it but it's meant to be small and easy to change. It takes about half an hour to write and that's it's main use.
I would advise people not to run the code but to write their own if they think it's useful - it's quicker than writing backups for individual databases and you can add any other code you wish - like copying the backups to another server, restoring them and running dbcc checks on it - hey that's a standby system, warm standby if you include tr logs, all for very little work.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.
Go to Top of Page

jimmers
Starting Member

12 Posts

Posted - 11/06/2002 :  13:24:19  Show Profile  Reply with Quote
Dear nr,

You know that SQL Server has fixed databse role named "db_backupoperator".
Membership in this role doesn't give user permission to run OS commands. This is
an answer to the first part of your message.

I agree with you that users may and should modify given code to make sure it feets their needs. But it is well-known that a lot of people will plug this code as is and forget to setup proper permissions, thus making another hole.

Bye




Edited by - jimmers on 11/06/2002 13:25:47
Go to Top of Page

M.E.
Aged Yak Warrior

Canada
539 Posts

Posted - 11/06/2002 :  13:30:26  Show Profile  Reply with Quote
quote:
I have an opportunity to crack this site entirely using buffer overflow in SQL Server system command but I'm not interested in.
Anyway, you (reader) can decide who is right, who is wrong...


One thing I'm curious about... but if someone is providing a site that hosts sql help for anybody (the people on here that do post are only posting cause they're trying to help and no other reason. NR's article here is a helpful little piece... atleast for me). Why would anyone wanna 'crack' the site

quote:
Specifically for demonstration of fact how lazy are people that support this site and what attention they pay to security

Perhaps they aren't worried about the security of the site as much as they are interested in provding scripts and help for all who come to the site. Look up how many helpful articles graz and other moderators have written. I'd much prefer Graz wrote another article or 2 rather then fix a hole like this.

I'm just curious who would take the time to go through and save all the html and look for holes in a site like this? Really, how much 'secure' information do you think this site contains?

-----------------------
SQL isn't just a hobby, It's an addiction
Go to Top of Page

jimmers
Starting Member

12 Posts

Posted - 11/06/2002 :  15:13:32  Show Profile  Reply with Quote
2M.E.

I’ve simply put above note as confirmation of fact that any T-SQL coder or DBA
can and must fix errors that still exist on this site. It is not required to wait for patch
if you know a minimum about sql.

Hm... I don't know what sort of information this site contains. But if people will
blindly borrow code samples like this backup script, it will be very easy to read
information stored in their databases. Maybe this will be your credit card info,
maybe this will be your medical records... Who knows?

I wonder why instead of thanks for reporting weakness and releasing instant fix,
those people accuse me. It makes me sad. I can stop such postings but everyone will
loose because most of readers won't notice such subtle issues and will have hidden
errors introduced into their systems.

Professional always acknowledges his errors. I see that here it is impossible to say
"I'm wrong, sorry". Endless discussion will continue, manipulating phrases
like "security is not important when helping to solve sql problems".

Bye


Go to Top of Page

M.E.
Aged Yak Warrior

Canada
539 Posts

Posted - 11/06/2002 :  15:38:55  Show Profile  Reply with Quote
jimmers, I was only reffering to your comment about being able to 'crak' the sql team website.

Your point about NR's code is well made and brought a new issue into discussion. Please continue pointing out things such as that as it helps us people using the site to learn to address all issues such as security.

I just felt that bringing up your ability to 'crack' the SQLteam website and calling the moderators who take the time to write these articles as lazy was inappropriate.

-----------------------
SQL isn't just a hobby, It's an addiction
Go to Top of Page

nr
SQLTeam MVY

United Kingdom
12543 Posts

Posted - 11/06/2002 :  18:14:53  Show Profile  Visit nr's Homepage  Reply with Quote
I wouldn't let anyone who wasn't trusted on the server anywhere near SPs like this.
Also wouldn't give manual backup only access to anyone. Suspect db_backupoperator is for third party tools - which I never use, backups are too important.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.
Go to Top of Page

Tim
Starting Member

Australia
392 Posts

Posted - 11/06/2002 :  18:48:20  Show Profile  Reply with Quote
In terms of who would want to crack the site, you'd be surprised.

I run an even more inoccuous site than this one (for real tennis) and there are crackpots trying to hack me because they consider the sport to be elitist.


----
Nancy Davolio: Best looking chick at Northwind 1992-2000
Go to Top of Page

sanjivus
Starting Member

16 Posts

Posted - 05/06/2005 :  17:52:54  Show Profile  Reply with Quote
Did anybody fixed the security hole...??
Go to Top of Page

Merkin
Funky Drop Bear Fearing SQL Dude!

Australia
4970 Posts

Posted - 05/07/2005 :  05:50:09  Show Profile  Visit Merkin's Homepage  Reply with Quote
You signed up an account for this ? A 3 year old flamefest ?


Damian
Ita erat quando hic adveni.
Go to Top of Page
  Previous Topic Topic Next Topic  
 New Topic  Reply to Topic
 Printer Friendly
Jump To:
SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC Go To Top Of Page
This page was generated in 0.1 seconds. Powered By: Snitz Forums 2000