
graz
Chief SQLTeam Crack Dealer

4149 Posts

Posted - 2002-11-06 : 12:46:13
A thread to continue the discussion started here (http://www.sqlteam.com/Forums/topic.asp?TOPIC_ID=21048).

That discussion is related to an article and I'd like to keep that thread related to the article. Anything else can be covered here.

===============================================
Creating tomorrow's legacy systems today.
One crisis at a time.

graz
Chief SQLTeam Crack Dealer

4149 Posts

Posted - 2002-11-06 : 13:04:08
jimmers,

Yes, you did send me an email. However Snitz didn't post anything about the bug that I could find for more than three weeks after the email. When the security fix came out I applied it. By then I'd completely forgotten your email.

I get all kinds of emails saying all kinds of things about the site. Many that I've followed up on either try to sell me something or add me to a spam list. Thus I've become very careful what I reply to. I should have recalled your message and thanked you however. My apologies for that. And thank you for trying to notify me about a security hole in the site. Shame on me for not following up.

As for your previous post that contained a security hole. I've struggled back and forth on that issue and don't have an answer I'm happy with. On one hand I'm not happy to publicize a hole without a fix. On the other hand, more information is usually better than no information. So far I've taken the approach to limit detailed information on how to attack SQL Server if there's no patch available. I'll be happy to describe the weakness but I don't like posting code that exploits it unless there's a fix. I may change that opinion in the future. Actually I'll probably run some type of poll and see what people think.

===============================================
Creating tomorrow's legacy systems today.
One crisis at a time.

jimmers
Starting Member

12 Posts

Posted - 2002-11-06 : 13:04:38
Specifically, to demonstrate how lazy the people who support this site are and what attention they pay to security, I'd
like to describe another error that makes it possible to access the underlying database.

Please navigate to the main page and look at the "Poll" feature. It uses
INPUTs named ChoiceI with integer values. If you save the HTML and
modify it so the value contains an apostrophe sign (') and submit,
then SQL Server will return an error:

quote:
Line 1: Incorrect syntax near '50, @UserName = ', @IPAddress = '.


I have an opportunity to crack this site entirely using a buffer overflow in a SQL Server system command, but I'm not interested in it.
Anyway, you (the reader) can decide who is right and who is wrong...

Thanks

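The defender's side of the poll bug described in the post above, as an added example that is not code from the site, the Snitz forum or anyone in this thread: a Python stand-in that uses sqlite3 in place of SQL Server (the poll_votes table, its columns and the user/IP arguments are assumptions modelled on the @UserName and @IPAddress names in the quoted error). It puts a vote handler built by string concatenation, which is what the quoted syntax error implies, beside one that checks the ChoiceI value is an integer and binds every value as a parameter, so a stray apostrophe is rejected before any statement reaches the database.

```python
import sqlite3

# Constructed schema standing in for the site's poll table (assumption).
SCHEMA = """
CREATE TABLE poll_votes (
    choice_id  INTEGER NOT NULL,
    user_name  TEXT    NOT NULL,
    ip_address TEXT    NOT NULL
);
"""


def open_poll_db() -> sqlite3.Connection:
    """Return an in-memory database with the constructed poll table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_vote_concatenated(conn: sqlite3.Connection, choice: str,
                             user_name: str, ip_address: str) -> bool:
    """The fragile pattern: form values are pasted into the statement text.

    Returns True when the insert succeeds and False when the database
    rejects the statement, which is what the error quoted in the thread
    shows happening when the ChoiceI value carries an apostrophe.
    """
    sql = ("INSERT INTO poll_votes (choice_id, user_name, ip_address) VALUES ("
           + choice + ", '" + user_name + "', '" + ip_address + "')")
    try:
        conn.execute(sql)
    except sqlite3.OperationalError:
        # Syntax error from the database: the untrusted value changed the
        # statement itself, not just the data stored by it.
        conn.rollback()
        return False
    conn.commit()
    return True


def record_vote_parameterized(conn: sqlite3.Connection, choice: str,
                              user_name: str, ip_address: str) -> int:
    """Hardened handler: validate the choice as an integer, bind all values.

    The value never becomes part of the SQL text, so quoting characters in
    any argument cannot alter the statement. Raises ValueError on a choice
    that is not a whole number; returns the stored choice id otherwise.
    """
    try:
        choice_id = int(choice)
    except ValueError:
        raise ValueError(f"invalid poll choice: {choice!r}") from None
    conn.execute(
        "INSERT INTO poll_votes (choice_id, user_name, ip_address) VALUES (?, ?, ?)",
        (choice_id, user_name, ip_address),
    )
    conn.commit()
    return choice_id


def vote_count(conn: sqlite3.Connection) -> int:
    """Number of votes stored so far."""
    return conn.execute("SELECT COUNT(*) FROM poll_votes").fetchone()[0]


if __name__ == "__main__":
    db = open_poll_db()
    # A well-formed vote works either way.
    print(record_vote_concatenated(db, "2", "reader", "10.0.0.1"))
    print(record_vote_parameterized(db, "2", "reader", "10.0.0.1"))
    # The apostrophe case from the thread: the concatenated handler hands a
    # broken statement to the database; the parameterized one never does.
    print(record_vote_concatenated(db, "50'", "reader", "10.0.0.1"))
    try:
        record_vote_parameterized(db, "50'", "reader", "10.0.0.1")
    except ValueError as err:
        print(err)
    print(vote_count(db))
```

The validation step and the bound parameters are independent defences: the integer check gives a clear application-level error for a malformed ChoiceI, and the parameter binding guarantees that even a value which passes validation can only ever be treated as data by the database driver.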

nr
SQLTeam MVY

12543 Posts

Posted - 2002-11-06 : 13:09:50
Is not validating the path, or allowing OS commands to be called via this, a problem?

It's backing up all databases - I would expect anyone who can call it to be able to execute OS commands too.
Validating the path - it's a dev system backup procedure - validate the path by running it and seeing if it works.

Could put a lot of extra things in it but it's meant to be small and easy to change. It takes about half an hour to write and that's its main use.
I would advise people not to run the code but to write their own if they think it's useful - it's quicker than writing backups for individual databases and you can add any other code you wish - like copying the backups to another server, restoring them and running dbcc checks on it - hey, that's a standby system, warm standby if you include tr logs, all for very little work.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.

jimmers
Starting Member

12 Posts

Posted - 2002-11-06 : 13:24:19
Dear nr,

You know that SQL Server has a fixed database role named "db_backupoperator".
Membership in this role doesn't give a user permission to run OS commands. This is
an answer to the first part of your message.

I agree with you that users may and should modify the given code to make sure it fits their needs. But it is well known that a lot of people will plug this code in as is and forget to set up proper permissions, thus making another hole.

Bye

Edited by - jimmers on 11/06/2002 13:25:47

M.E.
Aged Yak Warrior

539 Posts

Posted - 2002-11-06 : 13:30:26
quote:
I have an opportunity to crack this site entirely using a buffer overflow in a SQL Server system command, but I'm not interested in it.
Anyway, you (the reader) can decide who is right and who is wrong...


One thing I'm curious about... if someone is providing a site that hosts SQL help for anybody (the people on here that do post are only posting because they're trying to help and for no other reason; NR's article here is a helpful little piece... at least for me), why would anyone wanna 'crack' the site?

quote:
Specifically for demonstration of fact how lazy are people that support this site and what attention they pay to security

Perhaps they aren't worried about the security of the site as much as they are interested in providing scripts and help for all who come to the site. Look up how many helpful articles graz and other moderators have written. I'd much prefer Graz wrote another article or two rather than fix a hole like this.

I'm just curious who would take the time to go through and save all the html and look for holes in a site like this? Really, how much 'secure' information do you think this site contains?

-----------------------
SQL isn't just a hobby, It's an addiction

jimmers
Starting Member

12 Posts

Posted - 2002-11-06 : 15:13:32
2M.E.

I've simply put the above note as confirmation of the fact that any T-SQL coder or DBA
can and must fix the errors that still exist on this site. It is not required to wait for a patch
if you know a minimum about SQL.

Hm... I don't know what sort of information this site contains. But if people
blindly borrow code samples like this backup script, it will be very easy to read the
information stored in their databases. Maybe this will be your credit card info,
maybe this will be your medical records... Who knows?

I wonder why, instead of thanks for reporting the weakness and releasing an instant fix,
those people accuse me. It makes me sad. I can stop such postings, but everyone will
lose, because most readers won't notice such subtle issues and will have hidden
errors introduced into their systems.

A professional always acknowledges his errors. I see that here it is impossible to say
"I'm wrong, sorry". Endless discussion will continue, manipulating phrases
like "security is not important when helping to solve SQL problems".

Bye


M.E.
Aged Yak Warrior

539 Posts

Posted - 2002-11-06 : 15:38:55
jimmers, I was only referring to your comment about being able to 'crack' the SQLTeam website.

Your point about NR's code is well made and brought a new issue into the discussion. Please continue pointing out things such as that, as it helps us people using the site learn to address all issues, such as security.

I just felt that bringing up your ability to 'crack' the SQLTeam website and calling the moderators who take the time to write these articles lazy was inappropriate.

-----------------------
SQL isn't just a hobby, It's an addiction

nr
SQLTeam MVY

12543 Posts

Posted - 2002-11-06 : 18:14:53
I wouldn't let anyone who wasn't trusted on the server anywhere near SPs like this.
Also wouldn't give manual backup-only access to anyone. I suspect db_backupoperator is for third-party tools - which I never use; backups are too important.

==========================================
Cursors are useful if you don't know sql.
DTS can be used in a similar way.
Beer is not cold and it isn't fizzy.

Tim
Starting Member

392 Posts

Posted - 2002-11-06 : 18:48:20
In terms of who would want to crack the site, you'd be surprised.

I run an even more innocuous site than this one (for real tennis) and there are crackpots trying to hack me because they consider the sport to be elitist.


----
Nancy Davolio: Best looking chick at Northwind 1992-2000

sanjivus
Starting Member

16 Posts

Posted - 2005-05-06 : 17:52:54
Did anybody fix the security hole...??

Merkin
Funky Drop Bear Fearing SQL Dude!

4970 Posts

Posted - 2005-05-07 : 05:50:09
You signed up for an account for this? A 3-year-old flamefest?


Damian
Ita erat quando hic adveni.