Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: Lazamataz

Just from that I can deduce without any tools that there are severe SQL injection issues, probably XML injection and cross-site scripting vulnerabilities too.

And that is just on a visual inspection. A hacker with the simplest of tools (Burp, WebScarab, Paros, etc.) could find myriad infiltration pathways in a matter of minutes.


24 posted on 11/19/2013 12:12:20 PM PST by commish (The takers rule. Time to implement the triple G plan - GOD, GUNS, & GOLD)


To: commish

Wow! You’re not kiddin.

Don’t go near it.


32 posted on 11/19/2013 12:46:01 PM PST by Ray76

To: commish
Just from that I can deduce without any tools that there are severe SQL injection issues, probably XML injection and cross-site scripting vulnerabilities too.

Southack tells me they are now scrubbing input.

Too late, of course.

But I can only believe they are reading our -- and many other -- tech forums, and learning from our horrified comments.

I'm billin' the bastards. They never would have known about SQL inject until I showed them the vulnerability.

41 posted on 11/19/2013 1:05:42 PM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)

To: commish

I mean DAMN guys, don’t you at LEAST do character-limiting to A-Z and 0-9? Not that that would help, anyone can inject something on the raw HTTP response before it sends out. But I mean, just to show the hackers you are AWARE of some EXTREMELY basic security????!?!?


43 posted on 11/19/2013 1:07:37 PM PST by Lazamataz (Early 2009 to 7/21/2013 - RIP my little girl Cathy. You were the best cat ever. You will be missed.)
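An added example, not written by anyone in this thread, that puts the argument of posts 24, 41 and 43 into working code: a query built by string concatenation is injectable, an A-Z/0-9 allowlist applied server-side only narrows the attack surface, and the structural fix is a parameterized query, which no amount of "scrubbing" substitutes for. It uses Python's standard sqlite3 module against a constructed in-memory table; the table, column and function names are assumptions for illustration.

```python
import sqlite3

# Constructed sample data: a tiny users table in an in-memory SQLite database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # String concatenation: the attacker's input becomes part of the SQL grammar,
    # so a quote in the value closes the literal and the rest is parsed as SQL.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Bound parameter: the statement text is fixed and the value travels separately,
    # so quotes, keywords or comment markers in the input cannot change its structure.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


ALNUM = frozenset("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def is_alnum_only(value):
    # The A-Z / 0-9 allowlist from post 43. It only counts if it runs on the server
    # against the value actually received: a browser-side check is bypassed by
    # editing the raw HTTP request. Even then it is defence in depth, not the fix,
    # because many legitimate fields (e-mail, names) cannot be restricted this way.
    return bool(value) and set(value) <= ALNUM


def demo():
    # Returns what each strategy does with a benign name and a classic payload.
    conn = make_db()
    benign = "alice"
    payload = "' OR '1'='1"  # constructed injection string, closes the quote
    return {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        "vulnerable_payload": lookup_vulnerable(conn, payload),
        "parameterized_benign": lookup_parameterized(conn, benign),
        "parameterized_payload": lookup_parameterized(conn, payload),
        "allowlist_benign": is_alnum_only(benign),
        "allowlist_payload": is_alnum_only(payload),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running it shows the concatenated query returning every row for the payload, the parameterized query returning nothing (it looks for a user literally named `' OR '1'='1`), and the allowlist rejecting the payload while passing `alice`.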



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson