[PsychoCoder]

This morning, simply because I was bored, I did a search on Google, using a certain query (I will not post it here as we will have every script kiddie/wannabe hacker doing it) to see how many sites out there are still putting their SQL queries in the querystring. Google returned 48,700 results, thats 48,700 chances to ruin someone's site, and the majority of them ended in .gov. Yes government sites that make SQL Injection even more simple to accomplish. Who do they contract to do their web development? I thought that more developers realized that this is probably one of the worst ideas when it comes to creating a site.

Please tell me that none of our members here are insane enough to develop and deploy sites in this manner. It's sad that our government would allow such security holes to be deployed, to be used in releasing their information to the general public. I don't know about you, but that goes a long way in removing any respect I have for our government (this is not a political discussion so please don't turn it into one).

This is one that it turned up, site name removed to protect the stupid

Quote

http://<removed>.gov/services/agreements.asp?p=20&ps=&q=SELECT+B.applicant_name%2C+B.trade_name%2C+B.bus_address_f_no
%2C+B.bus_street%2C+B.bus_quad%2C+A.id%2C+A.entity%2C+A.patrol_service_area%2C+A.expiration_status%2C+A.expiration_date
%2C+A.investigator%2C+A.pdf%2C+A.url+FROM+abra_rw.tblLicense_hold+AS+B%2C+abra_rw.agreements+AS+A+WHERE+B.id+%3D
+A.business_id+AND+applicant_name+LIKE+'%25%25'+ORDER+by+B.applicant_name%3B

Do they not realize how easy it would be to wipe all this data out?

[Nykc]

Hey Psycho you should email them and let them know how stupid they are. You might get a medal.

You know tell them how to fix their flaw. It could be a minor contribution to making the internet a safer place.

This post has been edited by Nykc: 26 April 2008 - 08:41 AM

[girasquid]

I think this showed up on dailywtf not too long ago, with a sex offender registry.

This post has been edited by girasquid: 26 April 2008 - 10:13 AM

[Martyr2]

Quote

Yes government sites that make SQL Injection even more simple to accomplish. Who do they contract to do their web development?

Shhhhhh.... They are hiring people like Skyhawk and sloth.

[PsychoCoder]

girasquid, on 26 Apr, 2008 - 10:13 AM, said:

I think this showed up on dailywtf not too long ago, with a sex offender registry.

That is just one instance of this stupidity, I remember reading that as well.

[supersloth]

Martyr2, on 26 Apr, 2008 - 11:30 AM, said:

Quote

Yes government sites that make SQL Injection even more simple to accomplish. Who do they contract to do their web development?

Shhhhhh.... They are hiring people like Skyhawk and sloth.

we don't do that

[Martyr2]

Of course not, you are top of the top... but I just didn't want him to bash government contracted web developers. Who knows what he would have said and then retaliation. Make DIC bust out in a civil war or something.

Because you know, then I would be forced to take a side or something, put on some military uniform, drafted into a game of COD4 or something. It would just get all ugly and messy.

[girasquid]

Aren't you from Canada? All we'd do in the case of a war is apologize.

[Martyr2]

I am talking about a DIC civil war. Which you know would be global. A virtual war.

As for real life, yeah we would apologize because lets face it, our canoe against the US fleet or our wooden plane is not going to take our their squadron of fighters. They throw bombs, we throw rocks or hockey pucks. Whichever we have more of.

[RodgerB]

@PsychoCoder: I found the full address for the one you censored... what the hell were they thinking?

[KYA]

girasquid, on 26 Apr, 2008 - 04:31 PM, said:

Aren't you from Canada? All we'd do in the case of a war is apologize.

Quality.

On topic: Wow. I can't fully appreciate your findings since I don't fully understand the working of SQL, but you would think that the contracted people would know better.

[no2pencil]

ROFL... I don't even have anything smart ass'ed to say. I'm dumbfounded.

The 1st time I learned about the evils (& power if missused) of the Unix eval command in a CGI-BIN script was from .gov sites being overthrown. This is where the shadow file came into play. But still, it was as simply as requesting for information from the URL.

[JasonMcAuley]

Thats pretty brutal. Its not even hard to work around that >.>