12 Replies - 1122 Views - Last Post: 27 April 2008 - 07:13 AM

#1 PsychoCoder

  • Google.Sucks.Init(true);

Reputation: 1641
  • Posts: 19,853
  • Joined: 26-July 07

Sad state of affairs...

Posted 26 April 2008 - 08:14 AM

This morning, simply because I was bored, I did a search on Google, using a certain query (I will not post it here as we will have every script kiddie/wannabe hacker doing it) to see how many sites out there are still putting their SQL queries in the querystring. Google returned 48,700 results, that's 48,700 chances to ruin someone's site, and the majority of them ended in .gov. Yes, government sites that make SQL Injection even more simple to accomplish. Who do they contract to do their web development? I thought that more developers realized that this is probably one of the worst ideas when it comes to creating a site.

Please tell me that none of our members here are insane enough to develop and deploy sites in this manner. It's sad that our government would allow such security holes to be deployed, to be used in releasing their information to the general public. I don't know about you, but that goes a long way in removing any respect I have for our government (this is not a political discussion so please don't turn it into one).

This is one that it turned up, site name removed to protect the stupid


Quote

http://<removed>.gov/services/agreements.asp?p=20&ps=&q=SELECT+B.applicant_name%2C+B.trade_name%2C+B.bus_address_f_no%2C+B.bus_street%2C+B.bus_quad%2C+A.id%2C+A.entity%2C+A.patrol_service_area%2C+A.expiration_status%2C+A.expiration_date%2C+A.investigator%2C+A.pdf%2C+A.url+FROM+abra_rw.tblLicense_hold+AS+B%2C+abra_rw.agreements+AS+A+WHERE+B.id+%3D+A.business_id+AND+applicant_name+LIKE+'%25%25'+ORDER+by+B.applicant_name%3B


Do they not realize how easy it would be to wipe all this data out?

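As an added illustration (not code from the thread or from the site quoted above), here is the pattern PsychoCoder describes beside the fix a contractor should have shipped: the statement text comes off the URL in the first handler, while the second keeps the SQL fixed in server code and binds only the filter and page number. The tables and rows are constructed sample data whose names are modelled on the quoted URL.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

PAGE_SIZE = 20


def make_db():
    # Constructed sample data; table and column names are modelled on the quoted URL.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE tblLicense_hold(id INTEGER, applicant_name TEXT, trade_name TEXT);
        CREATE TABLE agreements(id INTEGER, business_id INTEGER, expiration_status TEXT);
        INSERT INTO tblLicense_hold VALUES (1, 'Acme Security', 'Acme'), (2, 'Beta Patrol', 'Beta');
        INSERT INTO agreements VALUES (10, 1, 'active'), (11, 2, 'expired');
    """)
    return conn


def vulnerable_handler(conn, url):
    # The pattern from the thread: the SQL statement itself is read from the
    # querystring and executed verbatim, so the client decides what runs.
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return conn.execute(q).fetchall()


def hardened_handler(conn, url):
    # The statement is fixed in server code. Only a name filter and a page
    # number come from the request, and both are bound as parameters.
    params = parse_qs(urlsplit(url).query)
    name_filter = params.get("name", [""])[0]
    try:
        page = int(params.get("p", ["1"])[0])
    except ValueError:
        raise ValueError("p must be an integer")
    if page < 1:
        raise ValueError("p must be >= 1")
    # Escape LIKE metacharacters so the filter is matched as literal text.
    esc = name_filter.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    sql = (
        "SELECT B.applicant_name, A.expiration_status "
        "FROM tblLicense_hold AS B JOIN agreements AS A ON B.id = A.business_id "
        "WHERE B.applicant_name LIKE ? ESCAPE '\\' "
        "ORDER BY B.applicant_name LIMIT ? OFFSET ?"
    )
    return conn.execute(sql, ("%" + esc + "%", PAGE_SIZE, (page - 1) * PAGE_SIZE)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_handler(db, "http://example.invalid/agreements.asp?q=SELECT+applicant_name+FROM+tblLicense_hold"))
    print(hardened_handler(db, "http://example.invalid/agreements.asp?p=1&name=Acme"))
```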

Replies To: Sad state of affairs...

#2 Nykc

  • Gentleman of Leisure

Reputation: 728
  • Posts: 8,642
  • Joined: 14-September 07

Re: Sad state of affairs...

Posted 26 April 2008 - 08:39 AM

Hey Psycho you should email them and let them know how stupid they are. You might get a medal.

You know tell them how to fix their flaw. It could be a minor contribution to making the internet a safer place.

This post has been edited by Nykc: 26 April 2008 - 08:41 AM


#3 girasquid

  • Barbarbar

Reputation: 108
  • Posts: 1,825
  • Joined: 03-October 06

Re: Sad state of affairs...

Posted 26 April 2008 - 10:13 AM

I think this showed up on dailywtf not too long ago, with a sex offender registry.

This post has been edited by girasquid: 26 April 2008 - 10:13 AM


#4 Martyr2

  • Programming Theoretician

Reputation: 4333
  • Posts: 12,128
  • Joined: 18-April 07

Re: Sad state of affairs...

Posted 26 April 2008 - 10:30 AM

Quote

Yes government sites that make SQL Injection even more simple to accomplish. Who do they contract to do their web development?


Shhhhhh.... They are hiring people like Skyhawk and sloth.

#5 PsychoCoder

  • Google.Sucks.Init(true);

Reputation: 1641
  • Posts: 19,853
  • Joined: 26-July 07

Re: Sad state of affairs...

Posted 26 April 2008 - 11:57 AM

girasquid, on 26 Apr, 2008 - 10:13 AM, said:

I think this showed up on dailywtf not too long ago, with a sex offender registry.


That is just one instance of this stupidity, I remember reading that as well.

#6 supersloth

  • serial frotteur - RUDEST MEMBER ON D.I.C.

Reputation: 4503
  • Posts: 28,410
  • Joined: 21-March 01

Re: Sad state of affairs...

Posted 26 April 2008 - 02:12 PM

Martyr2, on 26 Apr, 2008 - 11:30 AM, said:

Quote

Yes government sites that make SQL Injection even more simple to accomplish. Who do they contract to do their web development?


Shhhhhh.... They are hiring people like Skyhawk and sloth.

we don't do that :)

#7 Martyr2

  • Programming Theoretician

Reputation: 4333
  • Posts: 12,128
  • Joined: 18-April 07

Re: Sad state of affairs...

Posted 26 April 2008 - 03:27 PM

Of course not, you are top of the top... but I just didn't want him to bash government contracted web developers. Who knows what he would have said and then retaliation. Make DIC bust out in a civil war or something.

Because you know, then I would be forced to take a side or something, put on some military uniform, drafted into a game of COD4 or something. It would just get all ugly and messy.

:D

#8 girasquid

  • Barbarbar

Reputation: 108
  • Posts: 1,825
  • Joined: 03-October 06

Re: Sad state of affairs...

Posted 26 April 2008 - 03:31 PM

Aren't you from Canada? All we'd do in the case of a war is apologize.

#9 Martyr2

  • Programming Theoretician

Reputation: 4333
  • Posts: 12,128
  • Joined: 18-April 07

Re: Sad state of affairs...

Posted 26 April 2008 - 03:53 PM

I am talking about a DIC civil war. Which you know would be global. A virtual war.

As for real life, yeah we would apologize because let's face it, our canoe against the US fleet or our wooden plane is not going to take out their squadron of fighters. They throw bombs, we throw rocks or hockey pucks. Whichever we have more of.

:D

#10 RodgerB

  • D.I.C Lover

Reputation: 66
  • Posts: 2,284
  • Joined: 21-September 07

Re: Sad state of affairs...

Posted 26 April 2008 - 05:16 PM

@PsychoCoder: I found the full address for the one you censored... what the hell were they thinking?

#11 KYA

  • g++ jameson.cpp -o beverage

Reputation: 3101
  • Posts: 19,141
  • Joined: 14-September 07

Re: Sad state of affairs...

Posted 26 April 2008 - 11:43 PM

girasquid, on 26 Apr, 2008 - 04:31 PM, said:

Aren't you from Canada? All we'd do in the case of a war is apologize.


Quality.

On topic: Wow. I can't fully appreciate your findings since I don't fully understand the working of SQL, but you would think that the contracted people would know better.

#12 no2pencil

  • Toubabo Koomi

Reputation: 5303
  • Posts: 27,193
  • Joined: 10-May 07

Re: Sad state of affairs...

Posted 26 April 2008 - 11:53 PM

ROFL... I don't even have anything smart ass'ed to say. I'm dumbfounded.

The 1st time I learned about the evils (& power if misused) of the Unix eval command in a CGI-BIN script was from .gov sites being overthrown. This is where the shadow file came into play. But still, it was as simple as requesting information from the URL.

#13 JasonMcAuley

  • D.I.C Head

Reputation: 3
  • Posts: 144
  • Joined: 10-April 08

Re: Sad state of affairs...

Posted 27 April 2008 - 07:13 AM

That's pretty brutal. It's not even hard to work around that >.>