Sean Lange (9/17/2014)
WayneS (9/17/2014)
Sean Lange (9/17/2014)
ROFLMAO!!!! I just got a dev ticket to look into a website that was written and deployed about 3 years before I got here. The ONLY page on the entire site that does anything more than deliver static content is a page with a form that allows the user to upload a file. I was told this is really important because the last submission received was in 2010. Obviously mission critical functionality here. Add to that it is written in classic asp. I opened the thing for the first time ever today and it is wide open the sql injection, javascript injection and probably more. There is only 1 way to fix this, take it out to the pasture and shoot it. 😛Is this a public facing website? Care to send me a link? 😉
Not really. 😛 Not wanting to turn something that I can easily blow off for at least 4 years into something I have to fix immediately. It is public facing and truly horrible. It just takes the text boxes and build a pass through query blindly. Not even an attempt made to protect anything. Add to that the ability to upload files with no checking on file type or anything at all. The URL alone is enough to gain access to the network and I am not handing out that key. YUCK!!!
Please????? (I have this neat SQL Injection demo that I do... it would be neat to incorporate this into it and show a real world hack!) :cool::w00t:
Wayne
Microsoft Certified Master: SQL Server 2008
Author - SQL Server T-SQL Recipes