• Ed Wagner (9/18/2014)


    Sean Lange (9/18/2014)


    Ed Wagner (9/18/2014)


    Sean Lange (9/17/2014)


    WayneS (9/17/2014)


    Sean Lange (9/17/2014)


    ROFLMAO!!!! I just got a dev ticket to look into a website that was written and deployed about 3 years before I got here. The ONLY page on the entire site that does anything more than deliver static content is a page with a form that allows the user to upload a file. I was told this is really important because the last submission received was in 2010. Obviously mission critical functionality here. Add to that it is written in classic asp. I opened the thing for the first time ever today and it is wide open to sql injection, javascript injection and probably more. There is only 1 way to fix this, take it out to the pasture and shoot it. 😛

    Is this a public facing website? Care to send me a link? 😉

    Not really. 😛 Not wanting to turn something that I can easily blow off for at least 4 years into something I have to fix immediately. It is public facing and truly horrible. It just takes the text boxes and builds a pass-through query blindly. Not even an attempt made to protect anything. Add to that the ability to upload files with no checking on file type or anything at all. The URL alone is enough to gain access to the network and I am not handing out that key. YUCK!!!

    As long as it doesn't check file type, does it also open the file and do something with it? Or is it boring and just saves it to disk and lets someone else open it to do the damage or read the data?

    Thankfully it just saves it to disk until somebody else comes along and opens it. Of course it hasn't worked in 4 years so the threat is rather low.

    Good point. I saw the lack of file type validation and felt a low-level panic starting. If the server accepts a file of any type and then tries to open it, a .exe, .com, .bat or .cmd could cause some major damage to the server itself. Heck, even the old .pif might still be supported. Just another level of danger induced by the lack of validation.

    On another front, since the obviously mission-critical process hasn't worked for 4 years, I would be forced to question whether it was really needed at all.

    I told them I would fix it as quickly as they reported the problem. They chuckled until I opened Outlook and added a calendar item in 2018 and invited them to it so we can discuss the requirements of a rewrite. 😀

    _______________________________________________________________

    Need help? Help us help you.

    Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

    Need to split a string? Try Jeff Moden's splitter http://www.sqlservercentral.com/articles/Tally+Table/72993/.

    Cross Tabs and Pivots, Part 1 – Converting Rows to Columns - http://www.sqlservercentral.com/articles/T-SQL/63681/
    Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs - http://www.sqlservercentral.com/articles/Crosstab/65048/
    Understanding and Using APPLY (Part 1) - http://www.sqlservercentral.com/articles/APPLY/69953/
    Understanding and Using APPLY (Part 2) - http://www.sqlservercentral.com/articles/APPLY/69954/
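The two defects the thread describes (form text glued straight into a pass-through query, and an upload that saves any file under any name) and the controls that close them, as an added Python/SQLite stand-in that is not code from the thread or from the classic ASP site being discussed. The table schema, the upload allowlist and the sample file names are all constructed assumptions.

```python
import os
import re
import sqlite3

# Constructed stand-in for the site's back-end table (assumed schema, not the real one).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE submissions (submitter TEXT, note TEXT)")
    conn.execute("INSERT INTO submissions VALUES ('alice', 'hello')")
    conn.commit()
    return conn

def lookup_passthrough(conn, submitter):
    """The defect the thread describes: form text glued straight into the SQL.
    A quote in the input becomes SQL syntax, so the input controls the query."""
    sql = "SELECT note FROM submissions WHERE submitter = '" + submitter + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, submitter):
    """Hardened form: the driver binds the value; quotes in it stay data."""
    sql = "SELECT note FROM submissions WHERE submitter = ?"
    return [row[0] for row in conn.execute(sql, (submitter,))]

# Upload controls the thread says are missing: type allowlist, content check, sane name.
ALLOWED = {".pdf": b"%PDF-", ".csv": None, ".txt": None}  # assumed allowlist; None = no magic
SAFE_NAME = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,99}$")

def accept_upload(client_filename, head):
    """Return the name to store under, or None to reject. `head` is the file's first bytes."""
    base = os.path.basename(client_filename.replace("\\", "/"))  # drop client-supplied paths
    if not SAFE_NAME.match(base):
        return None
    ext = os.path.splitext(base)[1].lower()      # last extension decides: x.pdf.exe -> .exe
    if ext not in ALLOWED:                        # .exe/.com/.bat/.cmd/.pif never reach disk
        return None
    magic = ALLOWED[ext]
    if magic is not None and not head.startswith(magic):
        return None                               # .pdf name with non-PDF content
    return base
```

With the pass-through version, a plain name containing an apostrophe already breaks the query, which is the same mechanism that lets crafted input rewrite it; the parameterized version treats the same input as an ordinary value.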