Tremulous Forum
Community => Off Topic => Topic started by: zybork on January 27, 2011, 04:18:54 pm
-
As you may have noticed, I have recently written the code for the Tremulous Player Manifest (http://www.sacharja.at/tremulous), and almost right after the first entry, I checked the databases and found an entry submitted by a user (who – no wonder – has never confirmed his signing) with a name that had an interesting part in it: “"xor”…
For those who are not familiar with SQL: this database language submits everything as strings, with values delimited by quotes, and so it can be compromised if the programmer is a beginner; you can submit almost anything to the database if you just manage to put something in that has a quote inside. Obviously, a few hours after I put the code online, somebody tried to break into the database. (Of course anybody who is not a complete greenhorn will catch this by masking quotes; in the Trem-Manifest, this is done by replacing quotes with their HTML code, which is, well, "…)
Also, if you happen to run a server, you may often find strange requests in the logs, that is, something like “cmd.exe”, where somebody tries to pull a fast one to gain control over the server. Those attacks are, by the way, usually automatted and are performed not by any “criminal servers” but by computers (or even servers!) taken over by viruses and remotely controlled (though not actively) by people earning their money with spam, fraud, or other criminal activities.
In other words: there are tons of programs out there whose only purpose is to find the one idiot out of a million people who will actually buy “\/|agra” or a fake Rolex…
Bots scanning forums, blogs, social media, normal websites, installed on Zombie computers taken over by viruses. This is (part of) the reality of the internet. And sometimes, when writing a pretty small project like the Manifest, it strikes me again, for there are times I tend to forget all that.
-
Secure it more? Yes, you need to.
(http://s2.ipicture.ru/uploads/20110127/KJhliI43.png)
-
automatted
Automated.
You're welcome.
-
It's always a good idea to be paranoid on the internet.
Trivia: One in 12 million respond to spam: http://www.techradar.com/news/computing/spammers-get-1-response-to-12-500-000-emails-483381?src=rss&attr=all
automatted
Automated.
You're welcome.
It seems like you're trying to be the clippy of the tremulous forums.
Keep in mind that it didn't end very well for clippy.
-
Keep in mind that it didn't end very well for clippy.
(http://www.cracked.com/blog/wp-content/uploads/2009/08/clippydialogue13.jpg)
-
Secure it more? Yes, you need to.
What did you do??? (Databases have not been compromised, but this really should NOT happen.)
-
Secure it more? Yes, you need to.
What did you do??? (Databases have not been compromised, but this really should NOT happen.)
Don't worry, I'm not going to be malicious. I just have a habit of checking the basic security of pretty much any website I wander around.
It responds with that error when you try to form an SQL injection. I strongly advise you to turn off error reporting, or at least shrink the output so it won't reveal so much data.
I didn't have much time to experiment with that, so I'm leaving the further investigation to you. :P
-
automatted
Automated.
You're welcome.
It seems like you're trying to be the clippy of the tremulous forums.
Keep in mind that it didn't end very well for clippy.
I'm honoured. Clippy is my hero. 8)
-
Don't worry, I'm not going to be malicious. I just have a habit of checking the basic security of pretty much any website I wander around.
It responds with that error when you try to form an SQL injection. I strongly advise you to turn off error reporting, or at least shrink the output so it won't reveal so much data.
I didn't have much time to experiment with that, so I'm leaving the further investigation to you. :P
Ah, then you were probably to blame for that break-in attempt that caused me to write this thread in the first place 8) (IP is plausible).
However, yeah, I admit, I simply forgot to escape all the quote symbols, ' " and ´ – SQL is a bit unnerving concerning that. However, I fixed it and also took care of the warning levels. So, thanks, buddy; until the end of the day, you have my eternal gratitude :)
However, your injection attempt triggered an error instead of being successful, which at least is reassuring.
-
http://xkcd.com/327/
-
I dunno if you used these, but here are a few links. I'd probably use the first two.
MySQL escape (http://php.net/manual/en/function.mysql-real-escape-string.php) - SQL injection
Full HTML escape (http://www.php.net/manual/en/function.htmlentities.php) - protects against HTML/javascript injection only
Partial HTML escape (http://php.net/manual/en/function.htmlspecialchars.php) - protects against HTML/javascript injection only
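As an added illustration of the points in this thread (the quote-to-HTML-entity masking from the first post, the error-reporting advice, and the escaping links above), here is example code that is not the Manifest's own; it assumes a PDO MySQL connection and a constructed table `players(name, confirmed)`, and uses a prepared statement rather than mysql_real_escape_string as the SQL-side fix.

```php
<?php
// Added example, not the Manifest's code. Assumes a PDO connection to MySQL
// and a constructed table: players(name VARCHAR(64), confirmed TINYINT).

// The pattern described in the first post: the value is glued into the query
// text, and the only "masking" is swapping quotes for an HTML entity. That is
// HTML escaping applied in the wrong layer: it helps the web page, not the
// SQL statement, and leaves other quote characters and backslashes untouched.
function insert_player_vulnerable(PDO $db, string $name): void {
    $masked = str_replace('"', '&quot;', $name);
    $db->exec("INSERT INTO players (name, confirmed) VALUES (\"$masked\", 0)");
}

// Hardened form: a prepared statement keeps the value out of the query text,
// so any quote inside the name is stored literally and never parsed as SQL.
function insert_player_safe(PDO $db, string $name): void {
    $stmt = $db->prepare('INSERT INTO players (name, confirmed) VALUES (:name, 0)');
    $stmt->execute([':name' => $name]);
}

// HTML escaping belongs at output time, as the last post notes: it protects
// the page that displays the name, not the database query.
function render_player(string $name): string {
    return '<li>' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</li>';
}

// The error-reporting advice from the thread: log the real database error
// server-side and show the visitor a generic message, so a failed query does
// not print table names or SQL fragments to the browser.
function save_entry(PDO $db, string $name): string {
    try {
        insert_player_safe($db, $name);
        return 'Entry saved, please confirm by e-mail.';
    } catch (PDOException $e) {
        error_log('manifest insert failed: ' . $e->getMessage());
        return 'Sorry, your entry could not be saved.';
    }
}

// Constructed usage (hypothetical DSN and credentials).
// $db = new PDO('mysql:host=localhost;dbname=manifest', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// echo save_entry($db, $_POST['name'] ?? '');
```

The vulnerable function is kept only to show the pattern being fixed; in a live deployment also set `display_errors=Off` in php.ini so PHP itself does not echo warnings to the page.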