OMG Injection attack
-
Injection attack waiting to happed -- need I say more?
http://philip.greenspun.com/doc/sql/display-sql?url=
-
>.<
Meant "happen"
-
That's bad. But do you know what's badder? That he is "... teaching 6.171, Software Engineering for Internet Applications,
this semester at MIT."
Yes, you've read it properly. He is teaching MIT students. Not just programming, noooo, he teaches them software engineering. And not SE for your average back-office app, nooooo, it's for Internet Applications. I seriously hope his own page would disqualify him for his own course...
-
You guys realize that this is just a plain CGI to show files, not a dynamic SQL query thingy?
For example
will just show an sql document that you could have seen by just visiting
http://philip.greenspun.com/doc/sql/
and selecting the one
-
@Unbekannt said:
You guys realize that this is just a plain CGI to show files, not a dynamic SQL query thingy?
For example
will just show an sql document that you could have seen by just visiting
http://philip.greenspun.com/doc/sql/
and selecting the one
Ok, I am too stupid to use this web editor properly. :(
Anyway, that is probably just a plain CGI to send the correct MIME headers for in browser display. Where's the WTF?
PS: How can I preview my post??? And why can't I just have a normal text field???
-
Yes, this is just a TCL script.
What is wrong?
-
checks for going above the pageroot, so unless he has something he doesn't want anyone seeing in the few tcl scripts in his site, there doesn't seem to be a problem...
-
From the script:
# enables user to see a .sql file without encountering the
# AOLserver's db module magic (offering to load the SQL into a database)
Auto SQL loading? Cool feature! ;)
Anyway, we are just about 7 years late:
#
# patched by philg at Jeff Banks's request on 12/5/99
# to close the security hole whereby a client adds extra form
# vars
-
Yeah, not a WTF. There's no risk here that I can see. It just pushes MIME types. It could be a WTF if it was exposing files that should be hidden, but it's not allowing access above the pageroot, and I'm guessing there are no sensitive pages on the website. I am confused about the "this is normally a password-protected page" comment. Looks like there might be something wrong there . . .
Interestingly, if I go to "http://philip.greenspun.com/doc/sql/display-sql?url=/" (or give it any other directory), it churns for quite a while before I get a blank page back. I'm curious if it's going crazy on the server (looping or some such), or if it's just dropped me and neglecting to close the connection. If the script is hammering on the server when it gets invalid input, then it is a WTF.