Opt-out wtf
-
Today I received one of those newsletter-ish spam mails, with those little "Click here to get out of the list" links at the bottom. Out of paranoia, I didn't want to click, so I just copied the link and removed the parameters, just to see what would happen:
http://asp.isprit2.de/ff/us_1.php
<!-- ErrorCode: 1064
Description: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
SELECT e.ENTITY_ID,p.PERSON_ID,LOGO_URL FROM ENTITY e, PERSON p, MESSAGE m WHERE e.ENTITY_ID = p.ENTITY_ID AND p.PERSON_ID = m.PERSON_ID AND m.MSG_ID =
-->
And as if echoing your SQL errors back to your visitor wasn't bad enough, the application also seems to copy the parameters right into the Query string... kind of scary if you ask me.
-
@halcyon said:
And as if echoing your SQL errors back to your visitor wasn't bad enough, the application also seems to copy the parameters right into the Query string... kind of scary if you ask me.
That's a nice clear error for a developer to see, but it should be placed in a log file and replaced with a generic error message.
-
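Added example (not from the thread or from the site being discussed): the two points above in runnable form. It rebuilds the three tables named in the leaked query as a constructed in-memory sqlite3 stand-in for MySQL, shows the concatenation pattern halcyon's reply complains about next to the parameterized version, and wraps the lookup in a handler that logs the real database error and returns only a generic message to the visitor. Table contents, the logger name and the handler shape are assumptions made for the example.

```python
import logging
import sqlite3

# Constructed stand-in for the schema visible in the leaked query.
# sqlite3 is used so the example runs offline; the concatenation vs.
# parameter point is the same with any MySQL driver.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ENTITY (ENTITY_ID INTEGER, LOGO_URL TEXT);
        CREATE TABLE PERSON (PERSON_ID INTEGER, ENTITY_ID INTEGER);
        CREATE TABLE MESSAGE (MSG_ID INTEGER, PERSON_ID INTEGER);
        INSERT INTO ENTITY VALUES (1, 'http://example.invalid/logo1.png');
        INSERT INTO ENTITY VALUES (2, 'http://example.invalid/logo2.png');
        INSERT INTO PERSON VALUES (10, 1), (20, 2);
        INSERT INTO MESSAGE VALUES (100, 10), (200, 20);
    """)
    return conn

# Same SELECT as the error page showed, minus the value of MSG_ID.
BASE_QUERY = (
    "SELECT e.ENTITY_ID, p.PERSON_ID, LOGO_URL "
    "FROM ENTITY e, PERSON p, MESSAGE m "
    "WHERE e.ENTITY_ID = p.ENTITY_ID AND p.PERSON_ID = m.PERSON_ID "
    "AND m.MSG_ID = "
)

def lookup_concatenated(conn: sqlite3.Connection, msg_id: str) -> list:
    """The pattern the thread describes: the request parameter is pasted
    straight into the SQL text, so whatever the visitor sends is parsed
    as SQL. An empty parameter reproduces the 'near '' at line 1' error."""
    return conn.execute(BASE_QUERY + msg_id).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, msg_id: str) -> list:
    """Fixed form: the value is bound as a parameter and is only ever
    compared against MSG_ID, never interpreted as part of the statement."""
    return conn.execute(BASE_QUERY + "?", (msg_id,)).fetchall()

# Assumed logger name; in a real deployment this goes to the server log.
log = logging.getLogger("us_1")
GENERIC_ERROR = "sorry! something went wrong :("

def handle_request(conn: sqlite3.Connection, msg_id: str,
                   lookup=lookup_parameterized) -> dict:
    """Web-handler shape halcyon asks for: the full database error and
    the offending input go to the log; the visitor sees only a generic
    message, never the SQL text or the server's error description."""
    try:
        return {"ok": True, "rows": lookup(conn, msg_id)}
    except sqlite3.Error as exc:
        log.error("query failed for msg_id=%r: %s", msg_id, exc)
        return {"ok": False, "message": GENERIC_ERROR}

if __name__ == "__main__":
    db = build_db()
    print(handle_request(db, "100"))                       # one matching row
    print(handle_request(db, "", lookup_concatenated))     # generic message, error logged
    print(handle_request(db, "100 OR 1=1"))                # no rows: treated as a value
```

With the concatenated lookup, a parameter such as `100 OR 1=1` turns the WHERE clause into `(... AND m.MSG_ID = 100) OR 1=1` and returns the entire cross join of the three tables; with the bound parameter the same string is compared as a value against MSG_ID and matches nothing. The handler's log line keeps the diagnostic value of the original error for the developer, which is the only thing the verbose page was ever good for.
-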
If it is a spammer, I suppose it would be quite tempting to test their site for protection against sql-injection attacks...
-
Something like
MSG_ID=''; DROP TABLE PERSON;
would be fun :)
-
Except that MySQL doesn't let you send more than one query in one packet.
-
http://asp.isprit2.de/ff/us_1.php now just reads "sorry! something went wrong :("
maybe they read tdwtf!
-
This is funny in itself, but what's even funnier is that apparently spammers read TDWTF. Should we throw them a welcoming party or something, wheel out goggles full of spam and 'BRILLANT' banners and hats? (hey - those aren't a bad idea - cafepress t-shirts and hats with 'BRILLANT' or 'My eyes! The goggles, they do nothing!' on them).
-
@nickf said:
http://asp.isprit2.de/ff/us_1.php now just reads "sorry! something went wrong :("
maybe they read tdwtf!
View the source of the page. It still has the comment mentioned above.
-
El Foo said:
This is funny in itself, but what's even funnier is that apparently spammers read TDWTF. Should we throw them a welcoming party or something, wheel out goggles full of spam and 'BRILLANT' banners and hats? (hey - those aren't a bad idea - cafepress t-shirts and hats with 'BRILLANT' or 'My eyes! The goggles, they do nothing!' on them).
---
Try this link