Hmm... not sure if I should post this... public error msg w/ too much info.



  • <link removed> Click on the "Member Directory" link.

    I have no idea how a bug like this could go unnoticed.



  •  Yikes .... not just a username/password, but the sa account.  For those who aren't too familiar with SQL Server, that's basically the "root" account and it can do anything to the entire database server.  In addition, because many SQL service accounts run with high privileges on the server (i.e., domain or local admin) if you have control of the "sa" sql account you generally can take control of and access the entire server and/or network.



  •  Scary.  Especially since the database server is *not* firewalled.  

    .. Maybe someone ought to email the guy before someone gets 'DROP' happy?



  •  preserved for future

     

    <snippet removed by moderator>

    Microsoft OLE DB Provider for SQL Server error '80040e37'

    Invalid object name 'tbl_Directory'.

    <snippet removed>
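The sa explanation a few posts up and the error page preserved here are exactly what a server-side filter should catch. This is an added example, not code from the site, the thread or its dev shop: a small Python check that recognises a classic ASP / OLE DB error page, flags any connection-string keys (and an sa login) that leak alongside it, and swaps the page for a generic error so the detail only reaches the server log. The sample response, its host name and its password are constructed.

```python
import re
from dataclasses import dataclass, field

TAG_RE = re.compile(r"<[^>]+>")

# Classic ASP renders an ADO failure as two lines, e.g.
#   Microsoft OLE DB Provider for SQL Server error '80040e37'
#   Invalid object name 'tbl_Directory'.
# Provider name + 8-hex-digit code is the fingerprint; the next line is the
# provider's message, which usually names a table or column.
OLEDB_ERROR_RE = re.compile(
    r"Microsoft OLE DB Provider for SQL Server\s+error\s+'(?P<code>[0-9a-fA-F]{8})'"
    r"\s*(?P<message>[^\n]*)")

# ADO connection-string keys a leaked string would carry; a value runs to ';'.
CONNSTR_KEY_RE = re.compile(
    r"\b(?P<key>User ID|UID|Password|PWD|Data Source|Initial Catalog|Database)"
    r"\s*=\s*(?P<value>[^;\s'\"<]+)", re.IGNORECASE)
SECRET_KEYS = {"password", "pwd"}
LOGIN_KEYS = {"user id", "uid"}
SYSADMIN_LOGINS = {"sa"}   # SQL Server's built-in sysadmin login, "root" of the instance

@dataclass
class Finding:
    error_code: str = ""
    error_message: str = ""
    connstr_keys: list = field(default_factory=list)
    sysadmin_login: bool = False

    @property
    def severity(self) -> str:
        keys = {k.lower() for k in self.connstr_keys}
        if self.sysadmin_login or keys & SECRET_KEYS:
            return "critical"   # credentials (here the sa password) on the wire
        if keys:
            return "high"       # host and database names map the server for an attacker
        if self.error_code:
            return "medium"     # schema detail such as table names
        return "none"

def inspect_response(body: str) -> Finding:
    """Classify an HTML response body for database information disclosure."""
    text = TAG_RE.sub(" ", body)          # see through <font> and similar tags
    finding = Finding()
    m = OLEDB_ERROR_RE.search(text)
    if m:
        finding.error_code = m.group("code").lower()
        finding.error_message = m.group("message").strip()
    for km in CONNSTR_KEY_RE.finditer(text):
        key, value = km.group("key"), km.group("value")
        finding.connstr_keys.append(key)
        if key.lower() in LOGIN_KEYS and value.lower() in SYSADMIN_LOGINS:
            finding.sysadmin_login = True
    return finding

def safe_response(body: str) -> tuple:
    """Return (body to send, finding): any disclosure becomes a generic page;
    the finding is what belongs in the server-side log instead."""
    finding = inspect_response(body)
    if finding.severity == "none":
        return body, finding
    return "<p>A database error occurred. The details have been logged.</p>", finding

# Constructed sample (invented host and password) in the shape of the thread's page.
SAMPLE_LEAK = (
    '<font size="2" face="Arial">Microsoft OLE DB Provider for SQL Server</font> '
    '<font size="2" face="Arial">error \'80040e37\'</font>\n'
    '<font size="2" face="Arial">Invalid object name \'tbl_Directory\'.</font>\n'
    "Provider=SQLOLEDB;Data Source=DBHOST;Initial Catalog=members;User ID=sa;Password=Hunter2;")
```

The same check works as a log scrubber: run `inspect_response` over stored error pages to find which ones already disclosed credentials, which is the cue to rotate the sa password rather than just hide the page.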

     



  • Uh oh ... they ask for CC info:<link removed by request>

    They *really* need to hope that isn't stored in the database.



  • @kswanton said:

     Scary.  Especially since the database server is *not* firewalled.  

    .. Maybe someone ought to email the guy before someone gets 'DROP' happy?

    yikes! it is exposed.  OK, we need to contact them, seriously.  I hope everyone here will do the right thing and not abuse this info.



  • @Jeff S said:

    yikes! it is exposed.  OK, we need to contact them, seriously.  I hope everyone here will do the right thing and not abuse this info.

    lol .. are you new around here??? The last time an open database was reported people were posting various queries along the lines of "see what I found!!!"
    But yes, I agree that stupidity on that level is beyond a mere WTF and doing the right thing should be done. BTW did you try and contact the DBA???



  •  I emailed them and left a phone message.

    Call me a fascist-moderator if you like, but I edited out their information.   Please don't repost, let's be responsible.  A WTF is one thing, but something like this is a pretty big deal.



  •  I emailed the address that is listed as the contact on the WHOIS record, which is the same email on the 'Contact Us' link of the site.



  •  Did you also contact the 'Tech Support', i.e. local web shop?

    BTW, I agree - live WTFs possibly exposing CC info and addresses require responsibility. 



  • I emailed one of the client sites that had databases on that box, I think they deserve to know how their money has been used. Although I'm sure the dev would disclose such a serious breach in security had occurred to his clients. It's only right. And of course I didn't execute any queries.



  • @Jeff S said:

    yikes! it is exposed.  OK, we need to contact them, seriously.  I hope everyone here will do the right thing and not abuse this info.

    We usually get one of these "open database" WTFs every 3 weeks or so.  The result is a bunch of morons making insufferable Bobby Tables jokes and generally fucking the database to hell within the first 30 minutes of it being posted.  This is followed by a circle jerk of self-congratulation at being such amazing hackers.  Finally, myself or someone else will call them all children and publicly wish for a law enforcement agency to track the crime back to this forum, followed by a subpoena to Alex and the poster being rewarded with a few years of being sodomized by neo-Nazis and Latino gang members in a state prison.  You think I'm joking, probably, and sadly I am not.  This is the general intelligence level of the forum at this point in time.

     

    Thanks for doing the right thing and redacting the info and trying to contact the site administrator.  Hopefully your efforts will pay off. 



  •  @uncaughtException said:

    I emailed one of the client sites that had databases on that box, I think they deserve to know how their money has been used. Although I'm sure the dev would disclose such a serious breach in security had occurred to his clients. It's only right. And of course I didn't execute any queries.

    Multiple clients are using that box?  Yet the server-wide SA account is being used?  I don't type this as often as I'd like these days but ... WTF?



  • @kswanton said:

    ...before someone gets 'DROP' happy?

    Considering the error message that appeared on the page says "Invalid object name 'tbl_Directory'.", it's possible that somebody *already did*.



  • It's been fixed, error no longer shows. But here's a quote from what looks like the dev team's website:

    • We are Digital Architects who design and build Digital Lifecycle Systems (DLS). Our unique DLS architecture:
    • Encourages biased user participation
    • Monitors user data in real-time
    • Efficiently manages dynamic e-commerce solutions
    • Our Custom DLS takes on life. This advanced technology encourages micro-economies that synergistically scale into living-digital-systems.
    • Our expertise in Business Management, Macro Economics, Interior Design, Personnel Management, Real Estate, Data Systems, Outdoor Sports, Digital Audio / Video and Tourism insures a well grounded understanding of fundamental business principles.
    • We are the Leader.
    • We are the Innovator.

    Sounds good....

    [hidden in white-on-white text:] We are Digital Marketing Advisors.



  • @uncaughtException said:

    • We are the Leader.
    • We are the Innovator.

     

     

    I am the Walrus. Coo coo ca choo?



  • @uncaughtException said:

    It's been fixed, error no longer shows. But here's a quote from what looks like the dev team's website:

    • We are Digital Architects who design and build Digital Lifecycle Systems (DLS). Our unique DLS architecture:
    • Encourages biased user participation
    • Monitors user data in real-time
    • Efficiently manages dynamic e-commerce solutions
    • Our Custom DLS takes on life. This advanced technology encourages micro-economies that synergistically scale into living-digital-systems.
    • Our expertise in Business Management, Macro Economics, Interior Design, Personnel Management, Real Estate, Data Systems, Outdoor Sports, Digital Audio / Video and Tourism insures a well grounded understanding of fundamental business principles.
    • We are the Leader.
    • We are the Innovator.

     

     Wow, 90 words and not a shred of meaning.  After reading that I still have absolutely no idea what they actually do.




  • @morbiuswilters said:

    @Jeff S said:

    yikes! it is exposed.  OK, we need to contact them, seriously.  I hope everyone here will do the right thing and not abuse this info.

    We usually get one of these "open database" WTFs every 3 weeks or so.  The result is a bunch of morons making insufferable Bobby Tables jokes and generally fucking the database to hell within the first 30 minutes of it being posted.  This is followed by a circle jerk of self-congratulation at being such amazing hackers.  Finally, myself or someone else will call them all children and publicly wish for a law enforcement agency to track the crime back to this forum, followed by a subpoena to Alex and the poster being rewarded with a few years of being sodomized by neo-Nazis and Latino gang members in a state prison.  You think I'm joking, probably, and sadly I am not.  This is the general intelligence level of the forum at this point in time.

    Thanks for doing the right thing and redacting the info and trying to contact the site administrator.  Hopefully your efforts will pay off. 

    I really wonder why the fuck these guys think that a DROP TABLE really_important_data is even remotely funny. The kind of idiot that leaves the DB open to the internet is the same kind of idiot that

    (a) doesn't do regular backups

    (b) doesn't encrypt sensitive info

    which means that when another idiot wipes the database, someone's losing critical data.

    It's one thing to do stuff like adding a table called "readme" which has rows saying "protect","your","database" or even someone putting "d00d was here"; but intentionally deleting stuff is frowned upon, even among hackers. Some idiots never learn, though.



  • @danixdefcon5 said:

    It's one thing to do stuff like adding a table called "readme" which has rows saying "protect","your","database" or even someone putting "d00d was here";

    That might make sense if you want to show absolutely that you have access to the database.  I always try to get into contact with the admins when I encounter security breaches like this. 



  • @morbiuswilters said:

    @danixdefcon5 said:

    It's one thing to do stuff like adding a table called "readme" which has rows saying "protect","your","database" or even someone putting "d00d was here";

    That might make sense if you want to show absolutely that you have access to the database.  I always try to get into contact with the admins when I encounter security breaches like this. 

    Sometimes, it's difficult to find the admin's contact information. Sometimes, the admin doesn't believe the danger level. In these times, doing something like that may be required, and it's less intrusive than adding a row to their main database labeled 'insecure', with every row having the value MININT.

    That having been said, I've only once had to resort to something like that (although my instance wasn't a database leak, but a web page to arbitrary execution as root hole, so I made a file named "/-Anyone can read or write to your filesystem anywhere they want-", and then told his boss about it a couple days later as he hadn't managed to fix the problem. He also had not managed to delete or rename that file, despite the fact that deleting the file had been his main focus over those days.) Oddly enough, his boss seemed to mind my involvement more than he minded the problem (although at least he realized that the problem needed fixing before anyone else found out.) He really didn't like hearing my offer to fix it for them, and especially did not like my gleeful reminder that, no, I didn't need to be "granted" access to the box to fix it - just the written permission to do so.

    Note: No, the boy wonder who couldn't figure out, even after two days of trying, how to remove a file with a leading dash or spaces in it wasn't fired. Well, at least, not for this incident.



  •  call me an asshole.. but if you cannot be bothered to even follow basic security best practices you get what you get.



  • @Kazan said:

    call me an asshole.. but if you cannot be bothered to even follow basic security best practices you get what you get.

    This hurts me more than it will hurt you: you're an asshole.  Wait, that didn't hurt me at all!  Anyway, there's no telling how this system got into this state.  It could be a company full of good developers with one moron sysadmin who ended up exposing the entire database.  Whatever damages are done extend far beyond the person(s) responsible for the breach.  In fact, this site has shown many times that competent people can end up screwed over by WTFy co-workers who aren't even reprimanded for their mistakes.  I think it's a bit presumptuous to assume that every person involved with that site deserves to have their data and systems wrecked.  Regardless, I was mostly complaining about the retards on this forum who trash an exposed system as soon as it is posted.  Even if the sysadmin was "asking for it", there is nothing lamer than destroying someone's data for the fuck of it. 



  • @morbiuswilters said:

    Even if the sysadmin was "asking for it", there is nothing lamer than destroying someone's data for the fuck of it. 
     

    Sure, it's fun to play around and feel all powerful when you find exploits, but wouldn't you rather take this obvious opportunity to make some good cash and (at least try to) sell your expertise to them to fix it?  If what was stated earlier about the knowledge of the company that leaves blatant holes like this, there's a good chance they don't have any employees that can fix this.



  • @Kazan said:

     call me an asshole.. but if you cannot be bothered to even follow basic security best practices you get what you get.

     

    You can argue that maybe the programmer deserves it, but not the company that employed the programmer.




  • @skippy said:

    Sure, it's fun to play around and feel all powerful when you find exploits, but wouldn't you rather take this obvious opportunity to make some good cash and (at least try to) sell your expertise to them to fix it?  If what was stated earlier about the knowledge of the company that leaves blatant holes like this, there's a good chance they don't have any employees that can fix this.

    I have thought about this in the context of open wi-fi networks. Just wander around your local neighbourhood scanning for open networks, and when you find one just knock on the door and tell the residents that they have a problem and you can fix it for them. The trouble is I can see two responses (well actually the same one) 1) A figurative punch in the nose and being told to get lost, 2) Total disbelief that either a) there is a problem, or b) that you can fix it for them. You have to get past these initial responses in order to get their business and I think that that requires a level of trust that can't be engendered just through knocking on someone's door and telling them that they have a problem.



  • @morbiuswilters said:

    @danixdefcon5 said:
    It's one thing to do stuff like adding a table called "readme" which has rows saying "protect","your","database" or even someone putting "d00d was here";

    That might make sense if you want to show absolutely that you have access to the database. I always try to get into contact with the admins when I encounter security breaches like this.


    Agreed. I emailed the contact folks after the 3rd response was posted. They responded w/in 30 minutes that they forwarded the issue to their web folks.



  • @skippy said:

    Sure, it's fun to play around and feel all powerful when you find exploits

    No, it's incredibly lame, especially for something as simple as an open database.  Now, if you manage to crack AES in your spare time, you can definitely sit back, gloat and feel like the strongest programming man ever.  However, if you use your knowledge for evil purposes you are still a dickbag.

     

    @skippy said:

    but wouldn't you rather take this obvious opportunity to make some good cash and (at least try to) sell your expertise to them to fix it?

    Because I have a good job that pays well and there is no way in hell I want to take on some company's broken software in my spare time for what will likely be a lower rate than my normal employment.  I'd much rather work on my own projects and attempt to generate a stable revenue stream for myself.  To each his own, I suppose.



  • @OzPeter said:

    I have thought about this in the context of open wi-fi networks. Just wander around your local neighbourhood scanning for open networks, and when you find one just knock on the door and tell the residents that they have a problem and you can fix it for them. The trouble is I can see two responses (well actually the same one) 1) A figurative punch in the nose and being told to get lost, 2) Total disbelief that either a) there is a problem, or b) that you can fix it for them. You have to get past these initial responses in order to get their business and I think that that requires a level of trust that can't be engendered just through knocking on someone's door and telling them that they have a problem.
     

    That would be an interesting social experiment; I'd be very curious to see the results of that and how people react.  But I agree that most people's responses would probably be on the negative side.  They'd equate it to someone breaking into their house and leaving a note offering to improve their locks/security -- they would feel "violated" somehow, thinking you spent a large amount of time and effort to "break into" their private network.



  • @OzPeter said:

    I have thought about this in the context of open wi-fi networks.

    Open wi-fi networks are a dime a dozen and the amount of damage that can be done is pretty minimal.  It's not the most likely vector for viruses and sniffing credit card info is going to be pretty hard with any site that uses SSL.  Personally, the last thing I want to do is become a freelance Geek Squad numbnuts. 



  • @Jeff S said:

    Call me a fascist-moderator if you like, but I edited out their information. 
     

    Thank you. I think that was absolutely the right thing to do.

    Although you're still a fascist-moderator. </joke> 



  • @morbiuswilters said:

    Open wi-fi networks are a dime a dozen

    Thus there is a very large potential market.
    @morbiuswilters said:
    and the amount of damage that can be done is pretty minimal.  It's not the most likely vector for viruses and sniffing credit card info is going to be pretty hard with any site that uses SSL.

    Old skool burglars only attack one property at a time, so the amount of damage that a single burglary can do is limited. But the people who are burgled would consider that the amount of damage is very high. I am sure you could find all sorts of valuable things by scanning hard drives accessible as open shares on these networks. Alternatively there are other nefarious things you can do with an open network such as downloading illegal files of various types or even planting such files on various computers. I am sure that there would be a market to give people peace of mind that they are not aiding and abetting various crimes. However I do see this as more of selling the sizzle than the steak itself and that is not the sort of thing I would personally do.
    @morbiuswilters said:
    Personally, the last thing I want to do is become a freelance Geek Squad numbnuts.

    Totally agree. It is not my idea of a job, but it could be someone else's idea of a job.



  • @OzPeter said:

    I have thought about this in the context of open wi-fi networks. Just wander around your local neighbourhood scanning for open networks, and when you find one just knock on the door and tell the residents that they have a problem and you can fix it for them.
     

    Not a good analogy. Chances are that that open wifi is just handling a computer or two and maybe a printer in the same household. When you screw with an open DB on a publicly available web server, you have no idea what else is dependent on that DB (or server, for that matter). What if the moron who left the DB open for outside access was also stupid enough to put other important data in the same DB? Like *your* credit card number, which they got from a different web site hosted on the same server, which you have no idea was saved. Now some idiot comes along, gains access to the DB to prove what a h$x0r they are and finds the data.

    Is it better for you if they get to that data, or if they instead act responsibly and inform the web site admin?

    Myself, I'd agree with Jeff and Morb and the others that inform the admin. 



  •  Don't worry, everyone, I emailed Slashdot to have the problem fixed.



  • @OzPeter said:

    Totally agree. It is not my idea of a job, but it could be someone else's idea of a job.

    Let's strap laptops to homeless people and use that to gather a list of open access points! 



  • @morbiuswilters said:

    Let's strap laptops to homeless people and use that to gather a list of open access points!

    Man you're not thinking straight. As soon as a homeless person walks into an area where people can afford to have open wi-fi then someone's going to call the cops on him, and then ask where the hell he got that laptop from.


    What you need is an unobtrusive way to sneak into people's neighbourhoods .. something that will blend in, something that people will want to have.


    That something is squirrels(*) .. squirrels with iPhones strapped to their backs, running a custom app that uses the wi-fi, the GPS and the phone system. Just overlay on a google maps mashup and there you go .. all the data you need for your wi-fi fixin' business

    (*) Can squirrel programming be considered a legitimate programming language?


  • @morbiuswilters said:

    @skippy said:

    Sure, it's fun to play around and feel all powerful when you find exploits

    No, it's incredibly lame

     

    Sorry, guess I wasn't clear (I do that a lot, so bear with me).  By playing around, I don't mean to drop tables.  I wouldn't do anything more than a proof of concept. It's like a sysadmin logging into the server as root at your workstation and forgetting to log out when he's done.  You get the feeling of having the power, but the fear of getting caught, or just some morals, wouldn't let you actually do anything.  The most you'd do is send an email to the company offering to buy everyone lunch.  And yeah, if you make enough money... it may not be worth your time.  I make enough money to be quite happy too, and my spare time is a luxury these days, so I wouldn't bother offering my services. But not everyone.  Some people would love to find a little desperate company that will hire them for $200/hr to fix their security.

    And as for walking around the neighborhood looking for exploits in wireless networks... That's really getting into the shady world of business ethics.  This would be a security company salesman walking through people's yards peeking through their windows looking for stuff worthy of stealing, then telling the people that they can protect that nice new 65" TV they "noticed" you had.  Plus that whole thing about it being more or less illegal to snoop on a neighbor's internet.  Could get you a lawsuit awfully quick.



  • @skippy said:

    And as for walking around the neighborhood looking for exploits in wireless networks... That's really getting into the shady world of business ethics.

    I didn't see any mention of looking for exploits in open wireless networks. It's kinda pointless anyway, what with the network being open and all. Unless you sell snake oil, that is.



  • @OzPeter said:

    * Can squirrel programming be considered a legitimate programming language?
    Only if they use SQL (Squirrel Query Language).
