| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: pauls at utdallas.edu (Schmehl, Paul L) Subject: Sql Injection big5 consultancy I would report it to them. It accomplishes several things; it establishes your credibility vis a vis your qualifications, it establishes your *honesty* (you were willing to warn them rather than take advantage of it), it gives you an opportunity to see how *they* will react when you warn them of an exploitable hole (do you really want to work for a company that would ignore such obvious blunders?) and it places you head and shoulders above their existing staff. Paul Schmehl (pauls@...allas.edu) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu/~pauls/ > -----Original Message----- > From: joseph blater [mailto:t5con@...mail.com] > Sent: Monday, June 23, 2003 12:49 AM > To: full-disclosure@...ts.netsys.com > Subject: [Full-Disclosure] Sql Injection big5 consultancy > > > Hello list, > > While updating my resume at a regional HR site of a top5 > consultancy, I > faced a programming bug (terribly written asp dissapeared > with my session > id), which returned an OLE Error. > I decided to make a little test, so I started playing with > sql injection. > Surprisingly, it worked. Every Sql Server attack I attempted > worked, no > stripping or customized exceptions. > So far, I counted over 50 fields in the same table... damned > be their dba. > This table has all candidate resumes and, deducing by the > names of the > fields, all employees resumes with current classification > inside the corp > (Potential,Supervisor,Inscription and so on).
Powered by blists - more mailing lists