
SQL Injections?

Printed From: Web Wiz Forums
Category: Web Wiz Web App Support Forums
Forum Name: Web Wiz Forums
Forum Description: Support forum for Web Wiz Forums application.
URL: https://forums.webwiz.net/forum_posts.asp?TID=15660
Printed Date: 13 April 2026 at 1:47pm
Software Version: Web Wiz Forums 12.08 - https://www.webwizforums.com


Topic: SQL Injections?
Posted By: UnderWarrior
Subject: SQL Injections?
Date Posted: 29 June 2005 at 10:54am
One person took control of another user in my forum, and he said he did that using SQL injection in the forum.

Is there any such known vuln' for version 7.91?



Replies:
Posted By: WebWiz-Bruce
Date Posted: 29 June 2005 at 11:35am
All input is carefully screened using specially created filters, functions, etc. (over 3 months of full-time work and 500 hours were spent on these filters and other security protection) to prevent any type of SQL injection.

Usually if someone gets in as another user it is because they have used an easy-to-guess password, or they used a shared computer and used the auto-login feature.


-------------
Web Wiz Forums Hosting - https://www.webwiz.net/web-wiz-forums/forum-hosting.htm
ASP.NET Web Hosting - https://www.webwiz.net/web-hosting/windows-web-hosting.htm


Posted By: wistex
Date Posted: 03 July 2005 at 8:38pm
WWF is good at detecting SQL injection.  I've had WWF tested by a friend of mine and he couldn't get in using that trick.
 
WWF's security is so good, that I use it to power the login for my entire website.  Any other scripts I install, I modify to use WWF to handle members and login/logout.  Some of the other scripts I have purchased or downloaded from other people were vulnerable to that kind of attack, so modifying it to use WWF's member management made those scripts secure.


-------------
WisTex Solutions - http://www.wistex.com
CaribbeanChoice Forums - http://www.caribbeanchoice.com/forums


Posted By: wistex
Date Posted: 03 July 2005 at 8:39pm
Have him e-mail you exactly what he did.  I bet he won't.  He's probably bluffing since he probably did what Borg suggested instead.

-------------
WisTex Solutions - http://www.wistex.com
CaribbeanChoice Forums - http://www.caribbeanchoice.com/forums


Posted By: UnderWarrior
Date Posted: 04 July 2005 at 5:17am
He said something like "find yourself, I won't tell". Guess you're right.


Posted By: JJLatWebWiz
Date Posted: 26 July 2005 at 2:05pm
WWF does seem to be well secured against SQL Injection exploits.  I haven't gone through every last input field to make sure it uses the formatInput and formatSQLInput function, but coverage seems comprehensive.  Here is a good introduction to SQL Injection attacks with some good examples to test: http://www.unixwiz.net/techtips/sql-injection.html
 
One area of vulnerability in WWF compared to the examples in the site above is that an attacker can easily acquire the entire source code and can know with near absolute certainty the name of every table and field.
 
Even if WWF were wide open to SQL Injection exploits, using SQL Injection alone, an attacker could not acquire a user password in order to act as that user.  Using SQL Injection and still assuming WWF were vulnerable, an attacker could change the user email address and then reset the password in order to act as that user after the reset.  Obviously the legitimate user could no longer log in with the old password and the email address would be a telltale sign of the attack.
 
 
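The attack chain JJLatWebWiz describes (inject through a profile field, overwrite the victim's e-mail, then request a normal password reset), and the point Bruce's reply makes about input handling, can both be seen concretely in the following added example. It is illustration code written for this thread, not Web Wiz Forums code: the `users` table, its columns, the `update_signature_*` functions and the sample accounts are all constructed for the demo, and the hashing scheme stands in for whatever the forum actually uses. The vulnerable version pastes user input straight into the SQL; the safe version binds it as a parameter, so the same payload is stored as harmless text.

```python
"""Added example (not Web Wiz Forums code): second-order account takeover via
SQL injection in a profile update.  Schema, account names and e-mail
addresses are constructed sample data; the update functions are hypothetical
stand-ins for a forum's own profile-editing code."""
import hashlib
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema.  Passwords are stored as salted PBKDF2
    hashes, so even a successful SELECT injection would not yield a login
    password; the usable target is the e-mail address the reset goes to."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, "
        "salt BLOB, password_hash BLOB, signature TEXT)"
    )
    for user, pw, email in [("victim", "correct horse", "victim@example.net"),
                            ("attacker", "hunter2", "mallory@example.org")]:
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
        conn.execute("INSERT INTO users VALUES (?, ?, ?, ?, '')",
                     (user, email, salt, digest))
    return conn


def update_signature_vulnerable(conn, username: str, signature: str) -> None:
    """Profile update written the unsafe way: user input becomes SQL syntax."""
    sql = ("UPDATE users SET signature='" + signature + "' "
           "WHERE username='" + username + "'")
    conn.execute(sql)


def update_signature_safe(conn, username: str, signature: str) -> None:
    """Same update with bound parameters: the driver never lets the value
    alter the statement, so no quote-escaping filter is needed."""
    conn.execute("UPDATE users SET signature=? WHERE username=?",
                 (signature, username))


def email_of(conn, username: str) -> str:
    return conn.execute("SELECT email FROM users WHERE username=?",
                        (username,)).fetchone()[0]


def password_reset_target(conn, username: str) -> str:
    """A reset mails a new password to whatever address is on record, which
    is exactly why changing that address is enough to take the account."""
    return email_of(conn, username)


# Attacker's "signature" text.  The leading quote closes the string literal,
# the extra SET clause rewrites the victim's e-mail, the WHERE retargets the
# row, and '--' comments out the original WHERE clause.
PAYLOAD = "x', email='mallory@example.org' WHERE username='victim' --"


def run_attack(safe: bool) -> dict:
    """Runs the attacker's profile edit against a fresh database and reports
    where a subsequent password reset for 'victim' would be delivered."""
    conn = make_db()
    update = update_signature_safe if safe else update_signature_vulnerable
    update(conn, "attacker", PAYLOAD)
    return {
        "victim_email": email_of(conn, "victim"),
        "reset_goes_to": password_reset_target(conn, "victim"),
        "attacker_signature": conn.execute(
            "SELECT signature FROM users WHERE username='attacker'"
        ).fetchone()[0],
    }


if __name__ == "__main__":
    print("vulnerable:", run_attack(safe=False))
    print("safe:      ", run_attack(safe=True))
```

In the vulnerable run the victim's e-mail ends up as the attacker's address and the attacker's own signature is untouched (the injected WHERE pointed the update at the victim's row), so the next reset lands in the attacker's inbox; in the safe run the payload is stored verbatim as a signature and the victim's address is unchanged. The changed e-mail address is the artifact JJLatWebWiz points to as the telltale sign, so an audit of recent e-mail changes on an account that was "taken over" is the practical check.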



Copyright ©2001-2026 Web Wiz Ltd. - https://www.webwiz.net