Web Wiz - Green Windows Web Hosting - Celebrating 25 Years!


SQL Injections?

UnderWarrior (Newbie)
Posted: 29 June 2005 at 10:54am
One person took control of another user in my forum, and he said he did that using SQL injection in the forum.

Is there any such known vuln for version 7.91?
WebWiz-Bruce (Admin Group, Web Wiz Developer)
Posted: 29 June 2005 at 11:35am
All input is carefully screened using specially created filters, functions, etc. (over 3 months full-time work and 500 hours were spent on these filters and other security protection) to prevent any type of SQL injection.

Usually if someone gets in as another user it is because they have used an easy-to-guess password, or they used a shared computer and used the auto-login feature.
wistex (Mod Builder Group)
Posted: 03 July 2005 at 8:38pm
WWF is good at detecting SQL injection. I've had WWF tested by a friend of mine and he couldn't get in using that trick.

WWF's security is so good that I use it to power the login for my entire website. Any other scripts I install, I modify to use WWF to handle members and login/logout. Some of the other scripts I have purchased or downloaded from other people were vulnerable to that kind of attack, so modifying them to use WWF's member management made those scripts secure.
wistex (Mod Builder Group)
Posted: 03 July 2005 at 8:39pm
Have him e-mail you exactly what he did. I bet he won't. He's probably bluffing since he probably did what Borg suggested instead.
UnderWarrior (Newbie)
Posted: 04 July 2005 at 5:17am
He said something like "find yourself, I won't tell". Guess you're right.
JJLatWebWiz (Groupie)
Posted: 26 July 2005 at 2:05pm
WWF does seem to be well secured against SQL Injection exploits. I haven't gone through every last input field to make sure it uses the formatInput and formatSQLInput function, but coverage seems comprehensive. Here is a good introduction to SQL Injection attacks with some good examples to test: http://www.unixwiz.net/techtips/sql-injection.html

One area of vulnerability in WWF compared to the examples in the site above is that an attacker can easily acquire the entire source code and can know with near absolute certainty the name of every table and field.

Even if WWF were wide open to SQL Injection exploits, using SQL Injection alone, an attacker could not acquire a user password in order to act as that user. Using SQL Injection and still assuming WWF were vulnerable, an attacker could change the user email address and then reset the password in order to act as that user after the reset. Obviously the legitimate user could no longer log in with the old password and the email address would be a telltale sign of the attack.
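The email-change scenario described in the post above, together with the earlier claims about input filters and the formatInput/formatSQLInput functions, as an added example that is not code from this thread or from Web Wiz Forums. It rewrites the same "update my email address" query three ways against a constructed two-row members table (the table and column names are assumptions, not the forum's real schema) and runs a constructed payload through each. The quote-doubling filter is a generic stand-in for an escaping function; nothing is claimed here about what WWF's formatSQLInput actually does. The second attack shows the caveat a quote-escaping filter cannot cover: an unquoted numeric id concatenated straight into the WHERE clause.

```python
import sqlite3

# Constructed sample data. Table and column names are assumptions for the
# demonstration, not Web Wiz Forums' real schema.
MEMBERS = [
    (1, "attacker", "attacker@example.com"),
    (2, "victim", "victim@example.com"),
]

# Constructed payload: member 1 submits this as their own "new" address. It closes
# the string literal, retargets the WHERE clause at member 2 and comments out the rest.
PAYLOAD = "attacker@example.com' WHERE id = 2 --"


def fresh_db():
    """In-memory database seeded with the two constructed members."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO members VALUES (?, ?, ?)", MEMBERS)
    return conn


def update_email_vulnerable(conn, member_id, new_email):
    """Classic string concatenation: user input becomes part of the SQL text."""
    sql = ("UPDATE members SET email = '" + new_email + "'"
           " WHERE id = " + str(member_id))
    conn.execute(sql)


def update_email_escaped(conn, member_id, new_email):
    """Input filter that doubles single quotes before concatenation (a generic
    stand-in for an escaping function; not a claim about WWF's formatSQLInput).
    It closes the quoted-string hole but leaves the unquoted id untouched."""
    escaped = new_email.replace("'", "''")
    sql = ("UPDATE members SET email = '" + escaped + "'"
           " WHERE id = " + str(member_id))
    conn.execute(sql)


def update_email_param(conn, member_id, new_email):
    """Bound parameters: the driver passes values separately from the SQL text,
    so they are never parsed as SQL, in either the string or the numeric position."""
    conn.execute("UPDATE members SET email = ? WHERE id = ?", (new_email, member_id))


def emails(conn):
    """Current email address per member id."""
    return dict(conn.execute("SELECT id, email FROM members"))


def run_string_attack(update_fn):
    """Member 1 'changes their own address' using PAYLOAD; returns emails by id."""
    conn = fresh_db()
    update_fn(conn, 1, PAYLOAD)
    return emails(conn)


def run_numeric_attack(update_fn):
    """Same three functions, but the member id arrives as text straight from the
    request (constructed input) and lands in the unquoted WHERE clause."""
    conn = fresh_db()
    update_fn(conn, "1 OR id = 2", "attacker@example.com")
    return emails(conn)


if __name__ == "__main__":
    for fn in (update_email_vulnerable, update_email_escaped, update_email_param):
        print(fn.__name__)
        print("  string position:  ", run_string_attack(fn))
        print("  numeric position: ", run_numeric_attack(fn))
```

With the concatenated query, the payload moves the victim's address under the attacker's control, which is exactly the precondition for the "reset the password and log in" step the post describes. The quote-doubling filter stops that payload, but the unquoted id still lets a single request rewrite both rows; only the bound-parameter version leaves the victim's row alone in both cases, because the driver never lets the values reach the SQL parser.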
Forum Software by Web Wiz Forums® version 12.08
Copyright ©2001-2026 Web Wiz Ltd.