Re: [Sguil-users] FYI: squil/pads exploit
From: Bamm V. <bam...@gm...> - 2009-07-17 17:02:41
To clarify this, by "execute commands on the targeted SQL server", I meant SQL commands (SELECT, INSERT, DELETE, DROP, etc.), not commands on the OS of the SQL server.

Bamm

On Fri, Jul 17, 2009 at 10:33 AM, Bamm Visscher<bam...@gm...> wrote:
> Hey Everyone,
>
> This was reported to me about a month ago and I was not overly
> concerned. I still would not rate this bug as "serious".
>
> A few things to note:
>
> 1) The author reported this bug as "SQL Injection". SQL Injection is
> used to define a vulnerability where an unauthorized user is able to
> execute commands on the targeted SQL server. Neither the author of the
> report nor I have been able to do that and I do NOT believe it is
> possible.
>
> 2) This bug does allow a malicious user to force wrong data to be put
> into a column in the PADS asset table.
>
> 3) When this happens, MySQL immediately throws an error. Sguild
> catches that error and immediately logs it and exits. This is on
> purpose. Sguild did not "crash".
>
> Finally, most of you know that I recently switched employment and am
> working through a new intellectual property agreement. While I do not
> have any reason to be concerned (my new employer is being very
> gracious), it is still taking longer than expected. I am probably
> being way overcautious, but I would prefer to wait until this process
> has finished before I release any new code, including bugfixes.
> Although, if I believed this bug was serious, I would definitely get a
> fix out there immediately.
>
> I probably should have sent a note to the lists when this bug was
> first reported, and I apologize for not doing so.
>
> Bamm
>
> On Fri, Jul 17, 2009 at 5:08 AM, carlopmart<car...@gm...> wrote:
>> Hi all,
>>
>> http://www.milw0rm.com/exploits/9175
>>
>> Best regards.
>>
>> --
>> CL Martinez
>> carlopmart {at} gmail {d0t} com
>
> --
> sguil - The Analyst Console for NSM
> http://sguil.sf.net

--
sguil - The Analyst Console for NSM
http://sguil.sf.net
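The distinction Bamm draws above, between wrong data that the database rejects and SQL that an attacker gets executed, and the deliberate log-and-exit on a database error, can be shown with a small constructed ingest routine. This is an added example, not sguil's or PADS's code: the asset-table schema, the comma-separated field layout, the sample records and the function names are all assumptions made for the example, and SQLite CHECK constraints stand in for the MySQL error the thread describes.

```python
import ipaddress
import sqlite3

# Constructed stand-in for a PADS asset table. Column names, types and
# CHECK constraints are assumptions for this example, not sguil's schema.
# The CHECKs play the role that MySQL's own error plays in the thread:
# wrong data for a column is refused by the database, not silently stored.
SCHEMA = """
CREATE TABLE pads_assets (
    ip         TEXT    NOT NULL,
    port       INTEGER NOT NULL
               CHECK (typeof(port) = 'integer' AND port BETWEEN 0 AND 65535),
    proto      INTEGER NOT NULL
               CHECK (typeof(proto) = 'integer' AND proto BETWEEN 0 AND 255),
    service    TEXT    NOT NULL,
    app        TEXT    NOT NULL,
    discovered INTEGER NOT NULL CHECK (typeof(discovered) = 'integer')
);
"""

# Parameterized insert: field contents travel as bound values, never as SQL,
# so a quote or a "DROP TABLE" inside a field is stored verbatim as data.
INSERT = ("INSERT INTO pads_assets (ip, port, proto, service, app, discovered) "
          "VALUES (?, ?, ?, ?, ?, ?)")


def new_db():
    """In-memory database with the assumed asset table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def _num(field):
    # Hand digit strings to the driver as integers and anything else as text,
    # so the database, not the application, decides whether the value fits.
    return int(field) if field.isdigit() else field


def validate_asset(fields):
    """Raise ValueError if any field would not fit its column."""
    ip, port, proto, service, app, discovered = fields
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    if not (port.isdigit() and 0 <= int(port) <= 65535):
        raise ValueError("bad port")
    if not (proto.isdigit() and 0 <= int(proto) <= 255):
        raise ValueError("bad proto")
    if not discovered.isdigit():
        raise ValueError("bad timestamp")
    if not service or not app:
        raise ValueError("empty service/app")


def ingest(conn, line, validate=True):
    """Process one assumed 'ip,port,proto,service,app,discovered' record.

    Returns 'inserted', 'rejected' (refused before touching the DB) or
    'fatal' (the DB threw an error on wrong data; the caller decides what
    to do, e.g. log and exit as the thread describes sguild doing).
    """
    fields = line.rstrip("\n").split(",")
    if len(fields) != 6:
        return "rejected"
    if validate:
        try:
            validate_asset(fields)
        except ValueError:
            return "rejected"
    ip, port, proto, service, app, discovered = fields
    try:
        with conn:  # commit on success, roll back on error
            conn.execute(INSERT, (ip, _num(port), _num(proto), service,
                                  app, _num(discovered)))
    except sqlite3.IntegrityError:
        return "fatal"
    return "inserted"


def asset_count(conn):
    return conn.execute("SELECT COUNT(*) FROM pads_assets").fetchone()[0]


def stored_apps(conn):
    return [r[0] for r in conn.execute(
        "SELECT app FROM pads_assets ORDER BY rowid")]


if __name__ == "__main__":
    db = new_db()
    # Constructed sample records; the second carries SQL text in a field.
    for rec in ("192.168.1.10,80,6,www,Apache 2.2,1247843211",
                "192.168.1.10,443,6,https,x'); DROP TABLE pads_assets; --,1247843211",
                "192.168.1.10,70000,6,www,foo,1247843211"):
        print(ingest(db, rec, validate=False), "|", rec)
    print(asset_count(db), "rows; apps stored:", stored_apps(db))
```

With `validate=False` the routine behaves like the situation in the thread: a field holding SQL text is simply stored as a string (no statement runs, the table survives), while an out-of-range port or a non-numeric port reaches the database and comes back as an error, which is the point at which a daemon that prefers failing closed would log and exit. The `validate=True` path is one way to keep a single malformed sensor record from taking the collector down: refuse the record before the insert and keep serving.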