While you 2 guys are lecturing everyone, maybe you'll find a few minutes
to lecture the people that set the budgets for IT departments. You DO
realize that's where the problems start, right??? I know you must, since
both of you seem to be incredibly intelligent and all.

Cheers

Mark Groen wrote:
> On Monday 19 February 2007 03:06, der wert wrote:
>> I've found it true that nowadays the person that creates a website
>> handles the system administration on the server. I don't mean in larger
>> companies but the smaller ones. It seems that a lot of the webmasters
>> aren't fully up to the task; they use crutches such as packages like
>> cPanel, Plesk, or Webmin. It also seems true that many scripts that are
>> put on sites aren't understood by the webmasters. This has become a big
>> weakness: these users are able to get a website online, but the problem
>> is with keeping it online. They don't fully understand all of the
>> workings or all of the options for the config files that the WHM scripts
>> never show the user. There are so many points of a server that need to
>> be secured and monitored, and I fear that the further we get into the
>> technology age the more and more common these crutches are becoming and
>> more widely available. They've started to take over and now have become
>> a sort of standard for hosting companies. These crutches are becoming a
>> weakness; less and less knowledge is required in order to bring a site
>> online. So many of these sites have security flaws that are just waiting
>> for a malicious user to find. I would like to urge anyone that may be
>> reading this that doesn't have an understanding of how the server they
>> "manage" works: I urge them to start to learn the workings of all the
>> services. Try to learn the languages of the scripts you have running,
>> try to understand the security aspects of these languages. These types
>> of issues are a downfall and are the cause of servers being
>> hacked/defaced.
>>
>> I've had my little rant, feel free to comment.
>>
>> D
>
> Nice rant, and pretty much agree with it. I'm one of those people that
> troll web sites that you can't actually read unless you look at the
> source and follow some links in it to the real content, and have a
> chuckle along with everyone else when a site like Nokia Canada gets
> goatsed.
>
> Look that word up if you must, but trust me, it isn't a pretty sight
> unless you are into gross things.
>
> The Nokia case was a _very_basic_ SQL injection that should not have
> happened with a bit of forethought. It was typical of what I see all the
> time: the input for an admin log-in was totally unfiltered, and the SQL
> itself used wildcards no less. Dumb and dumber yet.
>
> Any odd mark would break it and show you the actual SQL error on the web
> page - which means a bad server set up too, getting dumber yet...
>
> From that day:
> SQL : Select * From adminwebusers Where Username = ''' And Password = ''
> just add ' OR 1='1 to the data you are sending and you're in, it's just
> that easy.
>
> Even if you aren't sure which application they are using, many times you
> only need to make it error out, and in many cases the table names are
> available right there on your screen. A Google shows you what the
> application is if you don't know already (in Nokia it didn't matter, no
> need to go any further to bork it), download, a quick grep through the
> code and the rest is history.
>
> But it isn't funny of course when it's your own web site that is borked.
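The unfiltered admin login Mark describes, beside the parameterised form that closes it, as an added example that is not code from the thread or from the site discussed; the table, credentials and in-memory SQLite database are constructed, and the payload is spelled '1'='1' in text form because SQLite, unlike the MySQL-style coercion the thread's bare 1='1' relies on, compares an integer literal to a text literal as unequal.

```python
"""Vulnerable string-built login versus a bound-parameter login (SQLite)."""
import sqlite3

# Constructed stand-in for the thread's "adminwebusers" table.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE adminwebusers (Username TEXT, Password TEXT)")
DB.execute("INSERT INTO adminwebusers VALUES ('admin', 'correct horse')")


def login_concatenated(username: str, password: str) -> bool:
    """The broken pattern: form input pasted straight into the SQL text."""
    sql = ("SELECT * FROM adminwebusers WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    try:
        return DB.execute(sql).fetchone() is not None
    except sqlite3.Error as exc:
        # The thread's second mistake: a stray quote mark breaks the query
        # and the raw error (including the SQL) is rendered on the web page.
        # A sane deployment logs this server-side and shows a generic page.
        print("SQL error that would leak to the page:", exc)
        return False


def login_parameterised(username: str, password: str) -> bool:
    """Same query with bound parameters: the quote in the input is data,
    not SQL, so the injected text is simply a username that does not exist."""
    row = DB.execute(
        "SELECT * FROM adminwebusers WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row is not None


# Payload in the spirit of the thread (text-form comparison for SQLite).
INJECTED = "' OR '1'='1"
```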