RE: MOSS 2007 Search Engine Vulnerability
Hey Christian,

I've never heard or seen anything to suggest either way, but I'd be surprised if MS wasn't on top of this; it's a common security threat. Would be very interested to know if it was injectable.

You could try your own testing? Punch in something like '--drop dbo.tblname'? Not sure of the SP schema. I'm sure MS would slap my wrist if I knew it off-hand, as it's not good practise :)

C

-----Original Message-----
From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of chris_py_...@manulife.com
Sent: Monday, 26 October 2009 12:25 PM
To: ozMOSS
Cc: ozMOSS; ozmoss-boun...@ozmoss.com
Subject: MOSS 2007 Search Engine Vulnerability

Hi Guys,

I was asked to provide information that the MOSS 2007 search engine is free from SQL Injection Vulnerability. We tried to search for information on Google about this but couldn't really find any resources (formal/papers) to back us up to claim that it's safe from SQL injection. It's a pain in the backside, these network people, I tell you (no offense to network guys :D, especially Nathan hehehe)

Regards
Christian

Disclaimer: This message is intended only for the use of the person to whom it is expressly addressed and may contain information that is confidential and legally privileged. If you are not the intended recipient, you are hereby notified that any use, reliance on, reference to, review, disclosure or copying of the message and the information it contains for any purpose is prohibited. If you have received this message in error, please notify the sender by reply e-mail of the misdelivery and delete all its contents. Opinions, conclusions and other information in this message that do not relate to the official business of the Company shall be understood as neither given nor endorsed by it.

___
ozmoss mailing list
ozmoss@ozmoss.com
http://prdlxvm0001.codify.net/mailman/listinfo/ozmoss
RE: MOSS 2007 Search Engine Vulnerability
I have two sets of business cards - one set specifically to deal with network admins and security Nazis :-) The latter has my certs on it.

If you want to deal with the security Nazi, then send them to securityfocus.com and search the database there. It contains a huge database of vulnerabilities across vendor and product. If anything has been found, it will be here.

http://www.securityfocus.com/vulnerabilities

Regards
Paul (CISSP and former anal retentive security Nazi :-)

-----Original Message-----
From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of chris_py_...@manulife.com
Sent: Monday, 26 October 2009 10:35 AM
To: ozMOSS
Cc: ozMOSS; ozmoss-boun...@ozmoss.com
Subject: RE: MOSS 2007 Search Engine Vulnerability

I have tried some common SQL injection methods like the '1=1' thing; however, it looks like it handles it fine. However, they are not entirely satisfied with the testing, as they need some sort of proof that it is 'really' free from the SQL injection threat. We might need to change the MOSS search engine to Google search because of this :(, this is so downright stupid. Sorry, I'm just being frustrated right now :)
RE: MOSS 2007 Search Engine Vulnerability
That's great, I wasn't aware of the automated tool, although I wasn't surprised someone actually wrote that :)

From: Paul Noone <paul.no...@ceosyd.catholic.edu.au>
Sent by: ozmoss-boun...@ozmoss.com
To: ozMOSS <ozmoss@ozmoss.com>
Date: 10/26/2009 10:47 AM
Subject: RE: MOSS 2007 Search Engine Vulnerability
Please respond to: ozMOSS <ozm...@ozmoss.com>

If SQL injection wasn't covered through basic coding best practices, then this threat would apply to every single input field within MOSS. I would be very surprised if MS didn't have this covered, but I have not spent any real time testing.

There's an add-on for Firefox that can be used for testing, which looks like the following. It basically provides a number of common injections to be inserted into every field (including hidden fields) on a page. You can also override the action and method.

(Embedded image moved to file: pic25230.jpg)
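The "basic coding best practices" Paul refers to above come down to one rule: user input reaches the database as a bound parameter, never as part of the SQL text. The following is an added example, not code from the ozMOSS thread or from SharePoint; it uses an in-memory SQLite table as a stand-in for a product's search store, and the table, its rows, and the search_concat / search_param / looks_like_injection_probe helpers are all constructed for this illustration. It puts a vulnerable search function beside its parameterised form and feeds both the same test string the thread's posters tried, so the difference in behaviour is visible, and adds a small log-side heuristic for spotting such probes.

```python
"""
Added example (not from the ozMOSS thread): a search box built on a
parameterised query versus the same query built by string concatenation.
Everything here (schema, rows, helper names) is constructed for the demo.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny table of documents with a 'public' flag."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE docs (id INTEGER PRIMARY KEY, title TEXT, public INTEGER)"
    )
    conn.executemany(
        "INSERT INTO docs (title, public) VALUES (?, ?)",
        [
            ("Annual report", 1),
            ("Holiday policy", 1),
            ("Board minutes", 0),
            ("Salary review", 0),
        ],
    )
    return conn


def search_concat(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable form: the user's term is spliced into the SQL text, so a
    quote character in the term ends the string literal and the rest of the
    term becomes SQL. A tautology plus a comment marker discards the
    'public = 1' restriction and returns every row."""
    sql = "SELECT title FROM docs WHERE public = 1 AND title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form: the term is passed as a bound parameter. The statement
    text is fixed; whatever the term contains is compared as a literal
    pattern, so an injection string simply matches nothing."""
    sql = "SELECT title FROM docs WHERE public = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def looks_like_injection_probe(term: str) -> bool:
    """Defender-side heuristic for request logs: a search term that carries a
    quote together with a tautology, comment marker or bare OR is worth an
    alert. This is detection only; the parameterised query is the fix."""
    t = term.lower()
    return "'" in t and ("1=1" in t or "--" in t or " or " in t)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 1=1 --"  # the kind of test string discussed in the thread
    print("concat :", search_concat(db, probe))  # returns all four rows, public or not
    print("param  :", search_param(db, probe))   # [] - no title contains that literal
    print("flag   :", looks_like_injection_probe(probe))  # True
```

Note that search_param also copes with legitimate terms that contain a quote (a surname such as O'Brien) without error, which the concatenated form cannot; that is the test a reviewer should run before accepting a "we tried 1=1 and it was fine" answer.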
RE: MOSS 2007 Search Engine Vulnerability
The SP Indexing process and how it works - randomized ...
http://technet.microsoft.com/en-us/magazine/2007.01.search.aspx

There are many more sources available.

-----Original Message-----
From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of chris_py_...@manulife.com
Sent: Monday, 26 October 2009 2:38 PM
To: ozMOSS
Cc: ozMOSS; ozmoss-boun...@ozmoss.com
Subject: RE: MOSS 2007 Search Engine Vulnerability

That's interesting, Paul, that probably can save me from this situation. Where can I find info about it? To be honest, I'm not quite sure how the query server and its indexes truly work.

From: Paul Turner <paul.tur...@dws.com.au>
Sent by: ozmoss-boun...@ozmoss.com
To: ozMOSS <ozmoss@ozmoss.com>
Date: 10/26/2009 11:22 AM
Subject: RE: MOSS 2007 Search Engine Vulnerability
Please respond to: ozMOSS <ozm...@ozmoss.com>

I don't think it CAN happen... the search (query server) uses the indexes that get populated by the indexer. There is no SQL access; it is reading the index off disk.

Regards,
Paul Turner
Senior Solutions Specialist
M: 0412 748 168 P: 08 8238 0912 F: 08 8234 5966
A: 66 Henley Beach Road, Mile End SA 5031
E: paul.tur...@dws.com.au W: www.dws.com.au
(Embedded image moved to file: pic22972.jpg) dws logo

ADVANCED BUSINESS SOLUTIONS LTD
This email and any files transmitted with it are confidential and are only for the use of the person to whom they are addressed. If you are not the intended recipient you have received this email in error and are requested to delete it immediately. Any opinion expressed in this e-mail may not necessarily be that of DWS Pty Ltd. Please consider the environment before printing this email.

From: ozmoss-boun...@ozmoss.com [mailto:ozmoss-boun...@ozmoss.com] On Behalf Of Paul Noone
Sent: Monday, 26 October 2009 1:24 PM
To: ozMOSS
Subject: RE: MOSS 2007 Search Engine Vulnerability

And a little bit of testing reveals that there is definitely some checking going on. Depending on your attempts, SharePoint returns an error I haven't seen before:

Your search cannot be completed because of a service error. Try your search again or contact your administrator for more information.

Regards,
Paul
Online Developer, ICT
CEO Sydney