I would report it to them. It accomplishes several things: it establishes your credibility vis-à-vis your qualifications; it establishes your *honesty* (you were willing to warn them rather than take advantage of it); it gives you an opportunity to see how *they* will react when you warn them of an exploitable hole (do you really want to work for a company that would ignore such obvious blunders?); and it places you head and shoulders above their existing staff.
Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

> -----Original Message-----
> From: joseph blater [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 23, 2003 12:49 AM
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] Sql Injection big5 consultancy
>
>
> Hello list,
>
> While updating my resume at a regional HR site of a top5 consultancy, I
> faced a programming bug (terribly written asp disappeared with my session
> id), which returned an OLE Error.
> I decided to make a little test, so I started playing with sql injection.
> Surprisingly, it worked. Every Sql Server attack I attempted worked, no
> stripping or customized exceptions.
> So far, I counted over 50 fields in the same table... damned be their dba.
> This table has all candidate resumes and, deducing by the names of the
> fields, all employees' resumes with current classification inside the corp
> (Potential, Supervisor, Inscription and so on).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
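The quoted report names two defects in the HR site's ASP: the session id is spliced into SQL text, and the raw OLE error is returned to the browser. The following classic ASP/VBScript page is an added example, not code from the post or from the consultancy's site, showing that pattern (commented out) beside the parameterized, error-handled form; connStr, the candidates table and its columns, and the sid cookie are assumed placeholder names.

```vbscript
<%
' Added example, not code from the list post or the site it describes.
' ADO constants (from adovbs.inc) so the page does not depend on the include.
Const adCmdText = 1
Const adVarChar = 200
Const adParamInput = 1

' Assumed names: connStr, the "candidates" table and its session_id column
' are hypothetical placeholders for the HR site's real schema.
Dim connStr
connStr = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=hr;Integrated Security=SSPI;"

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
conn.Open connStr

' --- The pattern the report describes: untrusted input spliced into SQL text.
' A session id containing a quote changes the query rather than the value,
' and an unhandled failure surfaces the raw OLE/ADO error text to the browser.
' Dim sql
' sql = "SELECT * FROM candidates WHERE session_id = '" & Request.Cookies("sid") & "'"
' Set rs = conn.Execute(sql)

' --- Hardened form: the value travels as a typed parameter, never as SQL text,
' and driver errors are handled server-side instead of being echoed to the client.
Dim cmd, rs
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandText = "SELECT first_name, last_name FROM candidates WHERE session_id = ?"
cmd.CommandType = adCmdText
cmd.Parameters.Append cmd.CreateParameter("sid", adVarChar, adParamInput, 64, Request.Cookies("sid"))

On Error Resume Next
Set rs = cmd.Execute
If Err.Number <> 0 Then
    ' Err.Description holds the OLE error text: write it to the server log, never to Response.
    Response.Write "<p>We could not load your profile. Please try again later.</p>"
    Err.Clear
    Response.End
End If
On Error GoTo 0

Do Until rs.EOF
    Response.Write Server.HTMLEncode(rs("first_name") & " " & rs("last_name")) & "<br>"
    rs.MoveNext
Loop
rs.Close
conn.Close
%>
```

With the parameterized command, a session id containing quote or comment characters is matched literally against the column and simply returns no rows; the SQL Server error text that revealed the table layout never reaches the client.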
