Question:  What is an SQL injection crack, and what did this developer
do wrong to make his site so crackable?

I want to be sure I'm not doing the same thing.

Casey




-----Original Message-----
From: J.R. Pitts [mailto:listuser@;wjponline.com] 
Sent: Friday, October 25, 2002 8:51 PM
To: [EMAIL PROTECTED]
Subject: [wdvltalk] ETHICS: Should I tell them their web site is
insecure?


Here's the situation.

Several months ago I was contacted by a potential client about doing a
web site for them. They wanted to provide a service through their web
site for which they would charge and accept payment via credit cards.

Long story shortened: I didn't get the job. I inquired a couple of
times, but was never re-contacted. I figured they just weren't going to
do it.

Well, they did do it, but had someone else program it. I was somewhat
miffed that they used someone else.

I was looking around the "free" area and noticed numerous spelling,
grammatical, and other errors. It hit me how unprofessional the job was,
and I wondered just exactly how secure it was.

It was _very_ insecure. The web site was wide open to SQL injection
cracks. We're talking script-monkey easy.

There for the taking are all of their customers' names, addresses, IDs
and passwords, SSNs, phone numbers, *CREDIT CARD NUMBERS AND EXPIRATION
DATES* with billing addresses.

Do I tell them? My initial reaction was to tell them. My main motivation
was "See what you got? You're gonna get hacked." I can tell them they
have a problem and here's what people can do. If you want me to tell you
how to fix it, that's gonna cost you.

I bounced this off some people whose opinion I deeply respect, but who
have no Internet law knowledge. The consensus is that I _had_ to tell
them they were vulnerable. I wasn't required to fix it for free or tell
them why they were vulnerable; but I had an ethical mandate to alert
them, because innocent people could get hurt.

But, if I tell them, they are going to want to know how I know. I
cracked into their web site. Although I would never use such
information, it could be argued that I performed an illegal activity
just by checking.

Other than checking with my lawyer, which I am already going to do, does
anyone have any suggestions? Anyone ever been in a similar situation?

J.R.
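As an added illustration of the mistake J.R. is describing and Casey is asking about (this is example code, not anything from either poster or from the site in question): a lookup that pastes user input into the SQL text, next to the same lookup done with a bound parameter. The table, column names and sample rows are constructed for the demo and run in an in-memory SQLite database.

```python
import sqlite3

# Constructed sample data standing in for the site's customer table.
SAMPLE_CUSTOMERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("o'brien", "obrien@example.test"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_vulnerable(conn, username):
    # The mistake: the input is spliced into the statement, so a quote character
    # in the input changes the grammar of the query instead of being the value
    # searched for.
    sql = "SELECT username, email FROM customers WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    # The fix: a placeholder sends the value separately from the SQL text, so
    # the database engine never parses it as SQL, whatever characters it holds.
    sql = "SELECT username, email FROM customers WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    conn = make_db()
    results = {}
    # 1. An ordinary name with an apostrophe breaks the concatenated query outright,
    #    which is the first visible symptom that input is being parsed as SQL.
    try:
        lookup_vulnerable(conn, "o'brien")
        results["vuln_apostrophe"] = "no error"
    except sqlite3.OperationalError:
        results["vuln_apostrophe"] = "syntax error"
    results["safe_apostrophe"] = lookup_safe(conn, "o'brien")
    # 2. Input that closes the quote and appends an always-true condition turns the
    #    WHERE clause into a tautology, so the vulnerable version returns every row.
    #    The parameterised version just searches for that literal string.
    payload = "' OR '1'='1"
    results["vuln_payload_rows"] = len(lookup_vulnerable(conn, payload))
    results["safe_payload_rows"] = len(lookup_safe(conn, payload))
    return results
```

Run `demo()` to see both symptoms side by side; in the vulnerable form the table's contents are exposed to anyone who can type into the form, which is what "wide open to SQL injection" means in practice.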


____ * The WDVL Discussion List from WDVL.COM * ____
To Join wdvltalk, Send An Email To: mailto:wdvltalk-join@;lists.wdvl.com 
       Send Your Posts To: [EMAIL PROTECTED]
To change subscription settings to the wdvltalk digest version:
    http://wdvl.internet.com/WDVL/Forum/#sub

________________  http://www.wdvl.com  _______________________


