[LINK] The ACS, TIPI and ICT in Australia

Rick Welykochy pirkeepie at yahoo.com.au
Sat Aug 19 18:04:16 AEST 2006


--- Jan Whitaker <jwhit at melbpc.org.au> wrote:

> At 01:05 PM 19/08/2006, Karl Auer wrote:
> >and appears to contain the gist of the document:
> >
> >http://www.acs.org.au/index.cfm?action=notice&temID=noticedetails&notID=673O
> 
> cute:
> 
> Error Executing Database Query.
> [Macromedia][SQLServer JDBC Driver][SQLServer]Syntax error converting the 
> varchar value '673O' to a column of data type int.
[BIG SNIP]

The letter O was entered instead of the number zero for the variable notID.
'673O' should be '6730'.

The software is not resilient. Makes one wonder if any other more serious
things could be fired at this ColdFusion code to break it.

What is far worse is that the error information (supposedly private and privileged
data) was dumped to the public.

A "500 Internal Server Error" would have sufficed in this case, with the actual
dump of information being sent privately to the webmaster.

Cluestick, anyone?

cheers
rickw
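The two defects raised above, a parameter that is never checked for being an integer and a database error echoed to the browser, can be shown side by side in a small handler. This is an added example, not code from the ACS site or from anyone in this thread; the in-memory notices table, the query strings and the log sink are constructed here for illustration.

```python
"""Added example (not from the mailing-list thread): validate notID before it
reaches the database and, if a database error still occurs, log the detail
privately and return a bare 500 to the client."""
import logging
import re
import sqlite3
from urllib.parse import parse_qs

# Private error log: driver and SQL detail goes here, never into the response.
error_log = logging.getLogger("webmaster")
error_log.setLevel(logging.ERROR)


def make_db(with_table=True):
    """Constructed in-memory notices table standing in for the real one."""
    conn = sqlite3.connect(":memory:")
    if with_table:
        conn.execute("CREATE TABLE notices (notID INTEGER PRIMARY KEY, title TEXT)")
        conn.execute("INSERT INTO notices VALUES (6730, 'ACS, TIPI and ICT in Australia')")
    return conn


def parse_not_id(query_string):
    """Return notID as an int, or None if it is not a plain decimal integer.
    The letter O in '673O' fails here instead of reaching the database."""
    raw = parse_qs(query_string).get("notID", [""])[0]
    return int(raw) if re.fullmatch(r"[0-9]{1,9}", raw) else None


def handle_notice(query_string, conn):
    """Return (status, body). Bodies never carry driver or SQL detail."""
    not_id = parse_not_id(query_string)
    if not_id is None:
        return 400, "Bad Request"
    try:
        row = conn.execute("SELECT title FROM notices WHERE notID = ?", (not_id,)).fetchone()
    except sqlite3.Error as exc:
        # Full detail for the webmaster; the client sees only the status line.
        error_log.error("notice lookup failed for notID=%s: %s", not_id, exc)
        return 500, "Internal Server Error"
    return (200, row[0]) if row else (404, "Not Found")
```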




		