[LINK] The ACS, TIPI and ICT in Australia
rchirgwin at ozemail.com.au
Sat Aug 19 19:27:43 AEST 2006
Rick,
Rick Welykochy wrote:
>--- Jan Whitaker <jwhit at melbpc.org.au> wrote:
>
>
>
>>At 01:05 PM 19/08/2006, Karl Auer wrote:
>>
>>
>>>and appears to contain the gist of the document:
>>>
>>>http://www.acs.org.au/index.cfm?action=notice&temID=noticedetails&notID=673O
>>>
>>>
>>cute:
>>
>>Error Executing Database Query.
>>[Macromedia][SQLServer JDBC Driver][SQLServer]Syntax error converting the
>>varchar value '673O' to a column of data type int.
>>
>>
>[BIG SNIP]
>
>The letter O was entered instead of the number zero for the variable notID.
>'673O' should be '6730'.
>
>The software is not resilient. Makes one wonder if any other more serious
>things could be fired at this cold fusion code to break it.
>
>What is far worse is that the error information (supposedly private and privileged
>data) was dumped to the public.
>
>
And worse, this is a long-standing habit of Cold Fusion which keeps
cropping up. I recall writing about a similar problem, reported by CERT,
in 2003. What seems to happen is that specific bugs causing the dump get
fixed, but the habit of producing the dump does not.
RC
>A "500 Internal Server Error" would have sufficed in this case, with the actual
>dump of information being sent privately to the webmaster.
>
>Cluestick, anyone?
>
>cheers
>rickw
>
>
>
>
>
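As an added illustration, not code from the thread or from the ACS site, here is a Python request handler for the notID parameter that does what rickw asks for: reject '673O' before the database driver ever sees it, and turn any backend failure into a bare 500 while the driver message goes only to a private server-side log. The lookup functions are constructed stand-ins for a real parameterised query.

```python
import logging
import re
from typing import Callable, Optional

# Private server-side log. Nothing appended here is ever copied into a response.
PRIVATE_LOG: list[str] = []

class _ListHandler(logging.Handler):
    def emit(self, record: logging.LogRecord) -> None:
        PRIVATE_LOG.append(self.format(record))  # includes traceback text

log = logging.getLogger("notice_handler")
log.addHandler(_ListHandler())
log.setLevel(logging.INFO)

_INT = re.compile(r"^\d+$")

# Constructed stand-in for the database lookup; the id is already a validated int here.
def lookup_notice(not_id: int) -> Optional[dict]:
    constructed = {6730: {"id": 6730, "title": "ACS notice (constructed sample)"}}
    return constructed.get(not_id)

# Constructed stand-in for a backend that blows up, mimicking the driver error quoted above.
def failing_lookup(not_id: int) -> Optional[dict]:
    raise RuntimeError("[SQLServer] Syntax error converting the varchar value (constructed)")

def handle_notice_request(raw_not_id: str,
                          lookup: Callable[[int], Optional[dict]] = lookup_notice) -> tuple[int, str]:
    """Return (status, body) for ?notID=<raw_not_id> without leaking internals."""
    # 1. Validate before touching the database. '673O' (letter O) fails here,
    #    so the driver never has to convert a varchar that is not an int.
    if not _INT.match(raw_not_id):
        log.warning("rejected non-numeric notID=%r", raw_not_id)
        return 400, "Bad Request"
    try:
        row = lookup(int(raw_not_id))
    except Exception:  # any backend failure gets the same public face
        # 2. Full detail (driver message, traceback) goes to the private log;
        #    the client sees only a generic status line, as rickw suggests.
        log.exception("database error for notID=%s", raw_not_id)
        return 500, "Internal Server Error"
    if row is None:
        return 404, "Not Found"
    return 200, f"Notice {row['id']}: {row['title']}"
```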