Buy the Whitehouse, get an SQL injection attack

The Internet casino and poker house GoldenPalace.com bought up the only known deed for The White House, as reported by The Inquirer.

Except that the link the Inq uses to get to the page telling the story at casinocitytimes.com revealed a little more information than it should have, because the URL on the Inq was mistyped: they tried to make two links but only made one broken one.

When I clicked on the link: http://www.casinocitytimes.com/news/article.cfm?contentID=153470%5D %20and%20here%20[http://realtytimes.com/rtcpages/20050831_titleinsurance.htm I received an error page that was obviously the result of an unchecked contentID being passed right from the URL into the SQL.

This is a classic case of unchecked user-supplied data being trusted, which leads to a compromise in security and some very red faces when some naughty people get hold of it.

I hope they fix it soon.
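
The failure described above, as an added example that is not part of the original post or the site's own code: Python with an in-memory SQLite table stands in for the site's ColdFusion page and database, and is fed the contentID from the mistyped link. The table, column and function names and the article title are assumptions constructed for the illustration.

```python
import sqlite3
from urllib.parse import urlsplit, parse_qs

# The mistyped link quoted in the post (two links fused into one).
BROKEN_URL = ("http://www.casinocitytimes.com/news/article.cfm?contentID=153470%5D "
              "%20and%20here%20[http://realtytimes.com/rtcpages/20050831_titleinsurance.htm")

def make_db():
    # Constructed stand-in table; the real site's schema is not known.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE articles (content_id INTEGER PRIMARY KEY, title TEXT)")
    db.execute("INSERT INTO articles VALUES (153470, 'GoldenPalace.com buys White House deed')")
    return db

def content_id_from(url):
    # Decoded query-string value, exactly as a web framework would hand it over.
    return parse_qs(urlsplit(url).query).get("contentID", [""])[0]

def lookup_unchecked(db, raw_id):
    # Vulnerable pattern: the URL value becomes part of the SQL text,
    # and the database error is shown to the visitor.
    try:
        row = db.execute("SELECT title FROM articles WHERE content_id = " + raw_id).fetchone()
        return (200, row[0]) if row else (404, "not found")
    except sqlite3.Error as exc:
        return 500, f"SQL error: {exc}"

def lookup_checked(db, raw_id):
    # Hardened: allow-list the value as a short decimal integer, then bind it
    # as a parameter so it is never parsed as SQL. Errors stay server-side.
    if not (raw_id.isascii() and raw_id.isdigit() and len(raw_id) <= 10):
        return 400, "bad request"
    row = db.execute("SELECT title FROM articles WHERE content_id = ?",
                     (int(raw_id),)).fetchone()
    return (200, row[0]) if row else (404, "not found")

if __name__ == "__main__":
    db = make_db()
    raw = content_id_from(BROKEN_URL)
    print("contentID received:", repr(raw))
    print("unchecked:", lookup_unchecked(db, raw))
    print("checked:  ", lookup_checked(db, raw))
```

On a ColdFusion page like this one, the equivalent of the bound parameter is `cfqueryparam` with an integer SQL type inside the `cfquery`.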


All content © Paul Gregg, 1994 - 2024
This site http://pgregg.com has been online since 5th October 2000
Previous websites live at various URLs since 1994