Error on Fox23news.com

Thread: Error on Fox23news.com

  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    30

    Error on Fox23news.com

    If you go to www.fox23news.com and use their search ability on their website... it opens an interesting server error.... Can anyone explain the security implications of this particular mistake?

    So upon closer inspection I guess it's just a mistake in ASP coding... since the variables are never shown (I didn't notice anyway, I don't program ASP) there is very little that an intruder could do, right?
    "All parts should go together without forcing. You must remember that the parts you are reassembling were disassembled by you. Therefore, if you can't get them together again, there must be a reason. By all means, do not use a hammer." -- IBM maintenance manual, 1975

  2. #2
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Yakes!

    Having your code displayed is not something you would usually want...
    In this case, at minimum, it does show some of the database tables' structure, which could potentially be useful for a would-be intruder...

    Also, (although I looked really quickly) I don't think I've seen the input being escaped... Potential SQL injection problem...

    Ammo
    Credit travels up, blame travels down -- The Boss

  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Let's also discuss the possibility of compromise via the D: drive if permissions are not properly set..... Let's also think about the fact that the data sources are enumerated so access could be gained to all the data, and who knows what else is held in that database..... some nice juicy passwords for example......

    This code should probably have been tested in production.....<S>
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  4. #4
    It's written in ASP.NET. If you click on the second link on the page, the 'Show complete source listing....' (or something like that), you get an autogenerated code listing of around 1600 lines! I would have attached it as a text file, but for some reason the AO graphics don't seem to be loading and I can't post a proper reply!
    Flod!

  5. #5
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Originally posted here by Nizead
    It's written in ASP.NET. If you click on the second link on the page, the 'Show complete source listing....' (or something like that), you get an autogenerated code listing of around 1600 lines! I would have attached it as a text file, but for some reason the AO graphics don't seem to be loading and I can't post a proper reply!
    Hum, yeah, well, we had noticed... that's what we've based our comments on...

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    Senior Member
    Join Date
    Jan 2003
    Posts
    242
    hEY IT'S A DAY LATER AND IT IS STILL MESSED UP!! i WOND(shoot, caps!) I wonder if that means there will be a job opening soon if it leads to something not in their best interest. Now, not working in the field, my immediate assumption is that stuff happens, but it's going on 24 hours. Isn't this a bit long???
    the only way to fix it is to flush it all away-tool

  7. #7
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,211
    Just posting the output so people know what the hell this thread is about after they fix it.
    It's not software piracy. I'm just making multiple off-site backups.

  8. #8
    Senior Member
    Join Date
    Oct 2001
    Location
    Texas!
    Posts
    270
    Has anyone emailed them about the problem, possible fixes, and WHY they would want to fix it?

    DISLEX

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    I wanted to e-mail em, but I just couldn't find an e-mail addy!

    Ammo
    Credit travels up, blame travels down -- The Boss

  10. #10
    Senior Member
    Join Date
    Dec 2002
    Location
    Fresnoooo
    Posts
    327
    I just e-mailed Clear Channel (the company who owns the website); this is what I wrote. Nothing fancy, but something that hopefully will get their gurus working on it! Here's what I wrote!

    To whom it may concern, as a security advocate, I feel that it is my duty to inform you that one of the websites on the Clear Channel network is a huge security vulnerability right now. http://www.fox23news.com/ when you use the search function, it gives you an error which displays very sensitive information about your network structure. Please forward this e-mail to your IT department!

    Also note, I am including the information available by the webpage, and have pasted it in the message for your review.


    . . . hopefully, they'll fix it!
    Because I am a woman, I must make unusual efforts to succeed. If I fail, no one will say, "She doesn't have what it takes"; They will say, "Women don't have what it takes".
    Clare Boothe Luce
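
The behaviour discussed in this thread (an ASP.NET error page that shows source code and a complete source listing to any visitor) is controlled by the site's web.config. The fragment below is an added example, not part of the original thread and not the site's own configuration; the redirect page names are hypothetical.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example: error-handling settings for an ASP.NET site. -->
<configuration>
  <system.web>
    <!--
      Exposing setting, shown for comparison only:
        <customErrors mode="Off" />
      With mode="Off" every visitor receives the detailed error page:
      source excerpt, stack trace, file paths and, on compilation
      errors, the link to the complete generated source listing.
    -->

    <!--
      Corrected setting. RemoteOnly shows the detailed page only to
      requests made from the server itself; use mode="On" to hide it
      from everyone. Remote visitors are sent to a static page instead.
      GenericError.htm and InternalError.htm are hypothetical file names.
    -->
    <customErrors mode="RemoteOnly" defaultRedirect="GenericError.htm">
      <error statusCode="500" redirect="InternalError.htm" />
    </customErrors>

    <!-- Production builds should not be compiled in debug mode. -->
    <compilation debug="false" />

    <!-- Keep request tracing (trace.axd) off for remote clients. -->
    <trace enabled="false" localOnly="true" />
  </system.web>
</configuration>
```

Hiding the error page stops the source and table names from being disclosed, but it does not change how the search input is handled; the escaping concern raised in post #2 has to be fixed in the page code itself.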
