SQL Injection Attack Infects Thousands of Websites - Linux


Thread: SQL Injection Attack Infects Thousands of Websites

  1. SQL Injection Attack Infects Thousands of Websites

    http://www.modsecurity.org/blog/

    Well, well

    Didn't Erik F tell us just lately that there are no security holes for IIS?

    And don't the wintrolls fall over themselves asserting that they browse
    completely secure because they use "AV" (that fairy dust potion which
    averts "malware")
    --
    Tact, n.:
    The unsaid part of what you're thinking.


  2. Re: SQL Injection Attack Infects Thousands of Websites

    On Thu, 10 Jan 2008 09:40:36 +0100, Peter Köhlmann
    wrote:

    >http://www.modsecurity.org/blog/
    >
    >Well, well
    >
    >Didn't Erik F tell us just lately that there are no security holes for IIS?
    >
    >And don't the wintrolls fall over themselves asserting that they browse
    >completely secure because they use "AV" (that fairy dust potion which
    >averts "malware")


    "Long-Term Fix: Correct the Code

    Web Developers should identify and correct any Input Validation errors
    in their code"

    Nuff said, you idiot.


  3. Re: SQL Injection Attack Infects Thousands of Websites

    OK wrote:

    > On Thu, 10 Jan 2008 09:40:36 +0100, Peter Köhlmann
    > wrote:
    >
    >>http://www.modsecurity.org/blog/
    >>
    >>Well, well
    >>
    >>Didn't Erik F tell us just lately that there are no security holes for
    >>IIS?
    >>
    >>And don't the wintrolls fall over themselves asserting that they browse
    >>completely secure because they use "AV" (that fairy dust potion which
    >>averts "malware")

    >
    > "Long-Term Fix: Correct the Code
    >
    > Web Developers should identify and correct any Input Validation errors
    > in their code"
    >
    > Nuff said, you idiot.


    How come that Erik Funkenbusch tells us that there are no security holes for
    IIS?

    And this report tells us that there are

    And how come that the wintrolls (you and your filthy ilk) tell us that there
    are no problems surfing the web, they are "secure", they run AV software
    which protects them (and this report *again* tells us that wet paper bags
    are more secure)

    You have the nerve to call someone an idiot, but can't answer a single one
    of the questions?
    "Otto Kaiser", being a mentally challenged plant (a rotten one, to boot)
    does not excuse your total stupidity and dishonesty
    --
    Support bacteria -- it's the only culture some people have!


  4. Re: SQL Injection Attack Infects Thousands of Websites

    * Peter Köhlmann fired off this tart reply:

    > http://www.modsecurity.org/blog/
    >
    > Well, well
    >
    > Didn't Erik F tell us just lately that there are no security holes for IIS?
    >
    > And don't the wintrolls fall over themselves asserting that they browse
    > completely secure because they use "AV" (that fairy dust potion which
    > averts "malware")


    "If these web sites were front-ended by an Apache reverse proxy
    server (with ModSecurity and the Core Rules) then the back-end IIS/MS
    SQL application servers would have been protected against this
    attack. The free Core Rules, which are available for download from
    the ModSecurity web site, include SQL injection rules that would
    have identified and blocked this specific automated attack."

    --
    The increasing percentage of Vista isn't growth -- it's molting.

  5. Re: SQL Injection Attack Infects Thousands of Websites

    * OK fired off this tart reply:

    > On Thu, 10 Jan 2008 09:40:36 +0100, Peter Köhlmann
    > wrote:
    >
    >>http://www.modsecurity.org/blog/
    >>
    >>Didn't Erik F tell us just lately that there are no security holes for IIS?
    >>
    >>And don't the wintrolls fall over themselves asserting that they browse
    >>completely secure because they use "AV" (that fairy dust potion which
    >>averts "malware")

    >
    > "Long-Term Fix: Correct the Code
    >
    > Web Developers should identify and correct any Input Validation errors
    > in their code"
    >
    > Nuff said, you idiot.


    You missed the "Immediate Fix": Use ModSecurity and the Core Rules

    --
    The increasing percentage of Vista isn't growth -- it's molting.

  6. Re: SQL Injection Attack Infects Thousands of Websites

    In comp.os.linux.advocacy, Peter Köhlmann wrote on Thu, 10 Jan 2008 09:40:36 +0100:
    > http://www.modsecurity.org/blog/
    >
    > Well, well
    >
    > Didn't Erik F tell us just lately that there are no security holes for IIS?
    >
    > And don't the wintrolls fall over themselves asserting that they browse
    > completely secure because they use "AV" (that fairy dust potion which
    > averts "malware")


    Well, at least http://packages.gentoo.org is back up,
    but for quite awhile it was the victim of (and taken down
    because of) a similar attack. Apparently the code has
    since been vetted or replaced, though the page still looks
    a little weird formatting wise. I suspect a slightly
    munged CSS file.

    At some point SQL people will have to start using

    String q = "SELECT INFORMATION FROM A_RELATION WHERE KEY = ?";
    or
    String q = "SELECT INFORMATION FROM A_RELATION WHERE KEY = :1";

    and set a parameter (in Java, it's setString() on a
    PreparedStatement; I'd have to look regarding PHP or
    Python) as opposed to

    String q = "SELECT INFORMATION FROM A_RELATION WHERE KEY = " + k;

    That way, a semicolon in 'k' won't bodge up the works.

    As for AV, all that does is slow things down and recognize
    known attacks. It's better than nothing but isn't it
    even better to build a solid (metaphorical) wall rather
    than a wall of tissue paper and throw program recognition
    software in order to find rogue programs?

    --
    #191, ewill3@earthlink.net
    Insert random misquote here.

    --
    Posted via a free Usenet account from http://www.teranews.com
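
The contrast drawn in post 6, shown with Python's sqlite3 module as an added example that is not part of any post in the thread. It assumes an in-memory SQLite database standing in for the real back end, constructed rows, and hypothetical function names; the table and column names follow the post.

```python
import sqlite3

def make_db():
    """In-memory table named after the one in the post; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.execute('CREATE TABLE A_RELATION ("KEY" TEXT PRIMARY KEY, INFORMATION TEXT)')
    db.executemany(
        "INSERT INTO A_RELATION VALUES (?, ?)",
        [("alpha", "public note"),
         ("o'neil;1", "odd but valid key"),   # legitimate key with a quote and a semicolon
         ("admin", "private note")],
    )
    return db

def lookup_concat(db, k):
    """The pattern the post warns against: k becomes part of the SQL text."""
    q = "SELECT INFORMATION FROM A_RELATION WHERE \"KEY\" = '" + k + "'"
    return [row[0] for row in db.execute(q)]

def lookup_qmark(db, k):
    """Positional placeholder (the '?' form): k is bound as a value, never parsed as SQL."""
    q = 'SELECT INFORMATION FROM A_RELATION WHERE "KEY" = ?'
    return [row[0] for row in db.execute(q, (k,))]

def lookup_named(db, k):
    """Named placeholder, sqlite3's counterpart of the ':1' form in the post."""
    q = 'SELECT INFORMATION FROM A_RELATION WHERE "KEY" = :k'
    return [row[0] for row in db.execute(q, {"k": k})]

def compare(k):
    """Run the same lookup three ways on a fresh database and collect the results."""
    db = make_db()
    try:
        concat = lookup_concat(db, k)
    except (sqlite3.Error, sqlite3.Warning) as exc:
        # The concatenated text no longer parses as the intended statement.
        concat = "error: " + type(exc).__name__
    result = {"concat": concat,
              "qmark": lookup_qmark(db, k),
              "named": lookup_named(db, k)}
    db.close()
    return result

if __name__ == "__main__":
    # Constructed inputs: a normal key, a key that rewrites the WHERE clause
    # when concatenated, and a legitimate key containing ' and ;
    for k in ("alpha", "nosuch' OR '1'='1", "o'neil;1"):
        print(repr(k), compare(k))
```

With the bound parameter, the second input matches no row and the third finds exactly its own row; with concatenation, the second returns every row and the third fails to parse.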


  7. Re: SQL Injection Attack Infects Thousands of Websites

    On 2008-01-10, Peter Köhlmann wrote:
    > http://www.modsecurity.org/blog/
    >
    > Well, well
    >
    > Didn't Erik F tell us just lately that there are no security holes for IIS?
    >
    > And don't the wintrolls fall over themselves asserting that they browse
    > completely secure because they use "AV" (that fairy dust potion which
    > averts "malware")


    Last time I checked, an SQL Injection attack is not an IIS
    vulnerability... It is a vulnerability in the web app itself.

    --
    Tom Shelton

  8. Re: SQL Injection Attack Infects Thousands of Websites

    Tom Shelton wrote:

    > On 2008-01-10, Peter Köhlmann wrote:
    >> http://www.modsecurity.org/blog/
    >>
    >> Well, well
    >>
    >> Didn't Erik F tell us just lately that there are no security holes for
    >> IIS?
    >>
    >> And don't the wintrolls fall over themselves asserting that they browse
    >> completely secure because they use "AV" (that fairy dust potion which
    >> averts "malware")

    >
    > Last time I checked, an SQL Injection attack is not an IIS
    > vulnerability... It is a vulnerability in the web app itself.
    >


    Last time I checked Erik Funkenbusch held Apache liable for similar attacks.

    Why the double standards now?
    Because Erik F is a lying astroturfer, and defends wintendo?
    --
    Hardware, n.:
    The parts of a computer system that can be kicked.


  9. Re: SQL Injection Attack Infects Thousands of Websites

    On 2008-01-10, Peter Köhlmann wrote:
    > Tom Shelton wrote:
    >
    >> On 2008-01-10, Peter Köhlmann wrote:
    >>> http://www.modsecurity.org/blog/
    >>>
    >>> Well, well
    >>>
    >>> Didn't Erik F tell us just lately that there are no security holes for
    >>> IIS?
    >>>
    >>> And don't the wintrolls fall over themselves asserting that they browse
    >>> completely secure because they use "AV" (that fairy dust potion which
    >>> averts "malware")

    >>
    >> Last time I checked, an SQL Injection attack is not an IIS
    >> vulnerability... It is a vulnerability in the web app itself.
    >>

    >
    > Last time I checked Erik Funkenbusch held Apache liable for similar attacks.
    >


    If that's the case, then Erik is incorrect. The problem is most likely
    programmer error.

    > Why the double standards now?


    I hope you're not referring to me there. I wouldn't blame apache for
    this sort of thing...

    --
    Tom Shelton

  10. Re: SQL Injection Attack Infects Thousands of Websites

    Tom Shelton wrote:

    > On 2008-01-10, Peter Köhlmann wrote:
    >> Tom Shelton wrote:
    >>
    >>> On 2008-01-10, Peter Köhlmann wrote:
    >>>> http://www.modsecurity.org/blog/
    >>>>
    >>>> Well, well
    >>>>
    >>>> Didn't Erik F tell us just lately that there are no security holes for
    >>>> IIS?
    >>>>
    >>>> And don't the wintrolls fall over themselves asserting that they browse
    >>>> completely secure because they use "AV" (that fairy dust potion which
    >>>> averts "malware")
    >>>
    >>> Last time I checked, an SQL Injection attack is not an IIS
    >>> vulnerability... It is a vulnerability in the web app itself.
    >>>

    >>
    >> Last time I checked Erik Funkenbusch held Apache liable for similar
    >> attacks.
    >>

    >
    > If that's the case, then Erik is incorrect.


    He is. Yet he blames Apache, while at the same time claiming that IIS has
    had no problems

    > The problem is most likely programmer error.


    Maybe


    >> Why the double standards now?

    >
    > I hope you're not referring to me there. I wouldn't blame apache for
    > this sort of thing...
    >


    Still, the second part of my question still stands:
    "And don't the wintrolls fall over themselves asserting that they browse
    completely secure because they use "AV" (that fairy dust potion which
    averts "malware")"

    The wintendo lovers were so eerily silent on that one, given that they were
    just served *another* (it was far from a first time) example of how malware
    reaches their precious Toys-R-Us-machines
    --
    Hardware, n.:
    The parts of a computer system that can be kicked.


  11. Re: SQL Injection Attack Infects Thousands of Websites

    On Thu, 10 Jan 2008 11:59:54 +0100, Peter Köhlmann wrote:

    > How come that Erik Funkenbusch tells us that there are no security holes for
    > IIS?


    I don't know. Since I never said that, it would be kind of odd.

    > And this report tells us that there are


    No, it doesn't. It says that applications running under IIS have a common
    flaw that affects every web server that provides some form of
    programmability, short of having a sanitizing firewall in front of it.

    I've said that IIS6 has not had any critical flaws so far in its 5 year
    existence. I've said that Apache has had numerous critical flaws in that
    same timeframe.

    What I have not said is that IIS has no flaws, nor have I said that
    applications running under IIS cannot have flaws.

    Why are you lying about what I've said?

  12. Re: SQL Injection Attack Infects Thousands of Websites

    On Thu, 10 Jan 2008 14:52:09 -0600, Tom Shelton wrote:

    >> Last time I checked Erik Funkenbusch held Apache liable for similar attacks.

    >
    > If that's the case, then Erik is incorrect. The problem is most likely
    > programmer error.


    That's not the case. I didn't say that.

  13. Re: SQL Injection Attack Infects Thousands of Websites

    On Thu, 10 Jan 2008 22:20:14 +0100, Peter Köhlmann wrote:

    >> If that's the case, then Erik is incorrect.

    >
    > He is. Yet he blames Apache, while at the same time claiming that IIS has
    > had no problems


    So, you're changing your story now. Now you claim that I said "IIS has had
    no problems", where before you claimed I said IIS doesn't have any flaws.

    Of course I never said of those, though I have said that IIS6 has not had
    any critical vulnerabilities.

    And I don't, nor have I ever blamed Apache for a flaw in a user web
    application. Flaws in modules that ship with Apache, sure, but not user
    web apps.

    You're lying, Peter. Prove that I said what you are claiming. You won't,
    of course, because you can't. That won't stop you from pretending
    otherwise, though.

  14. Re: SQL Injection Attack Infects Thousands of Websites

    On Jan 10, 8:48 pm, Erik Funkenbusch
    wrote:
    > On Thu, 10 Jan 2008 14:52:09 -0600, Tom Shelton wrote:
    > >> Last time I checked Erik Funkenbusch held Apache liable for similar attacks.

    >
    > > If that's the case, then Erik is incorrect. The problem is most likely
    > > programmer error.

    >
    > That's not the case. I didn't say that.


    I didn't say you did. I just said "if" you said that... Though, I
    probably should have qualified that statement to make it more clear.

    --
    Tom Shelton

  15. Re: SQL Injection Attack Infects Thousands of Websites

    Erik Funkenbusch wrote:

    > On Thu, 10 Jan 2008 22:20:14 +0100, Peter Köhlmann wrote:
    >
    >>> If that's the case, then Erik is incorrect.

    >>
    >> He is. Yet he blames Apache, while at the same time claiming that IIS has
    >> had no problems

    >
    > So, you're changing your story now. Now you claim that I said "IIS has
    > had no problems", where before you claimed I said IIS doesn't have any
    > flaws.
    >
    > Of course I never said of those, though I have said that IIS6 has not had
    > any critical vulnerabilities.
    >
    > And I don't, nor have I ever blamed Apache for a flaw in a user web
    > application.



    Quit lying, Erik. I know, it is nearly impossible, being addicted and that,
    but at least try it

    --
    Microsoft: which revised Eula do you want to accept today?


  16. Re: SQL Injection Attack Infects Thousands of Websites

    Erik Funkenbusch wrote:

    > On Thu, 10 Jan 2008 11:59:54 +0100, Peter Köhlmann wrote:
    >
    >> How come that Erik Funkenbusch tells us that there are no security holes
    >> for IIS?

    >
    > I don't know. Since I never said that, it would be kind of odd.
    >
    >> And this report tells us that there are

    >
    > No, it doesn't. It says that applications running under IIS have a common
    > flaw that affects every web server that provides some form of
    > programmability, short of having a sanitizing firewall in front of it.
    >
    > I've said that IIS6 has not had any critical flaws so far in its 5 year
    > existence. I've said that Apache has had numerous critical flaws in that
    > same timeframe.
    >
    > What I have not said is that IIS has no flaws, nor have I said that
    > applications running under IIS cannot have flaws.
    >
    > Why are you lying about what I've said?


    I don't, because you did

    --
    Windows isn't unstable. It's spontaneous.


  17. Re: SQL Injection Attack Infects Thousands of Websites

    On Fri, 11 Jan 2008 09:36:37 +0100, Peter Köhlmann wrote:

    > Erik Funkenbusch wrote:
    >
    >> On Thu, 10 Jan 2008 11:59:54 +0100, Peter Köhlmann wrote:
    >>
    >>> How come that Erik Funkenbusch tells us that there are no security holes
    >>> for IIS?

    >>
    >> I don't know. Since I never said that, it would be kind of odd.
    >>
    >>> And this report tells us that there are

    >>
    >> No, it doesn't. It says that applications running under IIS have a common
    >> flaw that affects every web server that provides some form of
    >> programmability, short of having a sanitizing firewall in front of it.
    >>
    >> I've said that IIS6 has not had any critical flaws so far in its 5 year
    >> existence. I've said that Apache has had numerous critical flaws in that
    >> same timeframe.
    >>
    >> What I have not said is that IIS has no flaws, nor have I said that
    >> applications running under IIS cannot have flaws.
    >>
    >> Why are you lying about what I've said?

    >
    > I don't, because you did


    Stellar comeback there.

    "I'm rubber and you're glue"

    What are you? 10?

    Provide a reference.

  18. Re: SQL Injection Attack Infects Thousands of Websites

    Erik Funkenbusch wrote:

    > On Fri, 11 Jan 2008 09:36:37 +0100, Peter Köhlmann wrote:
    >
    >> Erik Funkenbusch wrote:
    >>
    >>> On Thu, 10 Jan 2008 11:59:54 +0100, Peter Köhlmann wrote:
    >>>
    >>>> How come that Erik Funkenbusch tells us that there are no security
    >>>> holes for IIS?
    >>>
    >>> I don't know. Since I never said that, it would be kind of odd.
    >>>
    >>>> And this report tells us that there are
    >>>
    >>> No, it doesn't. It says that applications running under IIS have a
    >>> common flaw that affects every web server that provides some form of
    >>> programmability, short of having a sanitizing firewall in front of it.
    >>>
    >>> I've said that IIS6 has not had any critical flaws so far in its 5 year
    >>> existence. I've said that Apache has had numerous critical flaws in
    >>> that same timeframe.
    >>>
    >>> What I have not said is that IIS has no flaws, nor have I said that
    >>> applications running under IIS cannot have flaws.
    >>>
    >>> Why are you lying about what I've said?

    >>
    >> I don't, because you did

    >
    > Stellar comeback there.
    >
    > "I'm rubber and you're glue"
    >
    > What are you? 10?
    >
    > Provide a reference.


    No. You are by now held to the "flatfish standard". That is, *no* references
    if demanded. Deny it all you want, you *did* say so. You did claim that
    there were no such problems with IIS. You often mentioned how bad Apache
    compares with IIS.

    Come on, deny it all you want. Are you really that thick to believe that all
    the other posters here don't remember as well?

    Pathetic, Erik. You sink deeper and deeper with your constant lies
    --
    Your conscience never stops you from doing anything. It just stops you
    from enjoying it.


  19. Re: SQL Injection Attack Infects Thousands of Websites

    On Fri, 11 Jan 2008 17:21:22 +0100, Peter Köhlmann wrote:

    > Erik Funkenbusch wrote:
    >
    >> On Fri, 11 Jan 2008 09:36:37 +0100, Peter Köhlmann wrote:
    >>
    >>> Erik Funkenbusch wrote:
    >>>
    >>>> On Thu, 10 Jan 2008 11:59:54 +0100, Peter Köhlmann wrote:
    >>>>
    >>>>> How come that Erik Funkenbusch tells us that there are no security
    >>>>> holes for IIS?
    >>>>
    >>>> I don't know. Since I never said that, it would be kind of odd.
    >>>>
    >>>>> And this report tells us that there are
    >>>>
    >>>> No, it doesn't. It says that applications running under IIS have a
    >>>> common flaw that affects every web server that provides some form of
    >>>> programmability, short of having a sanitizing firewall in front of it.
    >>>>
    >>>> I've said that IIS6 has not had any critical flaws so far in its 5 year
    >>>> existence. I've said that Apache has had numerous critical flaws in
    >>>> that same timeframe.
    >>>>
    >>>> What I have not said is that IIS has no flaws, nor have I said that
    >>>> applications running under IIS cannot have flaws.
    >>>>
    >>>> Why are you lying about what I've said?
    >>>
    >>> I don't, because you did

    >>
    >> Stellar comeback there.
    >>
    >> "I'm rubber and you're glue"
    >>
    >> What are you? 10?
    >>
    >> Provide a reference.

    >
    > No. You are by now held to the "flatfish standard". That is, *no* references
    > if demanded. Deny it all you want, you *did* say so. You did claim that
    > there were no such problems with IIS. You often mentioned how bad Apache
    > compares with IIS.


    So in other words, you now claim the right to say anything about anyone
    without any evidence to back it up, and expect people to believe you.

    Wow, you're pretty full of yourself, aren't you?

    Whatever you may think about me or my comments doesn't give you the right
    to claim omnipotence and exclusion from proving your claim.

    You *MIGHT* have a rational argument if you were responding to something I
    said, but instead you are the one making the initial claim here, and the
    burden of providing evidence on that, regardless of who it is, is up to
    you.

    Since you initiated the claim, you have to prove it.

    > Come on, deny it all you want. Are you really that thick to believe that all
    > the other posters here don't remember as well?


    Nobody has yet come to back you up. Anyone? Bueller?

    > Pathetic, Erik. You sink deeper and deeper with your constant lies


    Of the two of us, that term seems to apply more to you.

  20. Re: SQL Injection Attack Infects Thousands of Websites

    Erik Funkenbusch writes:

    > On Fri, 11 Jan 2008 17:21:22 +0100, Peter Köhlmann wrote:
    >>
    >> No. You are by now held to the "flatfish standard". That is, *no* references
    >> if demanded. Deny it all you want, you *did* say so. You did claim that
    >> there were no such problems with IIS. You often mentioned how bad Apache
    >> compares with IIS.

    >
    > So in other words, you now claim the right to say anything about anyone
    > without any evidence to back it up, and expect people to believe you.


    Now? He has ALWAYS refused to back up any of his made claims. The man is
    possibly a psychopath.

    >
    > Wow, you're pretty full of yourself, aren't you?
    >
    > Whatever you may think about me or my comments doesn't give you the right
    > to claim omnipotence and exclusion from proving your claim.
    >
    > You *MIGHT* have a rational argument if you were responding to something I
    > said, but instead you are the one making the initial claim here, and the
    > burden of providing evidence on that, regardless of who it is, is up to
    > you.
    >
    > Since you initiated the claim, you have to prove it.
    >
    >> Come on, deny it all you want. Are you really that thick to believe that all
    >> the other posters here don't remember as well?

    >
    > Nobody has yet come to back you up. Anyone? Bueller?


    spike1 will be along shortly with probing tongue.

    >
    >> Pathetic, Erik. You sink deeper and deeper with your constant lies

    >
    > Of the two of us, that term seems to apply more to you.


    Peter is one of the foulest and vile of the COLA advocates. Truth is no
    barrier to Peter's crazier ideas. As a Windows programmer by die, he
    STILL refuses to believe he is a Windows "user". He IS that much of a
    liar and a fraud.
