| Field | Value |
|---|---|
| echo: | |
| to: | |
| from: | |
| date: | |
| subject: | Pentest hack.. |
From: Ad

OK...we're deploying a webservice & esp wrt the recent fun & games wrt NHS systems up on't net & the security associated e.g. http://news.bbc.co.uk/1/hi/uk_politics/6594111.stm

> "The Department of Health has apologised for an apparent security lapse which allowed the personal details of junior doctors to be accessed online. Channel 4 News reported that a breach on the NHS Medical Training Application Service website allowed public access for at least eight hours. The department said the details had only been available briefly, and only to people making employment checks. Shadow health secretary Andrew Lansley said it was shocking and unacceptable. On Wednesday, Channel 4 News reported that a doctor had alerted them to a security breach allowing confidential details to be accessed."

So we're having our systems comprehensively pentested prior to public availability anyway...

Neat SQL injection: imagine a system which is eval'ing a user against a db using SQL. Std 1st line of SQL = `Select * from tableX where fieldA ='` e.g. tableX = "user" & fieldA = userID, but it doesn't really matter as the system is basically looking for a boolean & if true let him in & give him a sessionId.....

So.....fieldA value posted in the webform = `' or 1=1 --`

Neat.

Adam

--- BBBS/NT v4.01 Flag-5
 * Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267
@PATH: 379/45 1 633/267
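
As an added illustration (example code, not from the post above), the lookup built by string concatenation as Adam describes, beside the parameter-bound version that treats the posted value as data rather than SQL text. The in-memory `user` table and its rows are constructed here and stand in for the post's tableX/fieldA.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the post's tableX ('user') keyed by fieldA ('userID')."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (userID TEXT PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO user VALUES (?, ?)", [("alice", "Alice"), ("bob", "Bob")])
    return db


def user_exists_vulnerable(db, user_id):
    """The pattern the post describes: the posted value is pasted into the SQL string.

    Returns True when any row comes back, which is the 'boolean' the post says the
    system is really looking for before handing out a session.
    """
    sql = "SELECT * FROM user WHERE userID = '" + user_id + "'"
    return db.execute(sql).fetchone() is not None


def user_exists_safe(db, user_id):
    """Same check with a bound parameter: quotes and '--' inside the value cannot
    change the statement's structure, so only a real userID matches."""
    sql = "SELECT * FROM user WHERE userID = ?"
    return db.execute(sql, (user_id,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    injected = "' or 1=1 --"   # the value quoted in the post
    for label, fn in (("vulnerable", user_exists_vulnerable), ("safe", user_exists_safe)):
        print(f"{label:10s} alice -> {fn(db, 'alice')}")
        print(f"{label:10s} mallory -> {fn(db, 'mallory')}")
        print(f"{label:10s} {injected!r} -> {fn(db, injected)}")
```

Running it shows the concatenated query answering True for the injected value while the bound query answers False, which is the regression test worth keeping next to any such lookup.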
|
SOURCE: echomail via fidonet.ozzmosis.com