
Previously on "The Sun Reporting Murdock Dead"


  • MarillionFan
    replied
    Duh!



  • NickFitz
    replied
    Originally posted by NickFitz:
    And on that subject: Choosing a bad password, the Rebekah Wade way



  • DaveB
    replied
    Originally posted by PinkPoshRat:
    hmm, thanks that's got me sold on the idea of what to learn when I start on my new contract. I shall attempt to learn SQL

    I know jack about SQL. I hope it's fairly easy to learn from CBT stuff?
    It's easy to learn to do it badly

    Actually it's pretty easy to learn to do it well too (from a security standpoint), it's just more work so people don't bother / think about it.

    Bounds checking, exception handling, escaping control characters, filtering key words etc. is all simple stuff, it just makes the job take longer. Most of that actually gets done on the front end though, rather than at the database SQL level.
    Last edited by DaveB; 19 July 2011, 13:05.



  • Pondlife
    replied
    Originally posted by Zippy:
    Nah. This is porn
    I keep clicking and the linky does nothing! WHY? Why would you do that to us?



  • Bunk
    replied
    Originally posted by Zippy:
    Nah. This is porn



  • Zippy
    replied
    Originally posted by Bunk:
    It's not proper porn though is it?
    Nah. This is porn



  • Zippy
    replied
    I think the Grauniad suggested there was a vulnerability in the Sun's "comment on this article" form, which could have allowed any SQL entered (as opposed to the usual 'i luv katie i think shes fab lol!') to be executed. The implication is that the Sun's web app passed this to the database without checking it first.



  • PinkPoshRat
    replied
    hmm, thanks that's got me sold on the idea of what to learn when I start on my new contract. I shall attempt to learn SQL

    I know jack about SQL. I hope it's fairly easy to learn from CBT stuff?



  • Bunk
    replied
    Originally posted by DodgyAgent:
    It may be unfashionable to think it or say it but anyone who has helped to break the power of the Unions, to question the sanctity of the BBC and socialism in general (and introduce porn to TV)
    is OK by me
    It's not proper porn though is it?



  • DodgyAgent
    replied
    It may be unfashionable to think it or say it but anyone who has helped to break the power of the Unions, to question the sanctity of the BBC and socialism in general (and introduce porn to TV)
    is OK by me



  • Bunk
    replied
    An example of cross site scripting would be if we could write <script type="javascript/text">alert('hello');</script> in a post and then when people viewed the thread the javascript was executed. This example would be harmless but it could do far nastier stuff like sending your session information off to someone who could then use it to pretend to be you.



  • Sockpuppet
    replied
    Originally posted by PinkPoshRat:
    someone please try to explain to me what an XSS attack is, in plain English please!

    I'm guessing the 'SQL injection' means the database has stuff added to it?
    XSS = Force one site to load infected info from another site. I.e. by having a security bug in a flash advert on your site and another site loads that you can infect users without taking over control of the other site.

    SQL Inject = instead of your name write "SELECT * user_perms;" etc etc to read user info. A badly written website wouldn't escape that and, instead of trying to insert your name in a comments form, would insert the SQL you had written, which the server will duly run.


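A worked version of the two mechanisms explained in this thread (the SQL injection described above by Sockpuppet, and the cross-site scripting example given by Bunk further down), added here as an example that is not from the thread or from any of the sites discussed: a constructed in-memory comment store with the string-concatenation defect beside its parameterised fix, plus escaped output. The table and function names are assumptions for the demo.

```python
import html
import sqlite3


def make_db():
    # Constructed stand-in for a news site's comment store; the table and
    # column names are assumptions for this demo, not from any real system.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (author TEXT, body TEXT)")
    return db


def save_comment_unsafe(db, author, body):
    # Defect: the poster's text is pasted straight into the SQL string, so any
    # quote or keyword in it becomes part of the statement the database runs.
    sql = f"INSERT INTO comments VALUES ('{author}', '{body}')"
    db.executescript(sql)  # runs every statement it finds in the string


def save_comment_safe(db, author, body):
    # Fix: placeholders hand the text over as data; the database never parses
    # it as SQL, so "SELECT ..." typed into the form is stored as plain text.
    db.execute("INSERT INTO comments VALUES (?, ?)", (author, body))


def unsafe_breaks_on_apostrophe(db):
    # An innocent name like O'Brien is enough to expose the defect: the
    # concatenated query is no longer valid SQL and the database rejects it.
    try:
        save_comment_unsafe(db, "O'Brien", "nice article")
        return False
    except sqlite3.OperationalError:
        return True


def count_rows(db):
    return db.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def bodies(db):
    return [row[0] for row in db.execute("SELECT body FROM comments")]


def render_comment(body):
    # XSS fix: escape on output, so a posted <script> tag is shown as text in
    # every reader's browser instead of being executed by it.
    return "<p>" + html.escape(body) + "</p>"
```

The apostrophe check is the quickest way to tell which path a form is on: if a plain O'Brien produces a database error, user text is being parsed as SQL.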

  • zeitghost
    replied
    Don't worry, I don't know what they're talking about either.

    If it's got more than 4k of memory and you don't program it in assembler, I start getting panic attacks.



  • PinkPoshRat
    replied
    someone please try to explain to me what an XSS attack is, in plain English please!

    I'm guessing the 'SQL injection' means the database has stuff added to it?


    I'm loving all of this twice as much as you guys are, not only is this all the best news story ever, but for me to try and understand what you're talking about is good fun too!!



  • DaveB
    replied
    Originally posted by fullyautomatix:
    If it was such a complete control of the server/CMS/file system whatever, why didn't they just modify the home page of "Sun" and put the story up there? Why a redirect? And why not a server side redirect rather than a client redirect?
    Probably because they had complete control of the new-times.co.uk site and could do what they wanted with it, all they could do on the main Sun site was mess with it via the CMS.
    Last edited by DaveB; 19 July 2011, 11:49.

