Bug 637402 - (sqlninja) Review Request: sqlninja - A tool for SQL server injection and takeover
Review Request: sqlninja - A tool for SQL server injection and takeover
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: Package Review (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Hicham HAOUARI
Fedora Extras Quality Assurance
: Reopened
Depends On: perl-NetPacket
Blocks: FE-SECLAB
  Show dependency treegraph
 
Reported: 2010-09-25 10:31 EDT by Arun S A G
Modified: 2014-09-26 08:03 EDT (History)
11 users (show)

See Also:
Fixed In Version: sqlninja-0.2.6-0.2.rc2.fc16
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-09-24 23:31:39 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
hicham.haouari: fedora‑review+
limburgher: fedora‑cvs+


Attachments (Terms of Use)

  None (edit)
Description Arun S A G 2010-09-25 10:31:27 EDT
Spec URL: http://sagarun.fedorapeople.org/SPECS/sqlninja.spec
SRPM URL: http://sagarun.fedorapeople.org/SRPMS/sqlninja-0.2.5-1.fc13.src.rpm
Description: 
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal
is to provide remote access to vulnerable DB server.
Comment 1 Hicham HAOUARI 2010-09-29 17:49:24 EDT
As per our discussion on IRC, I will look If the binary can be built on Fedora. Otherwise, I don't think we can ship them.
Comment 2 Arun S A G 2010-09-30 14:30:24 EDT
Now binaries are no longer included.

Spec URL: http://sagarun.fedorapeople.org/SPECS/sqlninja.spec
SRPM URL: http://sagarun.fedorapeople.org/SRPMS/sqlninja-0.2.5-2.fc13.src.rpm
Comment 3 Arun S A G 2010-10-03 22:18:56 EDT
Ok , i removed all the binary files. What about including text files in http://sqlninja.svn.sourceforge.net/viewvc/sqlninja/scripts/ ? Any clues? Is it allowed to include those *.scr files?
Comment 4 Hicham HAOUARI 2010-10-04 05:21:23 EDT
I would like to have Fedora Legal point of view on this before starting a review. Maybe we should cc spot.
Comment 5 Arun S A G 2010-10-04 16:41:49 EDT
(In reply to comment #4)
> I would like to have Fedora Legal point of view on this before starting a
> review. Maybe we should cc spot.

Yes. Please do. How long it takes for Fedora-Legal folks to respond?
Comment 6 Arun S A G 2010-10-16 11:15:04 EDT
ping.
Comment 7 Hicham HAOUARI 2010-10-17 12:43:14 EDT
No answer from FE-LEGAL yet.
Comment 8 d. johnson 2010-11-14 00:28:10 EST
See https://fedoraproject.org/wiki/Meeting:Board_meeting_2010-11-08#Basic_Information_2 for reference.

"# We won't allow the SQLninja package to be added to Fedora. (unanimous) "
Comment 9 Arun S A G 2010-11-14 01:08:20 EST
(In reply to comment #8)
> See
> https://fedoraproject.org/wiki/Meeting:Board_meeting_2010-11-08#Basic_Information_2
> for reference.
> 
> "# We won't allow the SQLninja package to be added to Fedora. (unanimous) "

Ok.
Comment 10 Tom "spot" Callaway 2010-11-15 08:58:18 EST
Reopening, as it is likely that the board will consider this again.
Comment 11 Tom "spot" Callaway 2011-02-21 16:42:25 EST
Upon further review, the Legal block on sqlninja is lifted.
Comment 12 Hicham HAOUARI 2011-02-21 18:59:54 EST
Thank you spot, I will review this package ASAP
Comment 13 Hicham HAOUARI 2011-02-21 20:09:51 EST
@Arun,

Did you try to build the winodws binaries using mingw ?
Comment 14 Hicham HAOUARI 2011-02-21 21:17:51 EST
hmm, Churrasco binary depends on DTC stuff which can't be shipped in fedora.
Comment 15 Hicham HAOUARI 2011-03-21 19:51:35 EDT
@Arun,

The software would be still useful without the binaries ?
Comment 16 Arun S A G 2011-03-21 23:24:31 EDT
(In reply to comment #15)
> @Arun,
> 
> The software would be still useful without the binaries ?

Yes! The software supports multiple modes, one of the mode is upload mode. Binaries are required for only upload mode. If the user wants to use upload mode, he can manually download these binaries.

Also please look into the scripts directory, the files under the scripts directory qualify as a binary?
Comment 17 Hicham HAOUARI 2011-03-22 07:27:23 EDT
(In reply to comment #16)
> (In reply to comment #15)
> > @Arun,
> > 
> > The software would be still useful without the binaries ?
> 
> Yes! The software supports multiple modes, one of the mode is upload mode.
> Binaries are required for only upload mode. If the user wants to use upload
> mode, he can manually download these binaries.
> 
> Also please look into the scripts directory, the files under the scripts
> directory qualify as a binary?

Of course not.

I am not sure if the tarball needs to be cleaned up from the binaries though, I will look more into that.
Comment 18 Hicham HAOUARI 2011-06-14 10:22:09 EDT
* BuildRoot and %clean are no longer needed unless you want use the spec in EPEL
* %{_sysconfdir}/%{name}.conf is listed twice
* License is GPLv2+
* Only Churrasco source have unclear license, so we need to ship a cleaned up tarball
* The other two binaries can be built on Fedora, and thus can be shipped, I will help with that if needed
Comment 19 Arun S A G 2011-07-03 08:33:31 EDT
Hi Hicham,

I reviewed this package. 

1. There seems to be a mismatch in fsf address, i have asked the upstream to fix that https://sourceforge.net/tracker/?func=detail&aid=3351225&group_id=152677&atid=785062

2. I don't see source code for nc.exe (netcat). 

How are you planning on to cross compile the payloads? mingw32?
Comment 21 Hicham HAOUARI 2011-07-10 06:46:44 EDT
(In reply to comment #19)
> Hi Hicham,
> 
> I reviewed this package. 
> 
> 1. There seems to be a mismatch in fsf address, i have asked the upstream to
> fix that
> https://sourceforge.net/tracker/?func=detail&aid=3351225&group_id=152677&atid=785062
> 
> 2. I don't see source code for nc.exe (netcat). 
> 
> How are you planning on to cross compile the payloads? mingw32?

Yes, and it will be a separate package
Comment 22 Arun S A G 2011-08-26 01:35:51 EDT
ping?
Comment 23 Hicham HAOUARI 2011-08-26 09:49:03 EDT
(In reply to comment #22)
> ping?

The spec looks fine. So it is

APPROVED
Comment 24 Arun S A G 2011-08-26 14:04:50 EDT
New Package SCM Request
=======================
Package Name: sqlninja
Short Description: A tool for SQL server injection and takeover
Owners: sagarun
Branches: F-14 F-15 F-16
InitialCC: shakthimaan
Comment 25 Jon Ciesla 2011-08-26 14:35:13 EDT
Git done (by process-git-requests).
Comment 26 Fedora Update System 2011-09-04 01:08:16 EDT
sqlninja-0.2.6-0.2.rc2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/sqlninja-0.2.6-0.2.rc2.fc14
Comment 27 Fedora Update System 2011-09-04 01:09:40 EDT
sqlninja-0.2.6-0.2.rc2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sqlninja-0.2.6-0.2.rc2.fc15
Comment 28 Fedora Update System 2011-09-04 01:10:50 EDT
sqlninja-0.2.6-0.2.rc2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sqlninja-0.2.6-0.2.rc2.fc16
Comment 29 Fedora Update System 2011-09-06 14:11:05 EDT
sqlninja-0.2.6-0.2.rc2.fc16 has been pushed to the Fedora 16 testing repository.
Comment 30 Fedora Update System 2011-09-24 23:31:32 EDT
sqlninja-0.2.6-0.2.rc2.fc14 has been pushed to the Fedora 14 stable repository.
Comment 31 Fedora Update System 2011-09-24 23:51:23 EDT
sqlninja-0.2.6-0.2.rc2.fc15 has been pushed to the Fedora 15 stable repository.
Comment 32 Fedora Update System 2011-09-30 14:42:45 EDT
sqlninja-0.2.6-0.2.rc2.fc16 has been pushed to the Fedora 16 stable repository.
Comment 33 Fabian Affolter 2014-09-25 15:10:57 EDT
Package Change Request
======================
Package Name: sqlninja
New Branches: el6 epel7
Owners: fab
InitialCC:
Comment 34 Jon Ciesla 2014-09-26 08:03:05 EDT
Git done (by process-git-requests).

Note You need to log in before you can comment on or make changes to this bug.