Bug 451084 - SQL Inject me failure internal server 500 error
Status: CLOSED NOTABUG
Product: Red Hat Collaboration Applications
Classification: Retired
Component: Wordpress
Version: 1.0
Hardware: All Linux
Priority: low Severity: low
Assigned To: Bret McMillan
srividya rapur
Reported: 2008-06-12 14:10 EDT by Ricky Broadnax
Modified: 2008-10-06 12:35 EDT
Doc Type: Bug Fix
Last Closed: 2008-08-22 12:29:41 EDT

Attachments:
SQL Inject Me Widgets Failure Screenshoot (451.52 KB, image/png)
2008-06-12 14:11 EDT, Ricky Broadnax
Description Ricky Broadnax 2008-06-12 14:10:26 EDT
Description of problem: SQL Inject me failure internal server 500 error


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Log into: https://propaganda-wpmu-bretm-virt2.usersys.redhat.com/wp-admin/
2. Logged in as admin/redhat
3. Clicked the Syndication link
4. Ran the SQL Inject Me automated testing tool which resulted in the failure
indicated in the attached file.


  
Actual results: Test Failure (1)


Expected results:


Additional info:
Comment 1 Ricky Broadnax 2008-06-12 14:11:36 EDT
Created attachment 309119
SQL Inject Me Widgets Failure Screenshoot
Comment 2 Ricky Broadnax 2008-06-12 14:24:24 EDT
Steps to Reproduce: 

Change step 2 to read: Clicked the Design - Widgets link
Comment 3 Bret McMillan 2008-06-12 14:36:57 EDT
Ricky, if I interpret the screenshot correctly, it's stating just that the page
returned a "bad error code" of 500 (Internal Server Error) when we tried to do
something naughty.  While not pretty, it's a reasonable response to a corner
case like a sql injection attack, provided that "nothing bad" happened to
anything at the data persistence level.

What sql did we actually try to inject, and what gives us the impression that
the attack was successful?
Comment 4 Steve Milner 2008-06-16 09:43:29 EDT
Bret,

I think what they are trying to say is that there *could* be an issue there
since it gave a 500 ... so if it was successful or not, they are not sure, but
they wanted to let you know so you could check it.
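
Added example, not part of the original bug or of the WordPress code base: one way to settle the question raised in comments 3 and 4 is to compare persistence state before and after the scanner's request instead of relying on the status code. The `widgets` table, both handlers and the probe strings are constructed for illustration, and SQLite stands in for the real database; the example goes slightly beyond the thread by also showing a 200 response that hides a change.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the application's tables.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE widgets (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO widgets VALUES (?, ?)",
                   [(1, "Search"), (2, "Archives"), (3, "Links")])
    db.commit()
    return db

def rows(db):
    # Snapshot of persistence state: {id: title}.
    return dict(db.execute("SELECT id, title FROM widgets"))

def _run(db, sql, params=()):
    # Map a database error to HTTP 500, as a typical handler would.
    try:
        db.execute(sql, params)
        db.commit()
        return 200
    except sqlite3.Error:
        db.rollback()
        return 500

def save_concat(db, widget_id, title):
    # Hypothetical handler that concatenates the request value into SQL.
    return _run(db, f"UPDATE widgets SET title = '{title}' WHERE id = {int(widget_id)}")

def save_param(db, widget_id, title):
    # Hypothetical handler using a parameterized statement.
    return _run(db, "UPDATE widgets SET title = ? WHERE id = ?", (title, int(widget_id)))

def triage(handler, widget_id, probe):
    """Return (status, ids of rows that changed without being entitled to)."""
    db = make_db()
    before = rows(db)
    status = handler(db, widget_id, probe)
    after = rows(db)
    changed = {k for k in before.keys() | after.keys() if before.get(k) != after.get(k)}
    # A failed request may change nothing; a successful one only its own row.
    allowed = set() if status == 500 else {widget_id}
    return status, sorted(changed - allowed)

if __name__ == "__main__":
    for handler in (save_concat, save_param):
        for probe in ("'", "x' --"):  # constructed scanner-style inputs
            print(handler.__name__, repr(probe), triage(handler, 1, probe))
```

The 500 from the concatenating handler leaves every row intact, while its 200 response is the one that rewrote rows it should not have touched, so the state comparison is the evidence and the status code is only a prompt to look.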
Comment 5 David Lawrence 2008-10-06 12:35:02 EDT
Moving to product "Red Hat Collaboration Applications".