Wednesday, October 14, 2009

Google & MVPs

For those who don't know who Jon Skeet is, he is an outstanding contributor to the C# community, from his daily answering of questions on Stack Overflow to his many excellent articles and books. Jon recently posted that his employer has asked him to turn down the MVP award for this year.

What employer wouldn't want their employees to be recognized as community leaders in Microsoft technologies? Google, for one, as they are Jon's current employer. Jon won't comment on why, so it leaves us to speculate about what the reasons might be. Even if there is a sensible reason for this, the silence leaves me feeling that it is due to the competition between the two companies. That has definitely soured my opinion of Google and its management team.

Thursday, October 1, 2009

Just trust me!!

Today I was working with my intern. We are using DotNetNuke to run a marketing site so that our product team can go in and tweak some things. We have a custom workflow in there, and a requirement that we save the results of the workflow into our own table so we can report on it later.

The workflow component has some facilities to do this, so he creates a table and a stored proc and gives it a shot. He is instantly greeted with a lovely error in the front end: Invalid Syntax Near xyz

I tell him that's not good, as it indicates the potential for a SQL injection attack. Fast forward three hours, and he is arguing with me that it's safe, that it can't be injected, and demands that I prove to him it can be done.

Not wanting to take the time or effort to figure out the magic sequence, as this isn't something I do every day (contrary to popular belief, I don't sit around trying to hack), I tell him to trust me: parsing errors are easy to inject into. He doesn't buy it, and I can see he is going to be stubborn until I prove him wrong.

Fast forward ten minutes, and I found that injecting with this forms component was as simple as entering a string like the following for the last field:

injectComing' select * from aspnet_users--

Watching with Profiler, we quickly saw three key events. First was a Batch Starting event which looked something like this:

exec myProc '','','','injectComing' select*from aspnet_users--';

Second was a SQL Stmt Starting event:

exec myProc '','','','injectComing'

Third was another SQL Stmt Starting event:

select*from aspnet_users--';
Needless to say, now he is working on a custom module so we can execute the SQL as a parameterized query and avoid all this ass ache. Moral of the story? While you shouldn't always trust everyone, you should trust your boss who has 10 more years of experience. And if you don't, you try and prove him wrong; don't demand that your boss prove himself.
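What that custom module boils down to, as an added illustration that is not the post's or DotNetNuke's own code: the first function reproduces the string-splicing shape that yields the batch seen in Profiler (a quote in the last field closes the literal and everything after it is parsed as a second statement), and the second is the parameterized replacement. The proc name and the parameter names @Field0..@FieldN are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Constructed illustration of the two shapes discussed in the post.
static class WorkflowSaver
{
    // The shape that produces the post's Profiler trace: field values are
    // spliced into an EXEC string, so the quoting of the data decides where
    // the statement ends. Shown only so the difference is visible; never use.
    public static string BuildUnsafeBatch(string procName, params string[] fields)
    {
        // e.g. exec myProc '','','','<last field>';
        return "exec " + procName + " '" + string.Join("','", fields) + "';";
    }

    // The replacement: the proc is invoked as a stored procedure call and every
    // field travels as a typed parameter. A quote inside a value never reaches
    // the parser as SQL, so the batch/statement split seen above cannot happen.
    public static int SaveWorkflowResult(SqlConnection conn, string procName,
                                         params string[] fields)
    {
        using (var cmd = new SqlCommand(procName, conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            for (int i = 0; i < fields.Length; i++)
            {
                // @Field0..@FieldN: assumed parameter names for the assumed proc.
                var p = cmd.Parameters.Add("@Field" + i, SqlDbType.NVarChar, 4000);
                p.Value = fields[i] ?? (object)DBNull.Value;
            }
            return cmd.ExecuteNonQuery();
        }
    }
}
```

With the parameterized version the same input shows up in Profiler as a single RPC call carrying the value as a parameter, not as a batch that splits into two statements.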

Gahh Interns!