The ultimate in usability, user friendly SQL Injection


Just a quick post today to introduce the first exhibit in the hall of software horrors. I won’t name the six-figure ERP package this gem came from, but based on my experience so far you will probably be seeing more of it.

During a routine import of employee data into our brand new system, the importer UI choked, apparently on some table validation. What is interesting is that its response was to dutifully show me the SQL statement that failed and ask the user to fix it and resubmit.

The SQL Injection Attack Wizard

Notes and Disclaimers:

  • Although it clearly looks like one, this is NOT a homegrown system. It is a commercially available and expensive COTS ERP package.
  • The yellow window background isn’t their fault. We configured the software this way for the test environment to make it obvious you weren’t working in production.
  • I have no idea what the “Ou” refers to in the SQL_Statement box; normally this screen shows the SQL statement that failed.
  • Admittedly, the UI is for importing data into the system which implies the user had some rights to modify data anyway, but allowing the user to run arbitrary SQL in privileged mode is still quite scary.
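To make the failure mode concrete, here is an added example (my own code, not the ERP vendor's) contrasting an importer that builds the INSERT by string concatenation and hands the failed statement back for editing with one that validates the row, binds values as parameters, keeps the database detail in a server-side log, and offers no "edit the SQL and resubmit" path at all. The employee table, the department list and the row dictionaries are constructed for the demonstration.

```python
"""Importer error handling: leaking the failed SQL vs. a parameterized, opaque failure."""
import sqlite3

# Constructed validation rule, standing in for the ERP's table validation.
VALID_DEPTS = {"HR", "IT", "OPS"}


def new_db():
    """In-memory employee table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT NOT NULL, dept TEXT NOT NULL)")
    return conn


def import_row_leaky(conn, row):
    """The pattern from the screenshot: the statement is built by string concatenation and,
    when validation fails, the SQL text itself is returned so the user can edit and resubmit it.
    Note that a perfectly legitimate name such as O'Brien also breaks the concatenated SQL."""
    sql = "INSERT INTO employee (name, dept) VALUES ('%s', '%s')" % (row.get("name"), row.get("dept"))
    if row.get("dept") not in VALID_DEPTS:
        return {"ok": False, "error": "table validation failed", "sql_statement": sql}
    conn.execute(sql)  # raises on the quote in O'Brien; with other input, runs whatever was built
    return {"ok": True}


def import_row_safe(conn, row, audit_log):
    """Validate first, bind values as parameters, log detail server-side, and tell the user
    only which row fields are wrong. The user fixes the data, never the SQL."""
    errors = []
    if not row.get("name"):
        errors.append("name")
    if row.get("dept") not in VALID_DEPTS:
        errors.append("dept")
    if errors:
        audit_log.append({"row": row, "invalid_fields": errors})
        return {"ok": False, "error": "validation failed", "fields": errors}
    try:
        conn.execute("INSERT INTO employee (name, dept) VALUES (?, ?)", (row["name"], row["dept"]))
    except sqlite3.Error as exc:
        audit_log.append({"row": row, "db_error": str(exc)})  # detail stays server-side
        return {"ok": False, "error": "database error", "fields": []}
    return {"ok": True}


if __name__ == "__main__":
    db, log = new_db(), []
    print(import_row_leaky(db, {"name": "Alice", "dept": "Sales"}))
    print(import_row_safe(db, {"name": "Alice", "dept": "Sales"}, log))
    print(import_row_safe(db, {"name": "O'Brien", "dept": "IT"}, log))
```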