Just a quick post today to introduce the first exhibit in the hall of software horrors. I won’t name the six-figure ERP package this gem came from, but based on my experience so far you will probably be seeing more of it.
During a routine import of employee data into our brand new system, the importer UI choked, apparently based on some table validation. What is interesting is that its response was to dutifully show me the SQL statement that failed and ask the user to fix it and resubmit.

The SQL Injection Attack Wizard
Notes and Disclaimers:
- Although it clearly looks like it, this is NOT a homegrown system. It is a commercially available and expensive COTS ERP package.
- The yellow window background isn’t their fault. We configured the software this way for the test environment to make it obvious you weren’t working in production.
- I have no idea what the “Ou” refers to in the SQL_Statement box; normally this screen shows the SQL statement that failed.
- Admittedly, the UI is for importing data into the system which implies the user had some rights to modify data anyway, but allowing the user to run arbitrary SQL in privileged mode is still quite scary.
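For contrast, here is how an importer can report a failed row without ever showing or accepting SQL. This is an added example, not code from the ERP package; the `employee` schema, the sample rows and the function names are constructed for illustration, with SQLite standing in for the real database.

```python
import sqlite3

# Constructed schema; the ERP's real tables are not shown on the page.
SCHEMA = """CREATE TABLE employee (
    emp_id INTEGER PRIMARY KEY,
    name   TEXT NOT NULL,
    dept   TEXT NOT NULL CHECK (dept IN ('ENG', 'FIN', 'OPS')))"""
INSERT = "INSERT INTO employee (emp_id, name, dept) VALUES (?, ?, ?)"
FIELDS = ("emp_id", "name", "dept")


def classify(exc):
    """Map a driver error to a fixed message; raw text belongs in server logs."""
    text = str(exc)
    if "UNIQUE" in text:
        return "duplicate employee id"
    if "NOT NULL" in text:
        return "required field is empty"
    if "CHECK" in text:
        return "value not allowed for this field"
    return "row rejected by database"


def import_employees(conn, rows):
    """Insert rows with bound parameters and return (inserted, rejects).

    A reject echoes the user's own row and a fixed reason, never SQL text,
    and nothing the user supplies is executed as a statement.
    """
    inserted, rejects = 0, []
    for n, row in enumerate(rows, start=1):
        fields = dict(zip(FIELDS, row))
        if len(row) != len(FIELDS):
            rejects.append({"row": n, "fields": fields, "reason": "wrong column count"})
            continue
        try:
            with conn:  # one transaction per row, so a bad row rolls back alone
                conn.execute(INSERT, row)
            inserted += 1
        except sqlite3.IntegrityError as exc:
            rejects.append({"row": n, "fields": fields, "reason": classify(exc)})
    return inserted, rejects


def demo():
    """Run the importer over constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    rows = [(1, "Ada", "ENG"), (1, "Bob", "FIN"), (2, "Cy", "HR"), (3, "Dee O'Brien", "OPS")]
    return conn, import_employees(conn, rows)
```

The user fixes the rejected rows in the import file and resubmits data, not a statement. The database account behind the importer should also hold only the rights the import needs, so that even a flaw in the UI cannot run in privileged mode.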