
Re: Google knows everything



"vdongen" <vdongen@hetisw.nl> writes:

> I wanted to know where the city I live in is:
> 
> Googlism for: 's-gravenzande
> 
> MYSQL Error in query:
> INSERT INTO googlism (ism,alpha,date,type) VALUES ('\'s-
> gravenzande', ''', now(), '3')
> Error: You have an error in your SQL syntax. Check the manual that 
> corresponds to your MySQL server version for the right syntax to use 
> near '3')' at line 1 
> 
> nice :)

Really nice. 

The problem here is, this is a potential security breach. I didn't
look further into it, but I think this could be exploited rather
trivially to execute shell code as the user the query runs under. From
there an attacker could run some local exploit and gain root...

This should be looked into by the webmaster of googlism (CC'ed) ASAP!

Regards, Ulli

-- 
Ullrich Jans                           Eichenstrasse 4
Tel: +49 89 74427834                   82024 Taufkirchen
Usenet: ujans@ullisys.pond.sub.org     RealUlli@IRC
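
In the quoted error the search term arrives escaped (`\'s-gravenzande`) while the second value is a bare quote (`'''`), which is what breaks the statement. The following is an added example, not part of the original message and not googlism's code: it reproduces that failure and shows bound parameters avoiding it, with SQLite standing in for MySQL. The schema, the guess that `alpha` holds the first character of the term, and all function names are assumptions.

```python
import sqlite3

# Assumed schema, inferred from the column list in the quoted error message.
SCHEMA = "CREATE TABLE googlism (ism TEXT, alpha TEXT, date TEXT, type TEXT)"


def escape(value):
    # Hand-rolled escaping. SQLite doubles the quote; the site's MySQL
    # output shows the backslash form instead.
    return value.replace("'", "''")


def insert_concatenated(conn, term):
    # Assumption: alpha is the first character of the search term.
    alpha = term[:1]
    # The term is escaped, but the value derived from it is not, so a
    # leading quote ends up raw inside the SQL text.
    sql = ("INSERT INTO googlism (ism,alpha,date,type) VALUES "
           "('%s', '%s', datetime('now'), '3')" % (escape(term), alpha))
    conn.execute(sql)


def insert_parameterized(conn, term):
    # Bound parameters: the values never become part of the SQL text,
    # so no per-field escaping can be forgotten.
    conn.execute(
        "INSERT INTO googlism (ism,alpha,date,type) "
        "VALUES (?, ?, datetime('now'), ?)",
        (term, term[:1], "3"),
    )


def demo():
    term = "'s-gravenzande"  # the input from the post
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    try:
        insert_concatenated(conn, term)
        concatenated_error = None
    except sqlite3.Error as exc:
        concatenated_error = str(exc)
    insert_parameterized(conn, term)
    rows = conn.execute("SELECT ism, alpha, type FROM googlism").fetchall()
    conn.close()
    return concatenated_error, rows


if __name__ == "__main__":
    print(demo())
```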


