View Single Post
Old August 6th, 2008, 21:21   #17
Administrator Malleus Veto
MadMorbius's Avatar
Join Date: Jan 2002
Location: Mississauga, Ontario
Send a message via ICQ to MadMorbius
Except you're incorrect. Well, partly.

SQL injection doesn't care if the server is linux, windows, etc. It's SQL, and therefore any SQL database is potentially vulnerable.

The Achilles Heel of any web server is the application layer. If the application layer doesn't properly santize and/or validate input, you can potentially read/write to the database with the permissions of the application...or more.

If you can compromise the tables that present site content, you can include a cross-site script call to a foreign web server. That call can be for ,oh, let's call it "ngg.js". You can Google that if you like, but for God's sake don't click on the results.

Ngg.js is JAVA. Java doesn't care what OS you're running, or even what browser you're running. It runs in it's own sandbox and is completley portable.

So the Java WILL execute if you haven't prevented javascript execution with a tool like NoScript under Firefox. The JS can include browser checks, which can be used to control WHAT malware is presented to you. IE, a Macintosh-specific trojan for a Safari browser.

Yes, I know that Safari also runs on Windows, but the point is that this is a targetted, blended threat, so the usual rules about ciruclating viruses that would affect the larger market don't apply...these are professional criminals and they're well aware that many people out there feel safe and secure behind their Mac and Linux systems, and therefore may treat certain things as "safer" where they wouldn't trust them on Internet Explorer.

Say for example, visiting your favourite news site and being presented with a dialogue box asking you to install a Codec that's required to view specific content...we know that people are stupid, and they'll hapilly click on anything if they think they'll be able to watch stupid movies or free porn. So, you're on a site that you trust, and you've watched streaming content there before. It's only logical that you may need to update your codec, isn't it?
Originally Posted by Deaf_shooter View Post
what if it model after his?
MadMorbius is offline   Reply With Quote