
SQL injection attack

who's at fault?

2:24 pm on Jun 13, 2011 (gmt 0)

5+ Year Member




My company's consumer site has just been attacked over the weekend. I've been in touch with our web developers, who have investigated the situation. The site is currently unavailable; I thought it best to take it down straight away. However, it turns out there is no maintenance contract for the site, which means we're not covered in any way.

Who is responsible here: the developers, the hosting company or our company?

At the moment the developers want to charge us for 3 days' work to fix the error in what is potentially their coding?
2:33 pm on Jun 13, 2011 (gmt 0)

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I am not a lawyer, etc. I think it really comes down to the wording of your working agreement with your developers.

From the moral standpoint? Successful SQL injections are the fault of the developers. Good code is not vulnerable to web-based SQL injections.
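To make the point above concrete (the thread does not include any of the site's code; this is an added illustration, not the developers' code), the block below builds a constructed in-memory subscriber table and runs the same lookup two ways: one that splices visitor input into the SQL text, and one that binds it as a parameter. The table name, column names and the probe string are all assumptions made up for the example. It uses sqlite3 rather than the MySQL the thread mentions because it runs offline with no server, but the distinction being shown is identical in PHP/MySQL: a bound parameter is only ever compared, never parsed as part of the statement.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the site's subscriber table (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO subscribers (email, password_hash) VALUES (?, ?)",
        [("alice@example.com", "hash-a"), ("bob@example.com", "hash-b")],
    )
    return conn


def lookup_unsafe(conn, email):
    # 'Before' form: the visitor's input becomes part of the SQL text, so
    # anything they type is interpreted by the database as SQL.
    sql = "SELECT email FROM subscribers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, email):
    # Hardened form: the statement is fixed and the value travels separately
    # as a bound parameter. It can only ever be compared against the column.
    sql = "SELECT email FROM subscribers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]


def demo():
    conn = make_db()
    # Constructed malformed input of the kind a tester submits into a login
    # form during review; a valid email never contains a quote character.
    probe = "nobody@example.com' OR '1'='1"
    return {
        "unsafe": lookup_unsafe(conn, probe),      # leaks every row
        "safe": lookup_safe(conn, probe),          # matches nothing
        "safe_legit": lookup_safe(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:11s} -> {rows}")
```

The unsafe lookup returns both subscribers for an input that is not anyone's address, which is the whole defect in one line; the parameterised lookup returns nothing for the probe and still finds the real address. A reviewer auditing a 2008 codebase is looking for exactly the first pattern (string concatenation or interpolation into SQL) and replacing it with the second, which is a mechanical change rather than three days of redesign per query.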
2:44 pm on Jun 13, 2011 (gmt 0)

5+ Year Member



From the moral standpoint? Successful SQL injections are the fault of the developers. Good code is not vulnerable to web-based SQL injections.
I tend to agree. Unfortunately I cannot find any paperwork other than the invoice for the original site build (this was built in 2008), way before my time here.

Contemplating moving the site & database away from the current developer/host to another developer, although I expect that will cost more than just the fee to fix it?
2:48 pm on Jun 13, 2011 (gmt 0)

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member



although I expect that will cost more than just the fee to fix it?

More than the fee to fix it, plus any potential future vulnerabilities?

I think it's fair enough that they charge you for their time to fix it (though 3 days? That seems excessive to me). But in 2008, it'd seem that they should've done a check for mysql injections before launching the code. Not doing so seems pretty delinquent to me.

In other words, if you're going to keep them, pay them. But consider moving on (though now may not be the time to move - first thing is get the site back online).
3:05 pm on Jun 13, 2011 (gmt 0)

5+ Year Member



Cheers for the replies guys. Just emailed the web developers I usually work with; will see what they say, but I suspect you're right, wheel.

I'd just like to get the site back up and running.
3:42 pm on Jun 13, 2011 (gmt 0)

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 5+ Year Member Top Contributors Of The Month



I'd just like to get the site back up and running.
If that's the priority, stick with the original coders. They built it, so they should know the code best. Anyone new is going to have to spend quite a bit of time looking through the code to get a feel for things.

Then again, if it was written 3 years ago, the original coders may need some time to get back up to speed on the project. Also, is it the same company you used before or the exact same people who wrote the code in 2008? If it's just the same company, it may end up being different coders (the old ones may have moved on to another company).

Remember, there are 3 options when coding: price, speed, quality. Consider yourself lucky to be able to get 2 out of 3 at any time.
4:16 pm on Jun 13, 2011 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



No code is ever perfect. Insist the code is thoroughly reviewed and as many issues as possible are fixed. If this is PHP, you'll be needing to make it fully PHP 5 compatible anyway. I'd guess that wouldn't have been done in 2008.
6:07 pm on Jun 13, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Your company. Software and resources to test these vulnerabilities are freely available - the web is full of attack signatures to type into forms and URLs - you should have tested one of their sites before using them.

I wouldn't spend too much on fixing it; SQL/XSS attacks evolve quickly & it's an indication of potentially more worrying problems. I'd look to a new system/supplier as it will be cheaper in the long run.
3:30 pm on Jun 14, 2011 (gmt 0)

5+ Year Member



Thanks for all the replies. As a company we would like some assurances from the developers that the issue is resolved and it won't happen again (I know hackers are determined and, as the old adage goes, if they can they will; just look at Sony, Epic Games and Codemasters recently).

What sort of guarantee should I be looking for? Apparently, I'm told by my sales director, they will offer a 6 week guarantee for the coding.

Never heard of that before.
9:09 pm on Jun 16, 2011 (gmt 0)

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month



Code warranty (guarantee) is quite common in software development, although 6 weeks is quite a short period - from my experience a 3 month warranty is more common. It basically means that any bug you find in that period will be fixed for free; after that period they can charge you for fixing the bug.

The best way to use this period is to get a good tester to test your site for the fixes they put in and to try to break what they have done. Anything you find within these 6 weeks in the area they were addressing should then be fixed for free.

In fact one should always insist on a clearly defined warranty period when ordering software from a third party.
10:06 am on Jun 17, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I agree, 3 months is quite normal in my experience too. It's normally stated as "bugs found within 3 months will be fixed FoC".

It nearly always gets missed because the client is not ready to start testing properly.
10:16 am on Jun 17, 2011 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



In most countries the same legislation as for product warranties applies in such cases. When there was no warranty agreement in the original contract, usually the standard warranty that is regulated by law kicks in.
1:14 pm on Jun 17, 2011 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



Any developer that doesn't phish for injections is not worth much.

Did they build the databases as well? What privileges were users given?
1:29 pm on Jun 17, 2011 (gmt 0)

5+ Year Member



The site was built in 2008; this is something I have inherited. There are 2 backend user logins with roughly 500 subscribers (tiny amount I know); the population and setup of the SQL database would have been handled by the developers.

The one bit of good news is our payment system is handled by WorldPay, so no financial info has been compromised.

Once the site is back I'm still going to have to write to all the subscribers asking them to log in and change their details; not looking forward to that.
6:59 pm on Jun 17, 2011 (gmt 0)

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



If this is a UK site, you have a legal obligation to inform the Information Commissioner about the break in and inform all of the customers.
1:13 pm on Jun 20, 2011 (gmt 0)

5+ Year Member



I have been drafting up an email this morning. I did not know about the Information Commissioner's Office though.
1:25 pm on Jun 22, 2011 (gmt 0)

5+ Year Member



I have been looking into notifying the ICO; assuming you only hold details for marketing your products, you're exempt.

This is processing for the purpose of advertising or marketing your business, activity, goods, or services and promoting public relations only in connection with that business or activity, or those goods or services.
This exemption only applies to data controllers who are advertising and marketing their own goods and services.
If you obtain personal data from a third party for the purpose of marketing your own goods and services, you will not lose the exemption.



Fixed the site but have since found more issues, it never ends lol