
SQL injection attack

who's at fault?

     
2:24 pm on Jun 13, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:June 25, 2007
posts:108
votes: 0



My company's consumer site has just been attacked over the weekend. I've been in touch with our web developers, who have investigated the situation. The site is currently unavailable; I thought it best to take it down straight away. However, it turns out there is no maintenance contract for the site, which means we're not covered in any way.

Who is responsible here: the developers, the hosting company or our company?

At the moment the developers want to charge us for 3 days' work to fix the error in what is potentially their coding.
2:33 pm on June 13, 2011 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Jan 30, 2002
posts:4842
votes: 1


I am not a lawyer, etc., but I think it really comes down to the wording of your working agreement with your developers.

From the moral standpoint? Successful SQL injections are the fault of the developers. Good code is not vulnerable to web-based SQL injections.
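The point above, that good code is not vulnerable to web-based SQL injection, comes down to how the query is built. The following is an added example, not code from the thread or from any of the posters; it uses Python's built-in sqlite3 module and a constructed two-row subscriber table (the thread's site is likely MySQL, possibly PHP, but the principle is identical: string concatenation lets input become SQL syntax, a parameterised query never does). It also includes the kind of simple pre-launch check a later reply says should have been run in 2008, and that a tester could use during a warranty period.

```python
import sqlite3

# Constructed sample data, not from the thread. Passwords are stored in the
# clear only to keep the example short; a real system stores password hashes.
SUBSCRIBERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Create an in-memory database with the constructed subscriber table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SUBSCRIBERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by concatenation: whatever the user types becomes part
    of the statement, so a quote in the input changes the query's logic."""
    sql = (
        "SELECT username FROM subscribers WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, username, password):
    """Parameterised query: the driver binds the values separately from the
    statement text, so input is only ever compared as data."""
    sql = "SELECT username FROM subscribers WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (username, password)))


def compare(username, password):
    """Run the same credentials through both versions and return both results."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "safe": login_safe(conn, username, password),
        }
    finally:
        conn.close()


def regression_check(login_fn):
    """Pre-launch / warranty-period test: a password that is not a real
    credential must never log anyone in. Returns True if login_fn passes."""
    conn = make_db()
    try:
        # Constructed test input: a quote followed by an always-true clause.
        return login_fn(conn, "alice", "' OR '1'='1") == []
    finally:
        conn.close()


if __name__ == "__main__":
    print(compare("alice", "s3cret"))          # both versions: ['alice']
    print(compare("alice", "' OR '1'='1"))     # vulnerable: both users; safe: []
    print(regression_check(login_vulnerable))  # False
    print(regression_check(login_safe))        # True
```

With valid credentials both functions behave the same, which is why a code review that only tries the happy path misses the bug. With the crafted password the concatenated version matches every row (the injected `OR` outranks the `AND` on the username), while the parameterised version matches nothing. A check like `regression_check` run against every form and URL parameter before launch, and again after each fix, is the cheap version of the testing the thread says should have been done.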
2:44 pm on June 13, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:June 25, 2007
posts:108
votes: 0


From the moral standpoint? Successful SQL injections are the fault of the developers. Good code is not vulnerable to web-based SQL injections.
I tend to agree. Unfortunately I cannot find any paperwork other than the invoice for the original site build (this was built in 2008, way before my time here).

Contemplating moving the site & database away from the current developer/host to another developer, although I expect that will cost more than just the fee to fix it?
2:48 pm on June 13, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member wheel is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Feb 11, 2003
posts:5063
votes: 11


although I expect that will cost more than just the fee to fix it?

More than the fee to fix it, plus any potential future vulnerabilities?

I think it's fair enough that they charge you for their time to fix it (though 3 days? That seems excessive to me). But in 2008, it'd seem that they should've done a check for MySQL injections before launching the code. Not doing so seems pretty delinquent to me.

In other words, if you're going to keep them, pay them. But consider moving on (though now may not be the time to move - first thing is get the site back online).
3:05 pm on June 13, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:June 25, 2007
posts:108
votes: 0


Cheers for the replies, guys. Just emailed the web developers I usually work with; will see what they say, but I suspect you're right, wheel.

I'd just like to get the site back up and running.
3:42 pm on June 13, 2011 (gmt 0)

Moderator This Forum from US 

WebmasterWorld Administrator lifeinasia is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Dec 10, 2005
posts:5550
votes: 24


I'd just like to get the site back up and running.
If that's the priority, stick with the original coders. They built it, so they should know the code best. Anyone new is going to have to spend quite a bit of time looking through the code to get a feel for things.

Then again, if it was written 3 years ago, the original coders may need some time to get back up to speed on the project. Also, is it the same company you used before or the exact same people who wrote the code in 2008? If it's just the same company, it may end up being different coders (the old ones may have moved on to another company).

Remember, there are 3 options when coding: price, speed, quality. Consider yourself lucky to be able to get 2 out of 3 at any time.
4:16 pm on June 13, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


No code is ever perfect. Insist the code is thoroughly reviewed and as many issues as possible are fixed. If this is PHP, you'll be needing to make it fully PHP 5 compatible anyway. I'd guess that wouldn't have been done in 2008.
6:07 pm on June 13, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2162
votes: 0


Your company. Software and resources to test these vulnerabilities are freely available - the web is full of attack signatures to type into forms and URLs - you should have tested one of their sites before using them.

I wouldn't spend too much on fixing it. SQL/XSS attacks evolve quickly & it's an indication of potentially more worrying problems. I'd look to a new system/supplier as it will be cheaper in the long run.
3:30 pm on June 14, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:June 25, 2007
posts:108
votes: 0


Thanks for all the replies. As a company we would like some assurances from the developers that the issue is resolved and it won't happen again (I know hackers are determined, and as the old adage goes, if they can they will; just look at Sony, Epic Games and Codemasters recently).

What sort of guarantee should I be looking for? Apparently I'm told by my sales director that they will offer a 6 week guarantee for the coding.

Never heard of that before.
9:09 pm on June 16, 2011 (gmt 0)

Moderator from GB 

WebmasterWorld Administrator 5+ Year Member Top Contributors Of The Month

joined:Apr 30, 2008
posts:2507
votes: 140


Code warranty (guarantee) is quite common in software development, although 6 weeks is quite a short period - from my experience 3 months' warranty is more common. It basically means that any bug you find in that period will be fixed for free; after that period they can charge you for fixing the bug.

The best way to use this period is to get a good tester to test your site for the fixes they put in and to try to break what they have done. Anything you found within these 6 weeks in the area they were addressing should then be fixed for free.

In fact one should always insist on a clearly defined warranty period when ordering software from a third party.
10:06 am on June 17, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:June 13, 2002
posts:2162
votes: 0


I agree, 3 months is quite normal in my experience too. It's normally stated as "bugs found within 3 months will be fixed FoC".

It nearly always gets missed because the client is not ready to start testing properly.
10:16 am on June 17, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:May 8, 2003
posts:1141
votes: 0


In most countries the same legislation as for product warranties applies in such cases. When there was no warranty agreement in the original contract, usually the standard warranty that is regulated by law kicks in.
1:14 pm on June 17, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member 5+ Year Member

joined:May 6, 2008
posts:2011
votes: 0


Any developer that doesn't phish for injections is not worth much.

Did they build the databases as well? What privileges were users given?
1:29 pm on June 17, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:June 25, 2007
posts:108
votes: 0


The site was built in 2008; this is something I have inherited. There are 2 backend user logins with roughly 500 subscribers (tiny amount, I know). The population and setup of the SQL database would have been handled by the developers.

The one bit of good news is our payment system is handled by WorldPay, so no financial info has been compromised.

Once the site is back, still going to have to write to all the subscribers asking them to log in and change their details. Not looking forward to that.
6:59 pm on June 17, 2011 (gmt 0)

Senior Member

WebmasterWorld Senior Member g1smd is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:July 3, 2002
posts:18903
votes: 0


If this is a UK site, you have a legal obligation to inform the Information Commissioner about the break in and inform all of the customers.
1:13 pm on June 20, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:June 25, 2007
posts:108
votes: 0


I have been drafting up an email this morning. I did not know about the Information Commissioner's Office though.
1:25 pm on June 22, 2011 (gmt 0)

Junior Member

5+ Year Member

joined:June 25, 2007
posts:108
votes: 0


I have been looking into notifying the ICO; assuming you only hold details for marketing your products, you're exempt.

This is processing for the purpose of advertising or marketing your business, activity, goods, or services and promoting public relations only in connection with that business or activity, or those goods or services.
This exemption only applies to data controllers who are advertising and marketing their own goods and services.
If you obtain personal data from a third party for the purpose of marketing your own goods and services, you will not lose the exemption.

Fixed the site but have since found more issues, it never ends lol