Comments on: BanLink Security Broken – Shocking SQL Reveals All!!!

By: jj

jj — Thu, 28 Jan 2010 17:24:37 +0000

*** Anyone that has been around the world of web programming long enough to be respectable in the business knows you have to use stored procedures to isolate the database. Better yet use a middle tier and the middle tier uses stored procedure calls further isolating the db. ***

Ugh, no actually you most certainly don’t. And I’ve been doing web apps since 1995. No reason to do that whatsoever. Just properly escape user-entered text.

By: deadlycodec

deadlycodec — Sat, 16 Jan 2010 12:07:45 +0000

@All Seeing Eye

Guess you should read this:
“Another solution commonly proposed for dealing with SQL injection attacks is to use stored procedures. Although stored procedures prevent some types of SQL injection attacks, they fail to protect against many others. For example, the following PL/SQL procedure is vulnerable to the same SQL injection attack shown in the first example.

procedure get_item (
itm_cv IN OUT ItmCurTyp,
usr in varchar2,
itm in varchar2)
is
open itm_cv for ‘ SELECT * FROM items WHERE ‘ ||
‘owner = ”’|| usr ||
‘ AND itemname = ”’ || itm || ””;
end get_item;

Stored procedures typically help prevent SQL injection attacks by limiting the types of statements that can be passed to their parameters. However, there are many ways around the limitations and many interesting statements that can still be passed to stored procedures. Again, stored procedures can prevent some exploits, but they will not make your application secure against SQL injection attacks. ”

-Quoted from OWASP @ http://www.owasp.org/index.php/SQL_Injection

By: deadlycodec

deadlycodec — Sat, 16 Jan 2010 11:53:20 +0000

“After the initial amusement wore off, I asked the source – who refers to himself as “a man with a lion face” – how simple URLs could reveal so much information. He replied, “poor coding, seems like. they don’t even take the quotes out of input or escape them. basically, you can inject your own queries into the database calls and have it return whatever data you want. a more malicious person might use it to get passwords, emails, or IPs of banlink administrators”.”

Just wanted to point out that it’s a common myth that all you have to do to mitigate SQL injection attacks is filter out single quotes, or escape them. Coldfusion 8 automatically escapes single quotes and I could still perform SQL injection by using the CHAR() function. There are other ways to get passed weak filtering that relies only on removing single quotes too. And SQL injection vulnerabilities are still among the most common – and devastating – on the web. They’re going to be even more common with the advent of PHP 6, since programmers will now have to sanitize input on their own. No more magic quotes xD

By: Varspet Taka

Varspet Taka — Mon, 11 Jan 2010 07:23:24 +0000

By: Isabel Wulluf

Isabel Wulluf — Sat, 24 Oct 2009 02:10:10 +0000

I was put on banlinks and not notified. I TP’d to a sandbox and was sent home. I IM’d the Sandbox’s owner who gave me access. Havne’t been able to view why I was banned. That is wrong in my book.

By: Up4 Dawes

Up4 Dawes — Mon, 05 Oct 2009 04:41:04 +0000

Well it’s been almost 2 yesrs for me since I was banned from NCI beach, which was managed or owned by Carl Metropolitan well I was banned for using a swear word as I was defending a newbie by a attack from one of that places
inner circle of kiss asses so I was banned by Mr. Metropolitan as of last week he is not associated with NCI anymore and told me he can’t help me..and I still banned from certain sims that used SLBanlink how id this if their servers are down?? SLBanlink appears to have met it’s long overdue fate…so why dosn’t Linden free all us political prisoners? and break the trusts manually themselves?

By: Alyx Stoklitsky

Alyx Stoklitsky — Tue, 29 Sep 2009 03:58:54 +0000

“To protect privacy, you may only view records for your own avatar”

To protect privacy my ass. This feature of banlink was added in to stop griefing groups sharing their banlink records to prove to eachother how many landowners they’d pissed off before the lindens caught them. It’s not to protect privacy atall – it’s to try and deprive griefers of using banlink as a scoreboard.

By: Bell Clanger

Bell Clanger — Tue, 29 Sep 2009 00:47:22 +0000

Well, looks like http://slbanlink.com/ is down, which is unfortunate, but the BanLink boxes are still sending avatars home despite this. If they have taken their site down for maintenance, shouldn't they also deactivate the banning system? As it is now, one has no appeals process - hardly democratic.

By: Sinden Lucks

Sinden Lucks — Sun, 27 Sep 2009 17:22:53 +0000

This is why I have little to do with SL anymore. I’ve said it for years, there are far too many children in SL. Either that, or SL harbors the most seriously mentally retarded people I’ve ever witnessed. Just read the posts in this thread. And I have news for you, either Linden continues to love to play games, or they are seriously hacked as well. My guess is both.

By: FWord Utorid

FWord Utorid — Sat, 26 Sep 2009 00:18:55 +0000

When I first got into SL, I didn’t have a lot of L$. So I wound up buying a small parcel of land. Well, apparently small parcels of land run afoul of some group of virtual treehuggers called ‘The Arbor Group’. I was insulted by someone called Nobody Fugazi, who claimed I was an ad farmer, when really I just wanted a little spot to call home. So, in response, I put up a sign that said, plainly, “I think Nobody Fugazi is dumb.”. Later on, in numerous locations, I began to get repeated messages that something was attempting to ‘teleport me home’. It didn’t function properly, but I got the message. This particular virtual tree hugger likes to use their system and their land to terrorize anyone who disagrees with them. I think these little systems are fantastic for proving who among us has a power trip. IRC operators or moderators that work to try to censor what people say really just wind up with egg on their face later. I still think Nobody Fugazi is dumb.