Subject: Re: What makes different things lispy or unlispy?
From: rpw3@rpw3.org (Rob Warnock)
Date: Fri, 26 Jun 2009 07:17:14 -0500
Newsgroups: comp.lang.lisp
Message-ID: <aPqdnckRAv7XIdnXnZ2dnUVZ_qGdnZ2d@speakeasy.net>
Nicolas Neuss  <lastname@math.uni-karlsruhe.de> wrote:
+---------------
| rpw3@rpw3.org (Rob Warnock) writes:
| > Ahhh yezzz... And let us never forget Little Bobby Tables:
| >     http://xkcd.com/327/
| >     Exploits of a Mom
| 
| Wonderful!  
| 
| A maybe stupid question: How safe am I against something like this as a
| rather naive administrator of a webserver which uses CLSQL in the
| background?
+---------------

CLSQL isn't a problem per se; the problem is front-end web applications
that don't correctly validate and/or escape their client-supplied inputs.

In the XKCD example, the malicious input was:

    Robert'); DROP TABLE Students; --

so simply SQL-escaping the input correctly would have probably
avoided the problem:

    Robert''); DROP TABLE Students; --

though a more thorough check for questionable characters/sequences
would probably be a good idea.

But to answer your *real* question[1], you're screwed unless you can get
your management to fund real[2] code reviews of all the front-end web
applications that run on your server to make sure that nothing like the
above can sneak onto your server. (Sorry.)

That's one of the problems open-source code has created for us all:
there's *gobs* of free PHP, phpBB, phorm.php (PHPmail), etc., code
available out there for free, and you can't blame your users for trying
to save time by just grabbing huge hunks of it, dropping it on your
server, and whacking it as fast as possible into doing approximately
whatever their boss asked them to do on a ridiculous schedule. The
problem is that so much of the open-source code has these teensy little
security vulnerabilities the bad guys can drive a truck through, and
*you* don't have time to read it all before you allow it on your system!

Think I'm kidding? Why, just this week...

    http://isc.sans.org/diary.html?storyid=6649
    PHPMYADMIN scans
    Published: 2009-06-26,
    Last Updated: 2009-06-26 00:28:03 UTC
    by Mark Hofman (Version: 1) 

    http://isc.sans.org/diary.html?storyid=6634
    Exploit tools are publicly available for phpMyAdmin
    Published: 2009-06-24,
    Last Updated: 2009-06-24 16:42:44 UTC
    by Kyle Haugsness (Version: 1) 

    http://isc.sans.org/diary.html?storyid=6619
    phpMyAdmin Scans
    Published: 2009-06-21,
    Last Updated: 2009-06-23 12:47:11 UTC
    by Scott Fendley (Version: 2) 


-Rob

[1] Which I also face myself as a part-time volunteer sysadmin for a
    non-profit web site with lots of part-time volunteer PHP coders.
    [Problem: I don't know PHP! (*Ouch!*)]

[2] "Real" as in competent programmers in the language(s) in question
    actually reading & understanding other people's code, and who
    are rewarded for finding something substantive *wrong* with it.
    [As opposed to the check-off, feel-good shams that "code reviews"
    so often are these days.]

-----
Rob Warnock			<rpw3@rpw3.org>
627 26th Avenue			<URL:http://rpw3.org/>
San Mateo, CA 94403		(650)572-2607
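The three outcomes Rob's reply describes for the Bobby Tables input (raw splicing, quote-doubling, and a proper parameterized insert), as an added example that is not part of the original post. It uses Python's sqlite3 module rather than CLSQL, and the in-memory `Students` table and the `BOBBY` payload are constructed here for the demonstration.

```python
import sqlite3

# Constructed sample payload: the same string the post quotes from the xkcd strip.
BOBBY = "Robert'); DROP TABLE Students; --"


def fresh_db():
    """In-memory database with the one table the strip talks about."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Students (name TEXT)")
    return conn


def students_table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='Students'"
    ).fetchone()
    return row[0] == 1


def sql_escape(text):
    """Double every single quote, the standard way to put one inside a literal."""
    return text.replace("'", "''")


def insert_unsafe(conn, name):
    # The bug the strip depicts: untrusted text spliced straight into the SQL.
    # executescript runs every statement in the string, so the DROP executes.
    conn.executescript("INSERT INTO Students (name) VALUES ('" + name + "');")


def insert_escaped(conn, name):
    # Same splicing, but quotes are doubled first (the "Robert'');" form in the
    # post), so the whole payload stays inside one string literal.
    conn.executescript("INSERT INTO Students (name) VALUES ('" + sql_escape(name) + "');")


def insert_parameterized(conn, name):
    # Preferred: the driver passes the value separately; nothing to escape by hand.
    conn.execute("INSERT INTO Students (name) VALUES (?)", (name,))


def names(conn):
    return [r[0] for r in conn.execute("SELECT name FROM Students")]


def outcome(insert):
    """Run one insert strategy on BOBBY; report whether the table survived and its rows."""
    conn = fresh_db()
    insert(conn, BOBBY)
    alive = students_table_exists(conn)
    return alive, (names(conn) if alive else [])


if __name__ == "__main__":
    for fn in (insert_unsafe, insert_escaped, insert_parameterized):
        print(fn.__name__, outcome(fn))
```

The escaped and parameterized variants both store the payload as an ordinary name; only the raw concatenation loses the table.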