And for the record, the text following the donor's name was time= which is part of the text file's layout.
The donation feed looks something like this:
count=166691&sum=15814216.0400&donors=Joe|Blow|City|State&time=1197869200
Maybe the donor had an & in their name which should have been encoded. I won't worry about it unless the campaign tells us to worry.
Your logic is flawed. If someone wanted to do an attack like this, they would have to leave a lot of doubt, otherwise there would be no debate, we would know that an attack had occurred.
I think we have to find out if somebody saw the surge and pulled the plug using the massive activity as a smokescreen. It seems odd the way donations froze and jumped around.
"This world in arms is not spending money alone. It is spending the sweat of its laborers, the genius of its scientists, the hopes of its children." -Dwight D. Eisenhower, April 16, 1953
The db probably exports an XML file to the widget using some sort of web service. Guaranteed there is a layer between the db and the widget. The widget probably never even gets close to the db.
but could someone capture all the names?
0 years programmer here.
Ya'll are impressive with this discussion.
Thank you (13 year programmer myself). People here seem to think a lot of goofy things about how secure their data is because the "professionals" are on the job. The real professionals know that screw ups are very common, especially when under constant, absurd deadlines to get things done. I'm not saying that anything happened here, but you're being naive if you think there's nothing to worry about.
What does Flash have to do with it? The characters were put into the database that way on the donor page. It was copied to the Flash object after the fake hack donation was accepted. It's only incidental that it was copied to the front page, because whoever did it was a bit of an idiot and didn't mark the "don't show my name on front page". We only hope it didn't work.
I think it just jumped AGAIN. This time forward by... A LOT.
Now reading $18,080,000.
could these just be CC traders again?
Agreed. I've seen some stuff happen because people just assumed that since it was a reliable application, there were no problems. Saw a case of SQL injection in a minor intranet product that allowed someone to log in as a superuser. Thank goodness it was behind the firewall and only available to company people. It was fixed rather quickly though once found.
Want to help Dr. Paul's campaign? Canvass! Learn how at http://www.ronpaulreveres.com/
Want to coordinate your canvassing? Become a Precinct Leader! http://voters.ronpaul2008.com/grassroots/
Rough Draft: Final Notice of Fiscal Burden
http://www.ronpaulforums.com/showthread.php?t=92802
JPEG Graphic of Final Notice of Fiscal Burden http://www.ronpaulforums.com/showthread.php?t=96659
I wonder what the gambling sites, who must hate things like this, are going to do. It seems pretty obvious we went well over 6 million, but I wonder if there will be a payout delay.
it's back up to 18 million.
maybe we really did make it before 11:59PM, and the servers just locked up?
You people are really making me feel great. Thanks for making me worry about getting robbed now.
I don't know crap about this stuff but if it showed up on the widget thing I would think if it was someone hacking something they must have done a sloppy job for it to show up on that where you could see it.....
I GOT MY BUSINESS MANAGEMENT SCIENCE DEGREE IN MY HANDS AND RAN!!!!!!! THEY'RE NEVER GETTING IT BACK!!!!!!!!!
"It is dissent from government policies that defines the true patriot and champion of liberty."
- Ron Paul
Why would the app even allow any other characters other than letters? I mean some basic input verification code would take care of that.
The widget utilizes the following delimiters:
&^|
Maybe they don't strip all these as they should? None of these characters are evil, they are only potential problems because the programmers chose to use them as delimiters for the fund-raising widget, and even then it's only a cosmetic problem. Yes it's possible something malicious happened, but it's also very possible it was a cosmetic quirk.
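Added example (not the widget's or the campaign's code): a Python sketch of the feed layout quoted earlier in the thread, assuming '^' separates donor records (the post lists the delimiters without saying which is which), showing how an unencoded '&' in a name shifts the fields and how percent-encoding each field keeps the layout intact.

```python
from urllib.parse import quote, unquote

# Layout as described in the thread: '&' separates key=value pairs and
# '|' separates a donor's fields.  Assumption: '^' (the third delimiter
# the post lists) separates one donor record from the next.
RECORD_SEP, FIELD_SEP, PAIR_SEP = "^", "|", "&"

def build_feed(count, total, donors, ts, encode=True):
    """Render the feed line; donors is a list of (first, last, city, state).
    With encode=True every field is percent-encoded, so a name containing
    '&', '|' or '^' can no longer be mistaken for a delimiter."""
    enc = (lambda s: quote(s, safe="")) if encode else (lambda s: s)
    recs = RECORD_SEP.join(FIELD_SEP.join(enc(f) for f in d) for d in donors)
    return f"count={count}&sum={total:.4f}&donors={recs}&time={ts}"

def parse_feed(line):
    """Split a feed line back into a dict; 'donors' becomes a list of tuples.
    A fragment without '=' (what a stray '&' in a name produces) is dropped,
    which is why that donor's fields end up shifted or missing."""
    kv = {}
    for pair in line.split(PAIR_SEP):
        if "=" in pair:
            key, value = pair.split("=", 1)
            kv[key] = value
    kv["donors"] = [tuple(unquote(f) for f in rec.split(FIELD_SEP))
                    for rec in kv.get("donors", "").split(RECORD_SEP)]
    return kv

# Constructed sample donors; the '&' in the second name is the case the
# thread speculates about.
DONORS = [("Joe", "Blow", "City", "State"),
          ("A&B", "Smith", "Springfield", "IL")]

def demo():
    """Return (parsed encoded feed, raw unencoded feed, parsed unencoded feed)."""
    good = parse_feed(build_feed(166691, 15814216.04, DONORS, 1197869200))
    naive = build_feed(166691, 15814216.04, DONORS, 1197869200, encode=False)
    return good, naive, parse_feed(naive)

if __name__ == "__main__":
    good, naive, bad = demo()
    print(naive)
    print("encoded  :", good["donors"][1])   # ('A&B', 'Smith', 'Springfield', 'IL')
    print("unencoded:", bad["donors"][1])    # ('A',)
```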
Well, if you had just maxed out your credit card you wouldn't have to worry about this.
Assumptions made in programming can lead to disastrous results. "Gee, this is a basic item, I'm sure someone already coded for it."
Why would the app even allow any other characters other than letters? I mean some basic input verification code would take care of that.
Here's my final answer. The widget was acting crazy. Now ronpaulgraphs is showing some 0's. I think the web service crashed, started reporting reverted numbers, then came back on line when it redid some math.
That doesn't look like SQL injection. It looks like it's probably Shockwave Flash ActionScript. That's probably what the widget displays when the site is down. It looks more like what a pointer would be in Flash. I don't actually know anything about Flash programming, but this is a PRETTY GOOD GUESS.
Last edited by legion; 12-16-2007 at 11:58 PM.
Don't see anything there that actually looks like a SQL injection attack. If this was somebody attempting a hack, it doesn't look like they had any idea how to go about it.
Also, on most systems there's a pretty easy defense against such an attack - just use real parameters instead of constructing a dynamic SQL string. This is web security 101. Do it this way, and whatever string gets passed in gets saved to the database, period.
Lots of programmers fail to do this, but I kinda suspect we've got better people than that involved here.
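Added example (not the campaign's code) of the point made above: an in-memory sqlite3 table shaped like the donor record, with the dynamic-string insert beside the parameterized one, fed a constructed name that contains an apostrophe and the widget's own delimiters.

```python
import sqlite3

def setup():
    """Create an in-memory table shaped like the donor record in the feed."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE donors (first TEXT, last TEXT, city TEXT, state TEXT)")
    return con

def insert_dynamic(con, first, last, city, state):
    """The 'dynamic SQL string' approach: values are spliced into the statement
    text, so an apostrophe in an ordinary surname already breaks the query."""
    sql = f"INSERT INTO donors VALUES ('{first}', '{last}', '{city}', '{state}')"
    con.execute(sql)

def insert_parameterized(con, first, last, city, state):
    """Real parameters: the driver sends the values separately from the SQL,
    so whatever string arrives is stored verbatim, delimiters and quotes included."""
    con.execute("INSERT INTO donors VALUES (?, ?, ?, ?)", (first, last, city, state))

# Constructed sample donor: an apostrophe plus the widget's own delimiters.
DONOR = ("A&B|C", "O'Brien", "City", "State")

def demo():
    """Return (did the dynamic insert succeed, rows stored via parameters)."""
    con = setup()
    dynamic_ok = True
    try:
        insert_dynamic(con, *DONOR)
    except sqlite3.OperationalError:   # sqlite reports: syntax error near "Brien"
        dynamic_ok = False
    insert_parameterized(con, *DONOR)
    rows = con.execute("SELECT first, last, city, state FROM donors").fetchall()
    return dynamic_ok, rows

if __name__ == "__main__":
    ok, rows = demo()
    print("dynamic insert succeeded:", ok)   # False
    print("stored rows:", rows)              # [('A&B|C', "O'Brien", 'City', 'State')]
```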
Time constraints... and accidental oversight. They are the killers in the programming world. The major thing is that major mistakes are rarely publicized, because of how badly they would impact the business and the customers' impression of how secure their transactions are. The speed at which changes have been made to the servers, the site, widgets, etc... all lead to potential holes that hackers love to try and find.
Been programming since 1972..... started with Navy mainframes and worked up from there.
I was worried from the start, there would be a 'Denial of Service' attack and people wouldn't be able to donate.
There are ways to keep bots from crashing servers that way, but does anybody know if the RonPaul2008.com site has protection from this kind of attack?
Last edited by Dr.3D; 12-17-2007 at 12:04 AM.
Numbers did move back in one glimpse just below 18 range, I'm pretty sure I saw that.
And by the way, it was clearly a feed format or widget parsing problem (maybe some character like '&' in the name etc). Nothing to worry about.