Cannot login after applying filter?

Jun 25, 2008 at 1:50 PM
Rodney,

I would like to start by thanking you for your hard work putting this filter together, and I have to say that this has been of great use to me and my company. We offer hosting services, and our heads have been spinning with the latest SQL injection, and about all we can offer our customers as a solution is telling them to have their Developers fix their code.

We ran across your filter about 2 weeks ago, and we have been tracking your threads, checking responses, beta testing the filter internally, etc. I finally started pushing this out to a few of our production customers that were being injected so fast they didn't have room to even breathe, much less correct any code, in between attacks.

So far so good, we haven't had a single SQL Injection since we set this up, but one of the websites we are using this on is not able to log in. We have created a test account, and I can post or e-mail you the login info if you can possibly look at it for us. The page uses classic ASP, and when we try to log in the page just refreshes, obviously sanitizing the data that should be allowed to pass through the back end.

Yesterday we ran some tests and disabled the filter; sure enough, logins were working seamlessly when it was disabled (although in the 10 seconds it was off the DB was SQL Injected, so we quickly had to restore from backup, and until the Developers can finish securing their code we have no other option but to leave your filter running).

Is this something that you could possibly look into for us?

Thanks a million, even if you can't help with this situation your filter has been invaluable to us and I want you to know we absolutely appreciate your time and efforts!

KR
Coordinator
Jun 26, 2008 at 10:04 PM

Hi Keith,

I am afraid you have to customize your login page. You can send me the code privately and, though I cannot guarantee anything, I will try to help with it.

Coordinator
Jul 5, 2008 at 6:21 AM
Edited Jul 5, 2008 at 6:25 AM

Hi Keith,

Thanks for sending your code. You are emulating SOAP calls in classic ASP. I am taking it into consideration for the next version. As soon as I have a working set to include your exception I will post it here.

Thanks,

Rodney

Jul 8, 2008 at 5:57 PM
Rodney,

Thanks a ton for your time and feedback; I look forward to the latest version.

Sincerely,
KR
Jul 9, 2008 at 2:55 PM
Rodney,

I am going to take down the code example that is at http://www.thenetworksource.com, just an FYI; let me know if you need a copy of this or anything set up to test the code (such as access to the site, snippets of code, etc.). I have informed our customer that you were going to try to incorporate a fix into your next release, and they asked me to give you their thanks as well for your time reviewing the custom code/application, but also just for the SQL Injection filter itself. It really has been a great tool for our customers that just need a little breathing room while their Developers address security issues in their code.

Thanks,
KR