Fedora rejects SQLninja

Posted Nov 10, 2010 17:40 UTC (Wed) by frnknstn (subscriber, #68647)
Parent article: Fedora rejects SQLninja

The text supplied is perfectly reasonable. If a tool's only foreseeable purposes are illegal, then discretion is very much a virtue.

However, as reflected in these minutes, that case does not apply to SQLninja. Other uses that are clearly not illegal were discussed, so why are they rejecting this package?


Fedora rejects SQLninja

Posted Nov 10, 2010 18:00 UTC (Wed) by JoeBuck (subscriber, #2330) [Link]

No matter; those who have a use for it will get it from rpmfusion or some other third-party repository. I'm sure that Red Hat Legal had something to do with this; they may fear legal liability (and perhaps they are being overly cautious).

Fedora rejects SQLninja

Posted Nov 10, 2010 18:29 UTC (Wed) by gus3 (guest, #61103) [Link]

As indicated in the minutes, SQLninja is actively branded on its homepage as "a SQL Server injection *and takeover* tool".

If you need SQLninja to take over a system, odds are approaching 1 that you don't have access rights to it anyway.

Fedora rejects SQLninja

Posted Nov 10, 2010 21:40 UTC (Wed) by ballombe (subscriber, #9523) [Link]

You do not feel tempted to use it on your own servers to check whether they can be subverted?

Fedora rejects SQLninja

Posted Nov 11, 2010 7:40 UTC (Thu) by codefisher (guest, #64993) [Link]

About to download it now for that very purpose, see if I can break into my own server. If it turns out I can, I am going to be changing settings till it will no longer work.

Fedora rejects SQLninja

Posted Nov 11, 2010 9:15 UTC (Thu) by dlang (✭ supporter ✭, #313) [Link]

This is exactly the wrong way to provide security. You are looking to fix the symptom instead of fixing the underlying problem.

Once the tool no longer works, you may or may not have actually fixed the real problem; all that you know is that this particular tool no longer works.

If you have a problem with SQL injection, you don't need a 'takeover' tool to show you that, you just need a fuzzing tool and watch your database logs for strange errors.

If you do have a SQL injection vulnerability, what you need to do is go back and look at your application design and how you are doing input validation and how you are interacting with the database (sanitization of database query parameters, switching to prepared statements, etc.) and fix the problem at a conceptual level. That way you not only defend against this particular tool, you also defend against the entire class of tools that send you bogus input in the hope that it breaks you.

If you have this in place and a fuzzing tool still shows problems, then you have a bug in your input validation code, which means it's time to go back and really review the code, not just twist knobs until you don't see the breakage anymore.
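
The point made in the comment above, that a string-built query is the root cause and a prepared statement the fix, and that a simple fuzz pass plus database errors is enough to find it, as an added example (not part of the LWN thread and not sqlninja's own code). It uses an in-memory SQLite database as a stand-in for the MS SQL Server that sqlninja targets; the table, the two users and the three fuzz payloads are constructed for the example.

```python
"""Added example: SQL injection in a string-built login query, the same
query as a prepared statement, and a small fuzz loop that classifies each
payload as a bypass, a database error, or harmless.  SQLite stands in for
MS SQL Server; the data and payloads below are constructed, not real."""
import sqlite3

# Constructed sample data (hypothetical users, not from any real system).
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed fuzz payloads: a tautology, a comment-out, and a bare quote.
PAYLOADS = ["' OR '1'='1", "alice' --", "'"]


def make_db():
    """Create the in-memory table with the sample users loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, name, password):
    """The broken pattern: untrusted input is spliced into the SQL text,
    so a quote in the input ends the literal and the rest becomes SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_fixed(conn, name, password):
    """Prepared statement: the input travels as bound data, never as SQL,
    so the same payloads are compared as literal strings and match nothing."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def fuzz(login, conn):
    """Run every payload through both input fields of a login function.

    Returns {(field, payload): outcome} where outcome is
      'bypass' - a user came back although the password was wrong,
      'error'  - the database rejected the statement (the 'strange errors'
                 a fuzz run leaves in the database log),
      'ok'     - no rows and no error.
    """
    results = {}
    for payload in PAYLOADS:
        for field in ("name", "password"):
            args = ("alice", payload) if field == "password" else (payload, "wrongpassword")
            try:
                rows = login(conn, *args)
                results[(field, payload)] = "bypass" if rows else "ok"
            except sqlite3.OperationalError:
                results[(field, payload)] = "error"
    return results


if __name__ == "__main__":
    db = make_db()
    for fn in (login_vulnerable, login_fixed):
        print(fn.__name__)
        for key, outcome in sorted(fuzz(fn, db).items()):
            print("  %-8s %-14r %s" % (key[0], key[1], outcome))
```

Against `login_vulnerable`, the tautology in the password field and the comment-out in the name field both return a user with a wrong password, and the bare quote produces a syntax error in either field. The tautology in the name field happens to fail because `AND` binds tighter than `OR`, which is exactly why a tool that stops "working" proves nothing: the hole is still there, only that one payload missed it. Against `login_fixed` every payload is `ok`.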

Fedora rejects SQLninja

Posted Nov 11, 2010 16:21 UTC (Thu) by gidoca (subscriber, #62438) [Link]

You are right /if/ you know that you have a SQL injection. However, if you're not sure, you might just introduce one and see if you can break in using sqlninja. After all, being able to get full access to a server by exploiting a SQL injection is pretty serious. If you can, IMHO you better do something about it, even if you don't currently vulnerable to SQL injections. Like, for instance, move away from MS SQL Server (which seems to be the only SQL server sqlninja supports).

Fedora rejects SQLninja

Posted Nov 11, 2010 16:23 UTC (Thu) by gidoca (subscriber, #62438) [Link]

I meant to say: "...even if your software isn't vulnerable to..."

Fedora rejects SQLninja

Posted Nov 12, 2010 19:22 UTC (Fri) by till (subscriber, #50712) [Link]

The takeover tool comes in handy to demonstrate to developers how bad SQL injections can be. If they see how easily one can be used to gain full access to a system, they will more likely be more cautious in the future.

Fedora rejects SQLninja

Posted Nov 11, 2010 13:16 UTC (Thu) by Trou.fr (subscriber, #26289) [Link]

Believe it or not, some people out there get their systems audited, and pentesters actually do break into systems legally. Most penetration tools are actually written by people trying to do their job more efficiently.

Fedora rejects SQLninja

Posted Nov 10, 2010 18:31 UTC (Wed) by jspaleta (subscriber, #50639) [Link]

I expect there to be further discussion along these lines. When a tool can be used for both legal and illegal purposes, how do you judge whether the technology is too risky to include?

A policy such as this needs to be balanced with some specific tests concerning likely or foreseeable use to put some guidance in place for the packaging community and for future Board members into the very subjective discretionary space this policy carves out.

This would be easier if the Fedora Board were a legally binding court of law in some jurisdiction. If they were, the Board's resulting policy statement would help clarify risks. But since they aren't, this policy has to be viewed in the light of an ongoing risk-management conversation.

-jef

Fedora rejects SQLninja

Posted Nov 11, 2010 9:14 UTC (Thu) by pcampe (guest, #28223) [Link]

> I expect there to be further discussion along these lines. When a tool can
> be used for both legal and illegal purposes, how do you judge whether the
> technology is too risky to include?

The point is the definition of "illegal", because circumventing the censorship in Iran or China is illegal, and China is a major country (note that the rule is about "major jurisdictions" and not democracies, quite a big difference in the context).

According to this rule, we could devise a "Fedora China", with tor and many other packages stripped off: which is disgusting, really.

Fedora rejects SQLninja

Posted Nov 11, 2010 13:40 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

If you call it Fedora something, you need Fedora Board to approve it which wouldn't happen without strong reasons and sufficient justification.

Fedora rejects SQLninja

Posted Nov 11, 2010 14:07 UTC (Thu) by pcampe (guest, #28223) [Link]

When I fear a "Fedora China", I fear something made by the Fedora Board to comply with some "major jurisdiction".

Fedora rejects SQLninja

Posted Nov 11, 2010 17:43 UTC (Thu) by rahulsundaram (subscriber, #21946) [Link]

It is never "some major jurisdiction". It is clearly defined. Fedora is sponsored by Red Hat and Red Hat is a U.S. organization.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds