The answers to your Security Questions are case sensitive and cannot contain special characters like an apostrophe, or the words “insert,” “delete,” “drop,” “update,” “null,” or “select.”
good? bad?
Well bad if such attempts to hack the database work...
A little less bad if proper escaping of SQL parameters is actually done on query execution - but in that case, why even advertise such things to customers?
Peter Mescalchin - 14th May 2010 00:58
omg
zomg - 14th May 2010 04:17
Also when selecting your security questions, your first roommate shouldn't be named Robert'); DROP TABLE Customer;--
huxley - 14th May 2010 04:28
Fortunately it looks like they're using it as a primitive spam or hacking filter, not that little Bobby Tables will ruin your finances. (If you're using those words, you're trying to mess with their system.)
Erik Vorhes - 14th May 2010 04:42
Heh, they forgot about "truncate", "grant", "lock", and "rename".
/me makes a note to never use Sacramento CU
I recognise this problem! I'm guessing they have mod_security for Apache installed and badly configured, and this is a workaround until they can get someone in to fix it.
Well, that explains the banned words, anyway. The apostrophe is far more worrying.
Yoz - 14th May 2010 10:03
It might not be mod_security: while their main site runs Apache, the headers for signing up for a bank account report ASP.NET on IIS 6.
Hopefully still just a poorly configured security filter issue as opposed to a serious security chasm ...
huxley - 14th May 2010 16:53
The correct way to handle Bobby Tables: http://bobby-tables.com/
Andy Lester - 14th May 2010 20:38
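The thread's point (Peter's comment on escaping and Andy's bobby-tables link) as an added Python/sqlite3 example, not code from the page or from the credit union: it reproduces the form's word filter, lists the legitimate answers it would refuse, and shows that a parameterized query stores Bobby Tables' roommate verbatim with the table intact. The matching rule (case-insensitive substring), the function names and the table layout are assumptions; only the `Customer` table name comes from huxley's comment.

```python
import sqlite3

# The word list and the apostrophe rule are quoted from the sign-up form.
# How the words are matched is not stated on the page; case-insensitive
# substring matching is assumed here.
BANNED_WORDS = ("insert", "delete", "drop", "update", "null", "select")

def blacklist_rejects(answer: str) -> bool:
    """Reproduce the form's filter: refuse apostrophes and the banned words."""
    lowered = answer.lower()
    return "'" in answer or any(word in lowered for word in BANNED_WORDS)

def false_positives(answers):
    """Legitimate answers the filter would refuse (collateral damage)."""
    return [a for a in answers if blacklist_rejects(a)]

def open_db() -> sqlite3.Connection:
    """In-memory database with a constructed Customer table (assumed layout)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customer (id INTEGER PRIMARY KEY, answer TEXT NOT NULL)")
    return conn

def store_answer(conn: sqlite3.Connection, answer: str) -> int:
    """Parameterized insert: the answer travels as a bound value, so no quote
    or keyword inside it can alter the statement the database executes."""
    cur = conn.execute("INSERT INTO Customer (answer) VALUES (?)", (answer,))
    conn.commit()
    return cur.lastrowid

def answer_matches(conn: sqlite3.Connection, customer_id: int, candidate: str) -> bool:
    """Parameterized lookup at login time; the comparison is exact and case sensitive."""
    row = conn.execute("SELECT answer FROM Customer WHERE id = ?", (customer_id,)).fetchone()
    return row is not None and row[0] == candidate

def table_exists(conn: sqlite3.Connection) -> bool:
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = 'Customer'"
    ).fetchone()
    return row is not None

if __name__ == "__main__":
    conn = open_db()
    bobby = "Robert'); DROP TABLE Customer;--"   # huxley's roommate, stored as data
    cid = store_answer(conn, bobby)
    print(table_exists(conn), answer_matches(conn, cid, bobby))
    print(false_positives(["O'Brien", "Selectric", "Nullarbor", "Dropmore", "Alice"]))
```

With the query parameterized, the filter buys nothing against injection and only costs the customers whose honest answers happen to contain an apostrophe or a substring like "null".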