Eternal September having troubles?
"Ivan" wrote in message ... "widgitt" wrote in message ... Interestingly, JVC now make two models (32" and 26") which have integrated PVR hard drives and almost exactly the same menus and operating system as the Humax Freeview PVRs

The model number of my Humax TV is LGB-22DZT... I wonder what the 'LG' bit stands for.. It's difficult to tell who makes what nowadays i.e. on the rear display area of a JVC flat screen TV I have, the name 'Samsung' is prominently stamped in a couple of places.

Outlook Express tells me there are syntax problems in the configuration and my post can't be sent, with my message still remaining in the outbox, I check the thread only to find that not only has it been sent, it has appeared four times! They also weren't working for several hours yesterday, anyone else experiencing similar problems?
Eternal September having troubles?
"Mike Henry" wrote in message ... In , "Ivan" wrote: Outlook Express tells me there are syntax problems in the configuration and my post can't be sent, with my message still remaining in the outbox, I check the thread only to find that not only has it been sent, it has appeared four times! They also weren't working for several hours yesterday, anyone else experiencing similar problems?

Falsely telling the user that a post wasn't sent (when sometimes it actually was) is a known bug in Outlook Express going back many years that MS just don't care about fixing.

It's still doing it despite me completely removing the account and reinstalling it, I've never experienced any trouble at all until yesterday here's the message box I receive when I post..

"Windows Mail could not post your message. Subject ' Rogues photos', Account: 'news.eternal-september.org', Server: 'news.eternal-september.org', Protocol: NNTP, Server Response: 'DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' AND `ErrorCode` = 0' at line 1 at /etc/news/filter/filter_nnrpd.pl line 915.', Port: 119, Secure(SSL): No, Error Number: 0x800CCCA9"..

Any clues please anyone?
Eternal September having troubles?
On 2009-07-24, Ivan wrote:
"Mike Henry" wrote in message ... In , "Ivan" wrote: Outlook Express tells me there are syntax problems in the configuration and my post can't be sent, with my message still remaining in the outbox, I check the thread only to find that not only has it been sent, it has appeared four times! They also weren't working for several hours yesterday, anyone else experiencing similar problems?

Falsely telling the user that a post wasn't sent (when sometimes it actually was) is a known bug in Outlook Express going back many years that MS just don't care about fixing.

It's still doing it despite me completely removing the account and reinstalling it, I've never experienced any trouble at all until yesterday here's the message box I receive when I post..

"Windows Mail could not post your message. Subject ' Rogues photos', Account: 'news.eternal-september.org', Server: 'news.eternal-september.org', Protocol: NNTP, Server Response: 'DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' AND `ErrorCode` = 0' at line 1 at /etc/news/filter/filter_nnrpd.pl line 915.', Port: 119, Secure(SSL): No, Error Number: 0x800CCCA9"..

Any clues please anyone?

You have a single quote ' character in your email address. It is not Outlook that is complaining, but news.eternal-september.org. It is running a Perl script that is accessing a MySQL server and performing an SQL query involving your email address without escaping special characters (despite the inbuilt features of the Perl DBD module designed to avoid this very problem). As a result it chokes and sends Outlook the error message, which fails to understand it and reports an error. However this is clearly either happening after the message is posted, or is being ignored by the server.

If you wish to be able to post through that server right now, I suggest you remove the quotes from your email address and try again.

However, this means that the news server is almost certainly vulnerable to an SQL injection attack. So, if you wish to be able to post through that server in the future, I suggest you email their support somewhat urgently and inform them that their service is highly insecure, before someone does something unpleasant to their server (e.g., deleting their database, stealing the usernames/passwords from their database, or potentially worse).

-- David Taylor
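
The failure described in the post above, next to the DBI placeholder feature it alludes to, as an added example that is not part of the thread and is not Eternal September's filter script. It assumes DBD::SQLite is installed and uses an in-memory SQLite database as a stand-in for MySQL; the `posts` table, the `Sender` column and the addresses are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Stand-in for the server's MySQL database: in-memory SQLite (needs DBD::SQLite).
# Table and column names are hypothetical, apart from ErrorCode, which appears
# in the error message quoted in the thread.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
                       { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE posts (Sender TEXT, ErrorCode INTEGER)');

# Constructed sample addresses; the second contains a single quote.
my @senders = ('alice@example.invalid', q{o'meara@example.invalid});
my $ins = $dbh->prepare('INSERT INTO posts (Sender, ErrorCode) VALUES (?, 0)');
$ins->execute($_) for @senders;

# Unsafe: the address is interpolated into the SQL text, so a quote in the
# data ends the string literal early and the rest is parsed as SQL.
sub count_interpolated {
    my ($addr) = @_;
    my $sql = "SELECT COUNT(*) FROM posts WHERE Sender = '$addr' AND ErrorCode = 0";
    return scalar $dbh->selectrow_array($sql);
}

# Safe: the ? placeholder sends the address as a bound value, never as SQL.
sub count_bound {
    my ($addr) = @_;
    my $sql = 'SELECT COUNT(*) FROM posts WHERE Sender = ? AND ErrorCode = 0';
    return scalar $dbh->selectrow_array($sql, undef, $addr);
}

for my $addr (@senders) {
    # RaiseError turns the driver's syntax error into an exception.
    my $unsafe = eval { count_interpolated($addr) };
    # Log the driver error server-side; do not relay it to the client.
    my $unsafe_result = defined $unsafe ? "count=$unsafe" : 'SQL error';
    printf "%-28s interpolated: %-10s bound: count=%d\n",
        $addr, $unsafe_result, count_bound($addr);
}
```

The address without a quote works either way; the one with a quote raises a syntax error in the interpolated query and is counted correctly by the bound query.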
Eternal September having troubles?
"David Taylor" wrote in message ... On 2009-07-24, Ivan wrote: If you wish to be able to post through that server right now, I suggest you remove the quotes from your email address and try again. However, this means that the news server is almost certainly vulnerable to an SQL injection attack. So, if you wish to be able to post through that server in the future, I suggest you email their support somewhat urgently and inform them that their service is highly insecure, before someone does something unpleasant to their server (e.g., deleting their database, stealing the usernames/passwords from their database, or potentially worse).

Many thanks, this has happened since 'eternal-september' superseded 'motzarella', they do appear to have a number of support NGs so I will ask there.

I also have a Virgin/Blueyonder newsreader, the problem with that however is that they include posters' IP address in the properties, which I don't happen to think is exactly a good idea, is there any good reason 'why' they insist on doing this, when hardly any other provider does?
Eternal September having troubles?
Thank you David that did cure the problem and as you suggested I also wrote to eternal-september support who were very helpful and prompt, below is a copy of their reply.

"David Taylor" wrote in message ... On 2009-07-24, Ivan wrote: It's still doing it despite me completely removing the account and reinstalling it, I've never experienced any trouble at all until yesterday here's the message box I receive when I post..

"Windows Mail could not post your message. Subject ' Rogues photos', Account: 'news.eternal-september.org', Server: 'news.eternal-september.org', Protocol: NNTP, Server Response: 'DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' AND `ErrorCode` = 0' at line 1 at /etc/news/filter/filter_nnrpd.pl line 915.', Port: 119, Secure(SSL): No, Error Number: 0x800CCCA9"..

Any clues please anyone?

You have a single quote ' character in your email address. It is not Outlook that is complaining, but news.eternal-september.org. It is running a Perl script that is accessing a MySQL server and performing an SQL query involving your email address without escaping special characters (despite the inbuilt features of the Perl DBD module designed to avoid this very problem). As a result it chokes and sends Outlook the error message, which fails to understand it and reports an error. However this is clearly either happening after the message is posted, or is being ignored by the server.

If you wish to be able to post through that server right now, I suggest you remove the quotes from your email address and try again.

However, this means that the news server is almost certainly vulnerable to an SQL injection attack. So, if you wish to be able to post through that server in the future, I suggest you email their support somewhat urgently and inform them that their service is highly insecure, before someone does something unpleasant to their server (e.g., deleting their database, stealing the usernames/passwords from their database, or potentially worse).

"Ray Banana" wrote in message ...

"Windows Mail could not post your message. Subject ' Rogues photos', Account: 'news.eternal-september.org', Server: 'news.eternal-september.org', Protocol: NNTP, Server Response: 'DBD::mysql::st execute failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ' AND `ErrorCode` = 0' at line 1 at /etc/news/filter/filter_nnrpd.pl line 915.', Port: 119, Secure(SSL): No, Error Number: 0x800CCCA9"..

Thanks for the heads-up. Will check what's gone wrong.

"You have a single quote ' character in your email address. It is not Outlook that is complaining, but news.eternal-september.org. It is running a Perl script that is accessing a MySQL server and performing an SQL query involving your email address without escaping special characters (despite the inbuilt features of the Perl DBD module designed to avoid this very problem). As a result it chokes and sends Outlook the error message, which fails to understand it and reports an error. However this is clearly either happening after the message is posted, or is being ignored by the server. If you wish to be able to post through that server right now, I suggest you remove the quotes from your email address and try again.

Very concise and thorough error analysis.

However, this means that the news server is almost certainly vulnerable to an SQL injection attack. So, if you wish to be able to post through that server in the future, I suggest you email their support somewhat urgently and inform them that their service is highly insecure, before someone does something unpleasant to their server (e.g., deleting their database, stealing the usernames/passwords from their database, or potentially worse)."

But now s/he seems to be overwhelmed by their own competence. The only thing you can possibly abuse this bug for is to receive syntax errors from the database, which is bad enough, but there is certainly no way you could execute any SQL statements on the database other than the ones that are contained in the Perl filter. Before the script is called, the From: header is checked for a valid internet mail address by the news server, the script then parses the header for a valid mail address and extracts it. So there is no way to put SQL statements in your From: header without either the server or the script rejecting your post because of an invalid syntax in your mail address.

Besides, the database user used by the script only has SELECT, INSERT and UPDATE privileges for some tables in the database, it can not drop databases or tables or delete information from the tables. Usernames/passwords are of course not contained in the database, authentication data resides in a separate LDAP server. The MySQL database is only used for persistent information on the number of different mail addresses used by each user, the M-IDs of their articles, in case they want to cancel any of them and the number of connects per day.

-- Time flies like an arrow, fruit flies like a Banana. http://www.eternal-september.org
Eternal September having troubles?
On 2009-07-24, Ivan wrote:
Thank you David that did cure the problem and as you suggested I also wrote to eternal-september support who were very helpful and prompt, below is a copy of their reply. [snip]

They may well be correct. However, SQL injection attacks can and do lead to compromised machines, depending on the circumstances.

-- David Taylor
Eternal September having troubles?
"David Taylor" wrote in message ... On 2009-07-24, Ivan wrote: Thank you David that did cure the problem and as you suggested I also wrote to eternal-september support who were very helpful and prompt, below is a copy of their reply. [snip] They may well be correct. However, SQL injection attacks can and do lead to compromised machines, depending on the circumstances.

AKA Ivan (only the names have been changed, to protect the innocent:)

Thus spake "Jimmy Dripper" Thanks Ray for your very prompt response, 'tis all above my head I'm afraid, that's why I asked on the NG after the problem occurred and was at least pointed in the right direction with the suggestion to remove the 'quote thingies' and contact support, I will post your response and await the answer with interest.

I just deployed a temporary fix for the quote problem (wrong variable used in SELECT statement), but will do a complete review of the filter script, just to be on the safe side. A quick check of the logs shows that you seem to have been the only one who triggered this bug, but it started already on July 1, the date of the server transition, so I have to check out all the scripts from version control system, as the new servers don't seem to have the same software versions as the old Motzarella servers :-(

-- Time flies like an arrow, fruit flies like a Banana. http://www.eternal-september.org
Eternal September having troubles?
David Taylor wrote..
You have a single quote ' character in your email address.

The ' is not handled gracefully on the web in general. My surname is O'Meara (NB, the e is silent) I've given up using it as I got fed up being told: "Your name is invalid" Yeah right!

-- Ken http://unsteadyken.110mb.com/
HomeCinemaBanter.com