A Home cinema forum. HomeCinemaBanter


Echostar T-101



 
 
  #21  
Old July 23rd 09, 11:14 AM posted to uk.tech.digital-tv
Ivan[_2_]
external usenet poster
 
Posts: 646
Default Eternal September having troubles?


"Ivan" wrote in message
...

"widgitt" wrote in message
...

Interestingly, JVC now make two models (32" and 26") which have
integrated PVR hard drives and almost exactly the same menus and
operating system as the Humax Freeview PVRs



The model number of my Humax TV is LGB-22DZT... I wonder what the 'LG'
bit stands for.. It's difficult to tell who makes what nowadays i.e. on
the rear display area of a JVC flat screen TV I have, the name 'Samsung'
is prominently stamped in a couple of places.


Outlook express tells me there are syntax problems in the configuration and
my post can't be sent, with my message still remaining in the outbox, I
check the thread only to find that not only has it been sent, it has
appeared four times! They also weren't working for several hours
yesterday, anyone else experiencing similar problems?

  #22  
Old July 24th 09, 10:41 AM posted to uk.tech.digital-tv
Ivan[_2_]
external usenet poster
 
Posts: 646
Default Eternal September having troubles?


"Mike Henry" wrote in message
...
In , "Ivan"
wrote:

Outlook express tells me there are syntax problems in the configuration
and
my post can't be sent, with my message still remaining in the outbox, I
check the thread only to find that not only has it been sent, it has
appeared four times! They also weren't working for several hours
yesterday, anyone else experiencing similar problems?


Falsely telling the user that a post wasn't sent (when sometimes it
actually was) is a known bug in Outlook express going back many years that
MS just don't care about fixing.


It's still doing it despite me completely removing the account and
reinstalling it, I've never experienced any trouble at all until yesterday
here's the message box I receive when I post..

"Windows Mail could not post your message. Subject ' Rogues photos',
Account: 'news.eternal-september.org', Server: 'news.eternal-september.org',
Protocol: NNTP, Server Response: 'DBD::mysql::st execute failed: You have an
error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near ' AND
`ErrorCode` = 0' at line 1 at /etc/news/filter/filter_nnrpd.pl line 915.',
Port: 119, Secure(SSL): No, Error Number: 0x800CCCA9"..

Any clues please anyone?




  #23  
Old July 24th 09, 11:12 AM posted to uk.tech.digital-tv
David Taylor
external usenet poster
 
Posts: 236
Default Eternal September having troubles?

On 2009-07-24, Ivan wrote:

"Mike Henry" wrote in message
...
In , "Ivan"
wrote:

Outlook express tells me there are syntax problems in the configuration
and
my post can't be sent, with my message still remaining in the outbox, I
check the thread only to find that not only has it been sent, it has
appeared four times! They also weren't working for several hours
yesterday, anyone else experiencing similar problems?


Falsely telling the user that a post wasn't sent (when sometimes it
actually was) is a known bug in Outlook express going back many years that
MS just don't care about fixing.


It's still doing it despite me completely removing the account and
reinstalling it, I've never experienced any trouble at all until yesterday
here's the message box I receive when I post..

"Windows Mail could not post your message. Subject ' Rogues photos',
Account: 'news.eternal-september.org', Server: 'news.eternal-september.org',
Protocol: NNTP, Server Response: 'DBD::mysql::st execute failed: You have an
error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near ' AND
`ErrorCode` = 0' at line 1 at /etc/news/filter/filter_nnrpd.pl line 915.',
Port: 119, Secure(SSL): No, Error Number: 0x800CCCA9"..

Any clues please anyone?


You have a single quote ' character in your email address. It is not
outlook that is complaining, but news.eternal-september.org. It is running
a perl script that is accessing a MySQL server and performing an SQL query
involving your email address without escaping special characters (despite
the inbuilt features of the Perl DBD module designed to avoid this very
problem). As a result it chokes and sends Outlook the error message, which
fails to understand it and reports an error. However this is clearly
either happening after the message is posted, or is being ignored by the
server.

If you wish to be able to post through that server right now, I suggest
you remove the quotes from your email address and try again.

However, this means that the news server is almost certainly vulnerable to
an SQL injection attack. So, if you wish to be able to post through that
server in the future, I suggest you email their support somewhat urgently
and inform them that their service is highly insecure, before someone does
something unpleasant to their server (e.g., deleting their database,
stealing the usernames/passwords from their database, or potentially worse).

--
David Taylor
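
The failure described in the post above, reproduced as an added example (not code from the thread or from the server's filter script): a query built by string concatenation breaks on an address containing a single quote, while the same query with a bound placeholder does not. It uses Python's built-in sqlite3 in place of Perl DBI and MySQL so that it runs without a server; in Perl DBI the equivalent is a `?` placeholder in `prepare` with the value passed to `execute`. The table `posts`, the column `Sender` and the sample addresses are constructed; only the `ErrorCode` column name comes from the quoted error message.

```python
import sqlite3

# Constructed sample data. Only the `ErrorCode` column name comes from the
# error message in the thread; table `posts` and column `Sender` are assumed.
QUOTED = "pat.o'neil@example.invalid"
PLAIN = "ivan@example.invalid"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (Sender TEXT, ErrorCode INTEGER)")
    db.executemany("INSERT INTO posts VALUES (?, ?)",
                   [(QUOTED, 0), (PLAIN, 0), (PLAIN, 1)])
    return db

def count_concatenated(db, sender):
    # Flawed pattern: the address becomes part of the SQL text, so a quote
    # inside it ends the string literal early and the rest fails to parse.
    sql = ("SELECT COUNT(*) FROM posts WHERE Sender = '" + sender +
           "' AND ErrorCode = 0")
    return db.execute(sql).fetchone()[0]

def count_bound(db, sender):
    # Placeholder: the value travels separately from the SQL text, so its
    # content can never change how the statement is parsed.
    sql = "SELECT COUNT(*) FROM posts WHERE Sender = ? AND ErrorCode = 0"
    return db.execute(sql, (sender,)).fetchone()[0]

def try_query(func, db, sender):
    # Report the outcome instead of raising, the way the news server
    # passed the database error back to the client.
    try:
        return ("ok", func(db, sender))
    except sqlite3.Error as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    db = make_db()
    for sender in (PLAIN, QUOTED):
        print(sender, try_query(count_concatenated, db, sender),
              try_query(count_bound, db, sender))
```
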
  #24  
Old July 24th 09, 11:41 AM posted to uk.tech.digital-tv
Ivan[_3_]
external usenet poster
 
Posts: 2
Default Eternal September having troubles?


"David Taylor" wrote in message
...
On 2009-07-24, Ivan wrote:


If you wish to be able to post through that server right now, I suggest
you remove the quotes from your email address and try again.

However, this means that the news server is almost certainly vulnerable to
an SQL injection attack. So, if you wish to be able to post through that
server in the future, I suggest you email their support somewhat urgently
and inform them that their service is highly insecure, before someone does
something unpleasant to their server (e.g., deleting their database,
stealing the usernames/passwords from their database, or potentially
worse).



Many thanks, this has happened since 'eternal-september' superseded
'motzarella', they do appear to have a number of support NGs so I will ask
there.
I also have a Virgin/Blueyonder newsreader, the problem with that however is
that they include posters' IP address in the properties, which I don't happen
to think is exactly a good idea, is there any good reason 'why' they insist
on doing this, when hardly any other provider does?

  #25  
Old July 24th 09, 04:49 PM posted to uk.tech.digital-tv
Ivan[_2_]
external usenet poster
 
Posts: 646
Default Eternal September having troubles?




Thank you David that did cure the problem and as you suggested I also wrote
to eternal-september support who were very helpful and prompt, below is a
copy of their reply.
"David Taylor" wrote in message
...
On 2009-07-24, Ivan wrote:

It's still doing it despite me completely removing the account and
reinstalling it, I've never experienced any trouble at all until
yesterday
here's the message box I receive when I post..

"Windows Mail could not post your message. Subject ' Rogues photos',
Account: 'news.eternal-september.org', Server:
'news.eternal-september.org',
Protocol: NNTP, Server Response: 'DBD::mysql::st execute failed: You have
an
error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near ' AND
`ErrorCode` = 0' at line 1 at /etc/news/filter/filter_nnrpd.pl line
915.',
Port: 119, Secure(SSL): No, Error Number: 0x800CCCA9"..

Any clues please anyone?


You have a single quote ' character in your email address. It is not
outlook that is complaining, but news.eternal-september.org. It is
running
a perl script that is accessing a MySQL server and performing an SQL query
involving your email address without escaping special characters (despite
the inbuilt features of the Perl DBD module designed to avoid this very
problem). As a result it chokes and sends Outlook the error message,
which
fails to understand it and reports an error. However this is clearly
either happening after the message is posted, or is being ignored by the
server.

If you wish to be able to post through that server right now, I suggest
you remove the quotes from your email address and try again.

However, this means that the news server is almost certainly vulnerable to
an SQL injection attack. So, if you wish to be able to post through that
server in the future, I suggest you email their support somewhat urgently
and inform them that their service is highly insecure, before someone does
something unpleasant to their server (e.g., deleting their database,
stealing the usernames/passwords from their database, or potentially
worse).

"Ray Banana" wrote in message
...
"Windows Mail could not post your message. Subject ' Rogues photos',

Account: 'news.eternal-september.org', Server:
'news.eternal-september.org',
Protocol: NNTP, Server Response: 'DBD::mysql::st execute failed: You have
an
error in your SQL syntax; check the manual that corresponds to your MySQL
server version for the right syntax to use near ' AND
`ErrorCode` = 0' at line 1 at /etc/news/filter/filter_nnrpd.pl line
915.',
Port: 119, Secure(SSL): No, Error Number: 0x800CCCA9"..


Thanks for the heads-up. Will check what's gone wrong.

"You have a single quote ' character in your email address. It is not
outlook that is complaining, but news.eternal-september.org. It is
running
a perl script that is accessing a MySQL server and performing an SQL
query
involving your email address without escaping special characters (despite
the inbuilt features of the Perl DBD module designed to avoid this very
problem). As a result it chokes and sends Outlook the error message,
which
fails to understand it and reports an error. However this is clearly
either happening after the message is posted, or is being ignored by the
server.
If you wish to be able to post through that server right now, I suggest
you remove the quotes from your email address and try again.


Very concise and thorough error analysis.

However, this means that the news server is almost certainly vulnerable
to
an SQL injection attack. So, if you wish to be able to post through that
server in the future, I suggest you email their support somewhat urgently
and inform them that their service is highly insecure, before someone
does
something unpleasant to their server (e.g., deleting their database,
stealing the usernames/passwords from their database, or potentially
worse)."


But now s/he seems to be overwhelmed by their own competence. The only
thing you can possibly abuse this bug for is to receive syntax errors
from the database, which is bad enough, but there is certainly no way
you could execute any SQL statements on the database other than the ones
that are contained in the Perl filter. Before the script is called, the
From: header is checked for a valid internet mail address by the news
server, the script then parses the header for a valid mail address and
extracts it.
So there is no way to put SQL statements in your From: header
without either the server or the script rejecting your post because of
an invalid syntax in your mail address. Besides, the database user used
by the script only has SELECT, INSERT and UPDATE privileges for some
tables in the database, it can not drop databases or tables or delete
information from the tables.

Usernames/passwords are of course not contained in the database,
authentication data resides in a separate LDAP server.
The MySQL database is only used for persistent information on the number
of different mail addresses used by each user, the M-IDs of their
articles, in case they want to cancel any of them and the number of
connects per day.

--
Time flies like an arrow, fruit flies like a Banana.
http://www.eternal-september.org











  #26  
Old July 24th 09, 06:47 PM posted to uk.tech.digital-tv
David Taylor
external usenet poster
 
Posts: 236
Default Eternal September having troubles?

On 2009-07-24, Ivan wrote:



Thank you David that did cure the problem and as you suggested I also wrote
to eternal-september support who were very helpful and prompt, below is a
copy of their reply.

[snip]

They may well be correct. However, SQL injection attacks can and do lead
to compromised machines, depending on the circumstances.

--
David Taylor
  #27  
Old July 24th 09, 07:13 PM posted to uk.tech.digital-tv
Ivan[_2_]
external usenet poster
 
Posts: 646
Default Eternal September having troubles?


"David Taylor" wrote in message
...
On 2009-07-24, Ivan wrote:



Thank you David that did cure the problem and as you suggested I also
wrote
to eternal-september support who were very helpful and prompt, below is a
copy of their reply.

[snip]

They may well be correct. However, SQL injection attacks can and do lead
to compromised machines,
depending on the circumstances.



AKA Ivan (only the names have been changed, to protect the innocent)

Thus spake "Jimmy Dripper"


Thanks Ray for your very prompt response, 'tis all above my head I'm
afraid, that's why I asked on the NG after the problem occurred and
was at least pointed in the right direction with the suggestion to
remove the 'quote thingies' and contact support, I will post your
response and await the answer with interest.


I just deployed a temporary fix for the quote problem (wrong variable
used in SELECT statement), but will do a complete review of the filter
script, just to be on the safe side. A quick check of the logs shows
that you seem to have been the only one who triggered this bug, but it
started already on July 1, the date of the server transition, so I
have to check out all the scripts from version control system, as the
new servers don't seem to have the same software versions as the old
Motzarella servers :-(

--
Time flies like an arrow, fruit flies like a Banana.
http://www.eternal-september.org

  #28  
Old July 25th 09, 03:11 AM posted to uk.tech.digital-tv
UnsteadyKen[_2_]
external usenet poster
 
Posts: 245
Default Eternal September having troubles?

David Taylor wrote..


You have a single quote ' character in your email address.


The ' is not handled gracefully on the web in general.

My surname is O'Meara (NB, the e is silent)

I've given up using it as I got fed up being told:
"Your name is invalid" Yeah right!

--
Ken
http://unsteadyken.110mb.com/
 



