Using offshore certified Microsoft partners? Beware of security holes

Microsoft Subnet was last week contacted by a reader from Croatia who was shocked to discover a gaping security hole in a product being sold worldwide by one of the country's premier Microsoft partners. The reader, Dalibor Vlaho, is a developer living and working in Croatia, who enjoys the occasional hack just to take a peek at how others approach various programming tasks. Croatia has a growing reputation as a hot spot for hiring U.S. offshore developers or bargain priced software-as-a-service.

One day he was looking around at a content management system (CMS) from a large Croatian Microsoft Certified Partner that offers its CMS app online via a Web portal written in PHP and running on MySQL, says Vlaho. (We're not naming the company because Microsoft Subnet was not able to contact it and give the company a chance to comment. However, if you are contemplating hiring an offshore company in Croatia for CMS hosting, drop us an e-mail and we'll hook you up with more info.)

Vlaho wanted to see if the CMS was vulnerable to SQL injection. It was. Within five minutes of playing with the login form, he was able to access the administration panel, and at that point the custom application served up the entire database: he had access to all the content belonging to the 50 or so customers, he says.

Even more curious, the offshore company was hosting its own CMS, and more, on the same server. So the company's own data was exposed, and the shared host left it open to attacks reaching beyond the database itself, Vlaho said.

"I can't understand how developers who work in such a big company like [name removed] can write such BAD CODE!" says Vlaho. "A login like admin'/* will do the job in the login part of the [name of product removed] script. A couple of lines of code would solve the problem, but in this script they don't even know the problem exists."
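To make concrete what Vlaho is describing, here is an added example (not code from the product or from Vlaho) showing the pattern behind the bypass and the fix he says would take a couple of lines. The user table, its rows and the login strings are constructed for the example; SQLite is used so it runs offline, and like MySQL it treats `/*` as the start of a comment, so the login `admin'/*` turns the rest of the WHERE clause, including the password check, into a comment. The parameterised version binds the input as data, so the same string is simply a user name that does not exist.

```python
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for the CMS database.

    Passwords are kept in plain text only to keep the example short; a real
    store would hold a salted password hash and compare against that.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret-pw', 'administrator')")
    conn.execute("INSERT INTO users VALUES ('editor', 'other-pw', 'editor')")
    return conn


def login_vulnerable(conn, username, password):
    """The broken pattern: user input is pasted straight into the SQL text.

    With username = "admin'/*" the statement becomes
        ... WHERE username = 'admin'/* AND password = '...'
    and everything after /* is a comment, so the password is never checked.
    Returns (username, role) on success, None on failure.
    """
    sql = (
        "SELECT username, role FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """The fix: a parameterised query.

    The SQL text is fixed; the driver sends the values separately, so a quote
    or comment marker in the input is just part of the string being compared.
    Returns (username, role) on success, None on failure.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Constructed login attempt using the same string Vlaho quotes.
    print("vulnerable:", login_vulnerable(db, "admin'/*", "not-the-password"))
    print("safe:      ", login_safe(db, "admin'/*", "not-the-password"))
    print("safe, real creds:", login_safe(db, "admin", "s3cret-pw"))
```

Run stand-alone, the vulnerable function returns the administrator row without a valid password, while the parameterised function returns nothing for the same input and only succeeds with the real credentials. The fix is exactly the kind of "couple of lines" change mentioned above: keep the SQL text constant and pass every user-supplied value as a bound parameter.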

The moral of the story is common sense but worth repeating: the Microsoft Certified Partner designation (perhaps particularly when applied to an offshore company) isn't protection enough against bad, vulnerable code. The truth is that such code is everywhere. The SQL injection vulnerability remains ridiculously common despite the massive publicity about what it is and how to avoid it.





Copyright © 2009 IDG Communications, Inc.