Saturday, June 20, 2009

QualNet (Scalable Networks Technologies) Website and Issues

I had a number of issues with the QualNet website, which ended up resulting in this email dated June 3rd to license@scalable-networks.com and evals@scalable-networks.com:

Dear Scalable Networks,

I recently signed up for a 30 day evaluation of QualNet. When I log in I get a welcome message that states the following:

"Thank you for evaluating QualNet. Your 30-day Evaluation License File has been generated and posted to your download page."

However, when I go to the download page and click the link to the license file (http://www.scalable-networks.com/distributions/download/license/evals/qualnet-4.5.1-eval-2009.07.03.lic) I am immediately redirected to the sitemap (http://www.scalable-networks.com/sitemap.php). Since I am on Linux/Firefox and was having other issues with your site (such as broken CSS suckerfish dropdown menus), I decided to try logging in on a Windows PC.

This attempt was even more broken/disturbing, [since] as soon as I logged in I received a non-html page that stated:

INSERT INTO ErrorLog (UID, address, SID, error, login, password) VALUES ('', '#.#.#.#', 'nodnhkck0rlkh0qc2442skijh5', 'Password is not correct', 'my@email.com', 'MyPassword'')

Subsequent attempts to log in on the Windows machine do not even take me to the login page, they simply show this SQL query. I initial[ly] thought my password was correct, however if you look closely there is an extra single quote at the end of it, which I must have hit while submitting the form with the enter key. I had to clear my cookies in order to be able to log in correctly. Unfortunately the license file link was still broken (as were the dropdown menus).

In summary:

1. Your CSS suckerfish dropdown menus have extra pixels [between] them and the popup which causes them to break in Linux and Windows Firefox.
2. You are likely not sanitizing your user input before inserting it in to your SQL database, which is a huge security hole.
3. You are storing your passwords in plain-text which is a very, very, bad practice. A simple SQL injection could potentially reveal every stored password.
4. You are sending passwords in plain-text over email which is not necessarily encrypted; this is also a very bad security practice.
5. And most importantly, I still cannot download my evaluation license file. Please let me know what I need to do to get this.


Thank You,

Clayton Shepard



P.S. http://xkcd.com/327/

(I apologize for the typos, noted in brackets. Clearly I removed my plaintext password, IP, and email.)


I guess I just find it ironic, and somewhat amusing, that a technology-oriented company has such glaring flaws with their website and security. In their defense they very promptly replied with the license file. Also, the SQL table was just the "ErrorLog", which means they could still be using a hash for the actual passwords somewhere else; arguably this is still a security threat though, since mistyped passwords are likely very close to the original. For obvious reasons I did not try a SQL injection attack, so I cannot verify whether or not that is actually a security hole (although my guess is that it is).
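An added example, not part of the original post and not the site's code: the ErrorLog statement quoted in the email, built once by string concatenation and once with bound parameters and no password column. It uses Python's sqlite3 as a stand-in database; the column types, function names and sample values are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample values standing in for the ones redacted in the post.
SAMPLE = {"uid": "", "address": "192.0.2.10", "sid": "constructed-session-id",
          "error": "Password is not correct", "login": "user@example.com",
          "password": "MyPassword'"}  # trailing quote, as in the email

def make_db():
    db = sqlite3.connect(":memory:")
    # Column names come from the statement in the email; the types are assumed.
    db.execute("CREATE TABLE ErrorLog (UID TEXT, address TEXT, SID TEXT, "
               "error TEXT, login TEXT, password TEXT)")
    return db

def log_failure_concatenated(db, e):
    """Weak form: values pasted into the SQL text, submitted password included."""
    sql = ("INSERT INTO ErrorLog (UID, address, SID, error, login, password) "
           "VALUES ('%s', '%s', '%s', '%s', '%s', '%s')" % (
               e["uid"], e["address"], e["sid"], e["error"],
               e["login"], e["password"]))
    try:
        db.execute(sql)
        return "ok"
    except sqlite3.Error as exc:
        # Never show `sql` to the user: it contains the submitted password.
        return "failed: %s" % exc

def log_failure_parameterized(db, e):
    """Hardened form: bound parameters, and the submitted password is not logged."""
    db.execute("INSERT INTO ErrorLog (UID, address, SID, error, login) "
               "VALUES (?, ?, ?, ?, ?)",
               (e["uid"], e["address"], e["sid"], e["error"], e["login"]))
    return "ok"

def logged_rows(db):
    return db.execute("SELECT login, error, password FROM ErrorLog").fetchall()

if __name__ == "__main__":
    db = make_db()
    print(log_failure_concatenated(db, SAMPLE))   # statement fails to parse
    print(log_failure_parameterized(db, SAMPLE))  # row is written
    print(logged_rows(db))                        # password column stays NULL
```

With the stray quote, the concatenated statement no longer parses and nothing is logged, while the parameterized one records the failed attempt without keeping the near-miss password.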


On an entirely different note, I was unable to get QualNet 4.5 running on Ubuntu 9.04 AMD64 because of library issues. In short they require gcc 4.0 and glibc2.3 or earlier to compile/install. Getting glibc2.3 to run on 9.04 is a huge pain. When asked, their official tech support reply is to use Ubuntu 6.06 :(. Unfortunate.


This reminds me of the MSDNAA (MSDN Academic Alliance) website which also sends plaintext passwords in emails. Sigh.
