Occasionally, the JoS Forums throw up an error - and the SQL statement that failed is part of the error.
This error does give some idea about the FogBugz DB Structure. Can this information be abused?
Discuss!
SELECT Parent.ixDiscussTopic AS ixDiscussTopic, Parent.sHeadline AS sHeadline, Parent.sFullName AS sFullName, Person.sFullName AS sFullNameAuth, Parent.ixArea as ixArea, Parent.sUniqueID As sUniqueID, Parent.nRemoteIP1 As nRemoteIP1, Parent.nRemoteIP2 As nRemoteIP2, Parent.nRemoteIP3 As nRemoteIP3, sum(CASE WHEN (Child.ixDiscussTopic Is Null Or (Child.ixArea <> ? And Child.sUniqueID <> ? And (Child.nRemoteIP1 <> ? Or Child.nRemoteIP2 <> ? Or Child.nRemoteIP3 <> ?))) THEN 0 ELSE 1 END) as cReplies FROM (DiscussTopic as Parent LEFT JOIN DiscussTopic as Child ON Parent.ixDiscussTopic = Child.ixDiscussTopicParent) LEFT JOIN Person ON Parent.ixPerson = Person.ixPerson WHERE Parent.ixDiscussGroup = ? AND Parent.ixDiscussTopicParent = 0 AND DATEDIFF(day, Parent.dt, '2005-08-24 12:56:40') <= 13 GROUP BY Parent.ixDiscussTopic, Parent.sHeadline, Parent.sFullName, Parent.dt, Parent.ixArea, Person.sFullName, Parent.sUniqueID, Parent.nRemoteIP1, Parent.nRemoteIP2, Parent.nRemoteIP3 ORDER BY Parent.dt
Daddy's Invisible House
iFAQ
I will do bananas.
Asteroids
Youtube Videos
Deleted Posts Today (∞)
[2] Days Since Muppet erased this area and the tag-line and put something totally unfunny in its place.
Geez, I can't go away from this place for even a day, without disaster happening. Sheesh!
FogBugz Internal Error DB Structure Information
forThis.Anon August 24th, 2005
It gives a pretty good idea of the field naming conventions, so if there's any vulnerability to a SQL injection attack it may cut down the work required to find ineteresting stuff -- I'm guessing Person.sPassword is probably in there somewhere -- and you may be able to pass some duff values into the ASP URL parameter and see some internal forums that you shouldn't be looking at.
One thing it *does* tell us is that whoever designed those tables joins the ranks of the large number of people who completely misunderstood the point of Hungarian notation. :)
One thing it *does* tell us is that whoever designed those tables joins the ranks of the large number of people who completely misunderstood the point of Hungarian notation. :)
If there is a way to interact with the DB out side of what the interface was designed for, yes. But provided that all avenues of interaction with the DB through the user interface are properly locked down, the info is useless.
It generally speaking not a good thing though, because there may be non obvious, non trivial ways to get to the database that the developer missed.
It generally speaking not a good thing though, because there may be non obvious, non trivial ways to get to the database that the developer missed.
Eric Debois August 24th, 2005
>joins the ranks of the large number of people who
have not read http://www.joelonsoftware.com/articles/FogBugzIII.html
have not read http://www.joelonsoftware.com/articles/FogBugzIII.html
forThis.Anon August 24th, 2005
It's not like you couldn't just get yourself a FogBugz license and see all the same information (and more) in your own install, or anything.
Kevin August 24th, 2005
This topic was orginally posted to the off-topic forum of the
Joel on Software discussion board.
Other topics: August, 2005
Recent topics