FogBugz Internal Error DB Structure Information

Occasionally, the JoS Forums throw up an error - and the SQL statement that failed is part of the error.

This error does give some idea about the FogBugz DB Structure. Can this information be abused?


SELECT Parent.ixDiscussTopic AS ixDiscussTopic, Parent.sHeadline AS sHeadline, Parent.sFullName AS sFullName, Person.sFullName AS sFullNameAuth, Parent.ixArea as ixArea, Parent.sUniqueID As sUniqueID, Parent.nRemoteIP1 As nRemoteIP1, Parent.nRemoteIP2 As nRemoteIP2, Parent.nRemoteIP3 As nRemoteIP3, sum(CASE WHEN (Child.ixDiscussTopic Is Null Or (Child.ixArea <> ? And Child.sUniqueID <> ? And (Child.nRemoteIP1 <> ? Or Child.nRemoteIP2 <> ? Or Child.nRemoteIP3 <> ?))) THEN 0 ELSE 1 END) as cReplies FROM (DiscussTopic as Parent LEFT JOIN DiscussTopic as Child ON Parent.ixDiscussTopic = Child.ixDiscussTopicParent) LEFT JOIN Person ON Parent.ixPerson = Person.ixPerson WHERE Parent.ixDiscussGroup = ? AND Parent.ixDiscussTopicParent = 0 AND DATEDIFF(day, Parent.dt, '2005-08-24 12:56:40') <= 13 GROUP BY Parent.ixDiscussTopic, Parent.sHeadline, Parent.sFullName, Parent.dt, Parent.ixArea, Person.sFullName, Parent.sUniqueID, Parent.nRemoteIP1, Parent.nRemoteIP2, Parent.nRemoteIP3 ORDER BY Parent.dt
August 24th, 2005
It gives a pretty good idea of the field naming conventions, so if there's any vulnerability to a SQL injection attack it may cut down the work required to find interesting stuff -- I'm guessing Person.sPassword is probably in there somewhere -- and you may be able to pass some duff values into the ASP URL parameter and see some internal forums that you shouldn't be looking at.

One thing it *does* tell us is that whoever designed those tables joins the ranks of the large number of people who completely misunderstood the point of Hungarian notation. :)
August 24th, 2005
If there is a way to interact with the DB outside of what the interface was designed for, yes. But provided that all avenues of interaction with the DB through the user interface are properly locked down, the info is useless.

It is, generally speaking, not a good thing though, because there may be non-obvious, non-trivial ways to get to the database that the developer missed.
August 24th, 2005
>joins the ranks of the large number of people who

have not read http://www.joelonsoftware.com/articles/FogBugzIII.html
August 24th, 2005
It's not like you couldn't just get yourself a FogBugz license and see all the same information (and more) in your own install, or anything.
August 24th, 2005
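
An added example, not part of the thread and not FogBugz code: the error behaviour discussed above next to a handler that keeps the failed SQL in the server log and shows the visitor only a reference id. The function names, the shortened query, and the in-memory sqlite3 schema are constructed for illustration; only the column names are borrowed from the statement quoted in the first post.

```python
import logging
import sqlite3
import uuid

log = logging.getLogger("forum")

# Constructed query reusing a few column names from the leaked statement.
TOPIC_SQL = (
    "SELECT ixDiscussTopic, sHeadline FROM DiscussTopic "
    "WHERE ixDiscussGroup = ? AND ixDiscussTopicParent = 0 ORDER BY dt"
)

def make_db(with_dt_column):
    """Constructed in-memory schema; leaving out dt makes TOPIC_SQL fail."""
    conn = sqlite3.connect(":memory:")
    cols = ("ixDiscussTopic INTEGER, sHeadline TEXT, "
            "ixDiscussGroup INTEGER, ixDiscussTopicParent INTEGER")
    if with_dt_column:
        cols += ", dt TEXT"
    conn.execute(f"CREATE TABLE DiscussTopic ({cols})")
    conn.execute(
        "INSERT INTO DiscussTopic (ixDiscussTopic, sHeadline, ixDiscussGroup, "
        "ixDiscussTopicParent) VALUES (1, 'Hello', 7, 0)"
    )
    return conn

def topics_page_verbose(conn, group_id):
    """Weak form: the driver error and the failed SQL reach the visitor."""
    try:
        rows = conn.execute(TOPIC_SQL, (group_id,)).fetchall()
    except sqlite3.Error as exc:
        return 500, f"Internal error: {exc}\n{TOPIC_SQL}"
    return 200, "\n".join(headline for _, headline in rows)

def topics_page_hardened(conn, group_id):
    """Same query; detail is logged server-side under a reference id."""
    try:
        rows = conn.execute(TOPIC_SQL, (group_id,)).fetchall()
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s error=%s sql=%s params=%r",
                  ref, exc, TOPIC_SQL, (group_id,))
        return 500, f"Internal error. Quote reference {ref} when reporting it."
    return 200, "\n".join(headline for _, headline in rows)
```

The reference id lets whoever reads the server log match a visitor's report to the logged statement without the schema ever appearing in the response.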

