Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 637402 (sqlninja) - Review Request: sqlninja - A tool for SQL server injection and takeover
Summary: Review Request: sqlninja - A tool for SQL server injection and takeover
Keywords:
Status: CLOSED ERRATA
Alias: sqlninja
Product: Fedora
Classification: Fedora
Component: Package Review
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Hicham HAOUARI
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: perl-NetPacket
Blocks: FE-SECLAB
TreeView+ depends on / blocked
 
Reported: 2010-09-25 14:31 UTC by Arun S A G
Modified: 2014-09-26 12:03 UTC (History)
11 users (show)

Fixed In Version: sqlninja-0.2.6-0.2.rc2.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-09-25 03:31:39 UTC
Type: ---
Embargoed:
hicham.haouari: fedora-review+
gwync: fedora-cvs+


Attachments (Terms of Use)

Description Arun S A G 2010-09-25 14:31:27 UTC
Spec URL: http://sagarun.fedorapeople.org/SPECS/sqlninja.spec
SRPM URL: http://sagarun.fedorapeople.org/SRPMS/sqlninja-0.2.5-1.fc13.src.rpm
Description: 
Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal
is to provide remote access to vulnerable DB server.

Comment 1 Hicham HAOUARI 2010-09-29 21:49:24 UTC
As per our discussion on IRC, I will look If the binary can be built on Fedora. Otherwise, I don't think we can ship them.

Comment 2 Arun S A G 2010-09-30 18:30:24 UTC
Now binaries are no longer included.

Spec URL: http://sagarun.fedorapeople.org/SPECS/sqlninja.spec
SRPM URL: http://sagarun.fedorapeople.org/SRPMS/sqlninja-0.2.5-2.fc13.src.rpm

Comment 3 Arun S A G 2010-10-04 02:18:56 UTC
Ok , i removed all the binary files. What about including text files in http://sqlninja.svn.sourceforge.net/viewvc/sqlninja/scripts/ ? Any clues? Is it allowed to include those *.scr files?

Comment 4 Hicham HAOUARI 2010-10-04 09:21:23 UTC
I would like to have Fedora Legal point of view on this before starting a review. Maybe we should cc spot.

Comment 5 Arun S A G 2010-10-04 20:41:49 UTC
(In reply to comment #4)
> I would like to have Fedora Legal point of view on this before starting a
> review. Maybe we should cc spot.

Yes. Please do. How long it takes for Fedora-Legal folks to respond?

Comment 6 Arun S A G 2010-10-16 15:15:04 UTC
ping.

Comment 7 Hicham HAOUARI 2010-10-17 16:43:14 UTC
No answer from FE-LEGAL yet.

Comment 8 d. johnson 2010-11-14 05:28:10 UTC
See https://fedoraproject.org/wiki/Meeting:Board_meeting_2010-11-08#Basic_Information_2 for reference.

"# We won't allow the SQLninja package to be added to Fedora. (unanimous) "

Comment 9 Arun S A G 2010-11-14 06:08:20 UTC
(In reply to comment #8)
> See
> https://fedoraproject.org/wiki/Meeting:Board_meeting_2010-11-08#Basic_Information_2
> for reference.
> 
> "# We won't allow the SQLninja package to be added to Fedora. (unanimous) "

Ok.

Comment 10 Tom "spot" Callaway 2010-11-15 13:58:18 UTC
Reopening, as it is likely that the board will consider this again.

Comment 11 Tom "spot" Callaway 2011-02-21 21:42:25 UTC
Upon further review, the Legal block on sqlninja is lifted.

Comment 12 Hicham HAOUARI 2011-02-21 23:59:54 UTC
Thank you spot, I will review this package ASAP

Comment 13 Hicham HAOUARI 2011-02-22 01:09:51 UTC
@Arun,

Did you try to build the winodws binaries using mingw ?

Comment 14 Hicham HAOUARI 2011-02-22 02:17:51 UTC
hmm, Churrasco binary depends on DTC stuff which can't be shipped in fedora.

Comment 15 Hicham HAOUARI 2011-03-21 23:51:35 UTC
@Arun,

The software would be still useful without the binaries ?

Comment 16 Arun S A G 2011-03-22 03:24:31 UTC
(In reply to comment #15)
> @Arun,
> 
> The software would be still useful without the binaries ?

Yes! The software supports multiple modes, one of the mode is upload mode. Binaries are required for only upload mode. If the user wants to use upload mode, he can manually download these binaries.

Also please look into the scripts directory, the files under the scripts directory qualify as a binary?

Comment 17 Hicham HAOUARI 2011-03-22 11:27:23 UTC
(In reply to comment #16)
> (In reply to comment #15)
> > @Arun,
> > 
> > The software would be still useful without the binaries ?
> 
> Yes! The software supports multiple modes, one of the mode is upload mode.
> Binaries are required for only upload mode. If the user wants to use upload
> mode, he can manually download these binaries.
> 
> Also please look into the scripts directory, the files under the scripts
> directory qualify as a binary?

Of course not.

I am not sure if the tarball needs to be cleaned up from the binaries though, I will look more into that.

Comment 18 Hicham HAOUARI 2011-06-14 14:22:09 UTC
* BuildRoot and %clean are no longer needed unless you want use the spec in EPEL
* %{_sysconfdir}/%{name}.conf is listed twice
* License is GPLv2+
* Only Churrasco source have unclear license, so we need to ship a cleaned up tarball
* The other two binaries can be built on Fedora, and thus can be shipped, I will help with that if needed

Comment 19 Arun S A G 2011-07-03 12:33:31 UTC
Hi Hicham,

I reviewed this package. 

1. There seems to be a mismatch in fsf address, i have asked the upstream to fix that https://sourceforge.net/tracker/?func=detail&aid=3351225&group_id=152677&atid=785062

2. I don't see source code for nc.exe (netcat). 

How are you planning on to cross compile the payloads? mingw32?

Comment 21 Hicham HAOUARI 2011-07-10 10:46:44 UTC
(In reply to comment #19)
> Hi Hicham,
> 
> I reviewed this package. 
> 
> 1. There seems to be a mismatch in fsf address, i have asked the upstream to
> fix that
> https://sourceforge.net/tracker/?func=detail&aid=3351225&group_id=152677&atid=785062
> 
> 2. I don't see source code for nc.exe (netcat). 
> 
> How are you planning on to cross compile the payloads? mingw32?

Yes, and it will be a separate package

Comment 22 Arun S A G 2011-08-26 05:35:51 UTC
ping?

Comment 23 Hicham HAOUARI 2011-08-26 13:49:03 UTC
(In reply to comment #22)
> ping?

The spec looks fine. So it is

APPROVED

Comment 24 Arun S A G 2011-08-26 18:04:50 UTC
New Package SCM Request
=======================
Package Name: sqlninja
Short Description: A tool for SQL server injection and takeover
Owners: sagarun
Branches: F-14 F-15 F-16
InitialCC: shakthimaan

Comment 25 Gwyn Ciesla 2011-08-26 18:35:13 UTC
Git done (by process-git-requests).

Comment 26 Fedora Update System 2011-09-04 05:08:16 UTC
sqlninja-0.2.6-0.2.rc2.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/sqlninja-0.2.6-0.2.rc2.fc14

Comment 27 Fedora Update System 2011-09-04 05:09:40 UTC
sqlninja-0.2.6-0.2.rc2.fc15 has been submitted as an update for Fedora 15.
https://admin.fedoraproject.org/updates/sqlninja-0.2.6-0.2.rc2.fc15

Comment 28 Fedora Update System 2011-09-04 05:10:50 UTC
sqlninja-0.2.6-0.2.rc2.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/sqlninja-0.2.6-0.2.rc2.fc16

Comment 29 Fedora Update System 2011-09-06 18:11:05 UTC
sqlninja-0.2.6-0.2.rc2.fc16 has been pushed to the Fedora 16 testing repository.

Comment 30 Fedora Update System 2011-09-25 03:31:32 UTC
sqlninja-0.2.6-0.2.rc2.fc14 has been pushed to the Fedora 14 stable repository.

Comment 31 Fedora Update System 2011-09-25 03:51:23 UTC
sqlninja-0.2.6-0.2.rc2.fc15 has been pushed to the Fedora 15 stable repository.

Comment 32 Fedora Update System 2011-09-30 18:42:45 UTC
sqlninja-0.2.6-0.2.rc2.fc16 has been pushed to the Fedora 16 stable repository.

Comment 33 Fabian Affolter 2014-09-25 19:10:57 UTC
Package Change Request
======================
Package Name: sqlninja
New Branches: el6 epel7
Owners: fab
InitialCC:

Comment 34 Gwyn Ciesla 2014-09-26 12:03:05 UTC
Git done (by process-git-requests).


Note You need to log in before you can comment on or make changes to this bug.