Comments on: Techsoup Hit By SQL Injection Attack

By: Allan Benamer

Allan Benamer — Sat, 16 Aug 2008 08:46:14 +0000

@Donald Lobo: Sorry for the delay in posting your comment — it turns out your comment got sent to spam. WP saw the multiple links and freaked out.

By: Donald Lobo

Donald Lobo — Tue, 12 Aug 2008 21:20:25 +0000

Some tech readers might also be interested in more details at:

http://it.slashdot.org/article.pl?sid=08/08/12/1943217
http://www.trustedsource.org/blog/142/New-SQL-Injection-Attack-Infecting-Machines

Basically a lot of coldfusion / mssql sites are open to attack. You can find more information about the attack by searching for vernyx

By: Allan Benamer

Allan Benamer — Thu, 07 Aug 2008 18:56:26 +0000

@Marnie Webb: Yeah, I’m glad you’re trying to fix it but a security audit can take forever. No way to revert to an old version of the code and data or afraid it would just be attacked again? I really urge and implore you to consider those guidelines for notification. I can’t say how important it is to reach your user community in as many offline ways as possible to ensure that your users are adequately notified.

@Jon Stahl: I guess you’re right. I’m wondering if it’s not already time to switch over to something open source for Techsoup. There are plenty of new frameworks out there for Techsoup to choose but I’m sure there’s a pretty huge sunk cost that they’d have to think about.

That said, Techsoup is a utility in the nonprofit community now. It occupies a central portion of the nonprofit IT director’s time. It needs more uptime and I think an open source community development effort would work. I would think plenty of folks would pitch in to help out if Techsoup’s code was on an SVN or git repository out there.

By: Jon Stahl

Jon Stahl — Thu, 07 Aug 2008 18:31:44 +0000

Disappointing, but sadly, not surprising. Techsoup’s codebase is pretty old, and was written before awareness of these issues was as widespread as it is now.

I wouldn’t be surprised to see a lot more attacks like this in the future against large nonprofit targets, since many of them are running similarly old, large custom apps and are tempting targets.

By: marnie webb

marnie webb — Thu, 07 Aug 2008 12:31:57 +0000

Sorry for the additional comment: we are also keeping http://www.techsoup.org up-to-date so that we can share information as we have it. The full text of the message you quoted is there.

By: marnie webb

marnie webb — Thu, 07 Aug 2008 12:29:19 +0000

Marnie Webb, here, co-CEO of TechSoup. Thanks, Allan, for helping to spread the word and advising users to make password changes (below the portion of our message that you quoted). We will, of course, be providing more information to our users through different channels. However, as we are still working on the issues, we wanted to share as quickly as possible and so posted the information on our landing page.