On Sat, 31 Mar 2012 21:57:03 -0300, Clark Morris wrote:
>
>While z/OS is probably immune to executables being introduced from
>outside, how vulnerable is a web server to outside attack (Apache,
>Websphere, etc.)?  Java on the server side is effectively executable
>code.  If dynamic SQL is allowed, I understand (but don't know for
>certain) there are various interesting exploits. There is the story
>about little Bobby Tables.  SQL injection is apparently a problem that
>I would assume could afflict DB2 under some circumstances.  In short,
>as I understand it, there are some vulnerabilities that do not require
>machine language executable code.
> 
While Little Bobby Tables is only a comic strip episode, I'm confident
that various forms of code injection have been attempted and
likely some have succeeded.  Read all the alerts about buffer
overruns.

Apache invites coding CGI scripts in Rexx.  Such scripts should
avoid INTERPRET of a client-supplied string.  Validating such a
string with a script on the client side is pointless.

-- gil
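An added example (not gil's code, nor anything from the IBM-MAIN archive): a small Rexx CGI skeleton that shows the INTERPRET-of-client-input pattern beside the hardened form, where validation happens on the server and the client string is only ever compared against a fixed list of actions. It assumes the web server exposes QUERY_STRING through the ENVIRONMENT pool (Regina, ooRexx, z/OS Unix System Services) and uses a constructed query string so it runs offline.

```rexx
/* REXX CGI fragment: added example, not code from the post. Assumes the  */
/* server exposes QUERY_STRING in the ENVIRONMENT pool (Regina, ooRexx,   */
/* z/OS USS); a constructed query string is used so it runs offline.      */
query = 'action=list&dsn=USER1.TEST.CNTL'
/* query = value('QUERY_STRING',,'ENVIRONMENT')   -- real CGI input      */
say 'Content-type: text/plain'
say ''
/* Pick the parameters we know out of the name=value pairs, decoding each */
action = ''; dsn = ''
do while query \== ''
  parse var query pair '&' query
  parse var pair name '=' val
  val = urldecode(val)
  if translate(name) == 'ACTION' then action = val
  if translate(name) == 'DSN' then dsn = val
end
/* UNSAFE pattern (kept as a comment): the browser now chooses what Rexx  */
/* executes, and a client-side check cannot stop a request that never     */
/* went through the form:     interpret 'call' action dsn                 */
/* Hardened: validate on the server, then dispatch through a fixed list   */
/* of actions; no client-supplied string is ever executed as code.        */
dsn = translate(dsn)                        /* fold to upper case         */
okchars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.@#$-'
if dsn == '' | length(dsn) > 44 | verify(dsn, okchars) > 0 then do
  say 'Rejected: dataset name fails validation'
  exit 4
end
select
  when action == 'list' then say 'Would list members of' dsn
  when action == 'info' then say 'Would show attributes of' dsn
  otherwise say 'Rejected: unknown action'
end
exit 0
/* Decode %xx escapes and '+' in one query-string value.                  */
urldecode: procedure
  parse arg s
  s = translate(s, ' ', '+')
  out = ''
  do while pos('%', s) > 0
    p = pos('%', s)
    if length(s) >= p + 2 & datatype(substr(s, p + 1, 2), 'X') then do
      out = out || left(s, p - 1) || x2c(substr(s, p + 1, 2))
      s = substr(s, p + 3)
    end
    else do                                 /* malformed escape: keep it */
      out = out || left(s, p)
      s = substr(s, p + 1)
    end
  end
  return out || s
```

The dataset-name character set and 44-byte limit are the only checks shown; a production script would also enforce qualifier length and the caller's access rights before touching the dataset.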

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: INFO IBM-MAIN
