Re: Why you should sanitize input data

2018-07-17 Thread Richard Gaskin via use-livecode
Bob Sneidar wrote:
> Judging by this, simply putting an SQL server behind a web server does
> not really protect the SQL server like some propose. Maybe I'm
> oversimplifying the issue, but it seems they are saying that using
> this method, shell commands can be executed, and that means access to

Re: Why you should sanitize input data

2018-07-16 Thread kee nethery via use-livecode
We had a system interface between a public web server and a SQL database that ran pre-formed SQL commands. The table was specified, the variables were typed, the output was processed by XSLT, etc. The public server called a function that included the variables and got back whatever the XSLT p

Re: Why you should sanitize input data

2018-07-16 Thread Brian Milby via use-livecode
It is all about input validation. Access to a SQL server is reasonable. Access to the shell is something that probably should be avoided. In either case you need to be sure the user/hacker cannot send requests that you do not allow.

Thanks,
Brian

On Jul 16, 2018, 9:51 AM -0500, Bob Sneidar via u

Re: Why you should sanitize input data

2018-07-16 Thread Bob Sneidar via use-livecode
Judging by this, simply putting an SQL server behind a web server does not really protect the SQL server like some propose. Maybe I'm oversimplifying the issue, but it seems they are saying that using this method, shell commands can be executed, and that means access to the sql database can be h

Why you should sanitize input data

2018-07-15 Thread J. Landman Gay via use-livecode
I suspect the paranoid among us already know this, but I didn't realize it was quite so easy:

https://null-byte.wonderhowto.com/how-to/use-command-injection-pop-reverse-shell-web-server-0185760/

--
Jacqueline Landman Gay | jac...@hyperactivesw.com
HyperActive Software |