On 21/08/2010 13:04, Yawar Khan wrote:
> Wesley, no I am not using SQL bindings, what are the security holes?
> 
> You haven't told me why my sessions are getting mixed up here?

Felix has.


p

> ________________________________
> From: Wesley Acheson <wesley.ache...@gmail.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Sent: Sat, August 21, 2010 3:16:23 PM
> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
> 
> On Sat, Aug 21, 2010 at 6:54 AM, Yawar Khan <khanya...@yahoo.com> wrote:
> 
>> Chris, you identified a possible SQL injection in my code and declared it
>> a very bad piece of code, despite the fact that JDBC does not allow more
>> than 1 query on this execute function and I am doing field validation
>> before submission of the form.
>>
> JavaScript / ECMAScript and any client-side scripting are completely
> bypassable and offer no security.
> http://www.xs4all.nl/~sbpoley/webmatters/formval.html
> 
> So field validation doesn't help you. Also anyone can post to your servlets.
> 
> Are you using bindings for your SQL? I see security holes here but don't
> have time for a use case.
> 
> 
> 
>>
>> Is there another genuine threat or bug that you identified and would like
>> to share? Please do, I am sharing the udac source code as well.
>>
>>
>> Wesley, your comments are also welcome; somebody also asked what will
>> happen in case udac.login throws an exception; well, exception handling is
>> inside this class. Sorry but I missed that email so I am unable to name
>> that gentleman friend.
>>
>> package org.mcb.services;
>>
>> import java.text.*;
>> import java.util.*;
>> import java.sql.*;
>> import javax.servlet.http.HttpSession;
>>
>> public class udac
>> {
>>     static Connection currentCon = null;
>>     static ResultSet rs = null;
>>
>>     public static userbean login(userbean bean) {
>>         // preparing some objects for connection
>>         Statement stmt = null;
>>         String userid = bean.getUserId();
>>         String password = bean.getPassword();
>>         String epass = null;
>>         String name = null;
>>         String user_id = null;
>>         String role_id = null;
>>         String branch_code = null;
>>         String last_login = null;
>>         String role_desc = null;
>>         try {
>>             // passwordservices is a class which has functions to encrypt a
>>             // string and return back the string.
>>             epass = passwordservices.getInstance().encrypt(password);
>>         } catch (Exception e) {
>>             System.out.println(e);
>>         }
>>         String searchQuery = "SELECT a.USER_ID, a.NAME, a.BRANCH_CODE, "
>>             + "a.PASSWORD, a.LAST_LOGIN_DATE, a.ROLE_ID, b.ROLE_DESC "
>>             + "FROM LOGIN_INFORMATION a, ROLES b "
>>             + "WHERE a.ACTIVE = 'A' AND a.ROLE_ID = b.ROLE_ID ";
>>         searchQuery = searchQuery + "AND LOWER(a.USER_ID) = LOWER('" + userid
>>             + "') AND a.PASSWORD = '" + epass + "'";
>>         try {
>>             // connect to DB: connectionmanager is a class which contains
>>             // connection functions
>>             currentCon = connectionmanager.scgm_conn();
>>             stmt = currentCon.createStatement();
>>             rs = stmt.executeQuery(searchQuery);
>>             boolean hasdata = false;
>>             while (rs.next()) {
>>                 hasdata = true;
>>                 name = rs.getString("NAME");
>>                 user_id = rs.getString("USER_ID");
>>                 branch_code = rs.getString("BRANCH_CODE");
>>                 role_id = rs.getString("ROLE_ID");
>>                 last_login = rs.getString("LAST_LOGIN_DATE");
>>                 role_desc = rs.getString("ROLE_DESC");
>>                 bean.setName(name);
>>                 bean.setUserId(user_id);
>>                 bean.setBranch(branch_code);
>>                 bean.setRole(role_id);
>>                 bean.setLastLogin(last_login);
>>                 bean.setRoleDesc(role_desc);
>>                 bean.setValid(true);
>>             }
>>             if (!hasdata) {
>>                 System.out.println("Sorry, you are not a registered user! "
>>                     + "Please sign up first " + searchQuery);
>>                 bean.setValid(false);
>>             }
>>         } catch (Exception ex) {
>>             System.out.println("Log In failed: An Exception has occurred! "
>>                 + ex);
>>         }
>>         // some exception handling
>>         finally {
>>             if (rs != null) {
>>                 try {
>>                     rs.close();
>>                 } catch (Exception e) {}
>>                 rs = null;
>>             }
>>
>>             if (stmt != null) {
>>                 try {
>>                     stmt.close();
>>                 } catch (Exception e) {}
>>                 stmt = null;
>>             }
>>
>>             if (currentCon != null) {
>>                 try {
>>                     currentCon.close();
>>                 } catch (Exception e) {
>>                 }
>>                 currentCon = null;
>>             }
>>         }
>>         return bean;
>>     }
>> }
>>
>> ysk
>> -----Original Message-----
>> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
>> Sent: Friday, August 20, 2010 3:43 AM
>> To: Tomcat Users List
>> Subject: Re: Sessions mix-up on Tomcat 6.0.26 on Linux
>>
> Wesley,
> 
> On 8/19/2010 5:04 PM, Wesley Acheson wrote:
>>>> Maybe it's just me but I still don't see where uadc is declared or even
>>>> imported.
> 
> ...or even used.
> 
> I'm guessing that the bad code exists outside of this login servlet.
> 
> -chris
>>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
>>
>>
>>
>>
