Since you provide your own SQL in a DirectDBMS action, you are responsible for its quality, so like Gauthier suggests, use stored procedures/parameterized queries.
Sri Amudhanar
Maxys Corporation
Authorized Witango Reseller
Authorized Pervasive, Cisco, HP, Thawte Reseller.
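The login probe Sri describes further down the thread, run both ways as an added example that is not part of the original thread or of Witango: once with the form values pasted into the SQL text (the hand-built DirectDBMS case) and once with a prepared statement and bound values (what a database action / <@BIND> does). An in-memory SQLite table stands in for the MySQL database; the table, account and function names are constructed for the demo.

```python
"""Added example: the thread's "*';" login probe against a hand-built query
and against a prepared/bound query.  SQLite stands in for MySQL; the users
table and the single account are constructed for the demo."""
import sqlite3

PROBE = "*';"  # star + single-quote + semicolon, the input from the thread


def make_db():
    """Constructed sample database: one users table with one account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (userid TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return con


def login_concat(con, userid, password):
    """Vulnerable: the form values become part of the SQL text.
    Returns 'ok', 'denied' or 'broken' (the statement no longer parses)."""
    sql = ("SELECT userid FROM users WHERE userid = '" + userid
           + "' AND password = '" + password + "'")
    try:
        row = con.execute(sql).fetchone()
    except (sqlite3.Error, sqlite3.Warning):
        return "broken"  # quote/semicolon changed the statement: injectable
    return "ok" if row else "denied"


def login_bound(con, userid, password):
    """Safe: statement prepared with placeholders, values bound as data.
    ('?' is the sqlite3 paramstyle; the driver never parses the values.)"""
    sql = "SELECT userid FROM users WHERE userid = ? AND password = ?"
    row = con.execute(sql, (userid, password)).fetchone()
    return "ok" if row else "denied"


def run_probe():
    """Feed the probe to both paths; the hardened path just answers 'denied'."""
    con = make_db()
    return {
        "concat": login_concat(con, PROBE, PROBE),
        "bound": login_bound(con, PROBE, PROBE),
        "bound_valid": login_bound(con, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    print(run_probe())
```

The concatenated query is reported as "broken", which is the failing outcome Sri's test looks for; the bound query treats the same input as an ordinary (wrong) credential.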

Roland Dumas wrote:
Re: Witango-Talk: Security question

I'm slow here. Does this mean that if there is a SQL query in a DirectDBMS Action that it's protected by this bind dust? Or just New Record and Update Actions?


On 9/22/04 11:34 AM, "Sri Amudhanar" <[EMAIL PROTECTED]> wrote:

One of the lesser talked about features of Witango/Tango server architecture is the advantage of "actions", especially the database actions. According to what I have gleaned over the years (since I don't work for Pervasive or Witango, and I don't have access to the Server source code), the database action appears to "PREPARE" SQL and then "BIND" values to it on the fly, before actually executing the statement. This way quotes and other SQL breaking characters in the field values are prevented from breaking the query. If you attempt to assemble your own SQL query for use in Witango/Tango, PHP (which has no equivalent of a database action), or a Java application etc., SQL hacking is a serious problem that will need to be addressed. Witango/Tango <@BIND **> tags provide a great service here.
For one answer to the question, create a TAF that is used for login (i.e. searching on userid AND password) and enter the values for userid and password as *'; (star + single-quote + semicolon). If your query breaks the program logic, you have a problem. If it doesn't, your system is inoculated against this kind of SQL injection attack, at least.
As they say, have fun!
Sri Amudhanar
Maxys Corporation


[EMAIL PROTECTED] wrote:

Hello,

this issue is known as "SQL injection" problem, search on google for more
information.

You should use stored procs (if available) or parameterized queries, and also
rely on argument checking (B) to completely avoid this security issue.

Hope this helps.

Gauthier

----- Original Message -----
From: "Roland Dumas" <[EMAIL PROTECTED]> <mailto:[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]> <mailto:[EMAIL PROTECTED]>
Sent: Wednesday, September 22, 2004 5:52 PM
Subject: Re: Witango-Talk: Security question

I want the SHORT answer, something like:

A.) If you use witango, a browser-submitted piece of coding can't affect the
database, witango, or a visitor who searches and gets the record with the
code.
B.) Holy s**t!: You're an idiot if you don't have a layer in front of a
submit that searches and kills anything that looks like this.....
C.) It is theoretically possible to submit harmful code that might do
this.....

If someone put some SQL in a text field, for instance, what might happen to
it down the line?

On a prior project, there was a unix head who thought he could break a
witango app by submitting all kinds of junk. He tried and tried and failed.
He put in SQL, unix commands, and all kinds of noise, but all it did was
store it and show it back to him when he queried. Is that my answer?

I don't need the general theoretical case of a theoretical app, but witango
as the app server and mysql as the dbms.



On 9/22/04 8:39 AM, "William M.Conlon" <[EMAIL PROTECTED]> <mailto:[EMAIL PROTECTED]>  wrote:

Must reading:

http://www.owasp.org/documentation/topten.html

Welcome to the OWASP Top Ten Project

The OWASP Top Ten provides a minimum standard for web application
security. The OWASP Top Ten represents a broad consensus about what the
most critical web application security flaws are. Project members
include a variety of security experts from around the world who have
shared their expertise to produce this list. There are currently
versions in English, French, Japanese, and Korean. A Spanish version is
in the works. We urge all companies to adopt the standard within their
organization and start the process of ensuring that their web
applications do not contain these flaws. Adopting the OWASP Top Ten is
perhaps the most effective first step towards changing the software
development culture within your organization into one that produces
secure code.


On Tuesday, September 21, 2004, at 11:43  PM, Ben Johansen wrote:

Hi Roland,

This is very unlikely; it is more likely that they would try to add sql
statements in the input field.

First off, the data type constraints of the database field would probably
either prevent the saving of the offensive code or will most likely
truncate it.

Even if there is supposedly evil script saved in the data, when pulled from
the database it is not being viewed in a manner that will execute it.

Plus, most firewalls and antivirus servers and clients will block it in the
unlikely event that the script is intact.

I have had this attempt happen to me, but the hacker didn't realize that the
form didn't save to the database but was just emailed to me. I have viewed the
code in Outlook without any issues.

Ben Johansen

-----Original Message-----
From: Roland Dumas [mailto:[EMAIL PROTECTED]
Sent: Tuesday, September 21, 2004 8:15 PM
To: [EMAIL PROTECTED]
Subject: Witango-Talk: Security question

Have a client who is asking questions about security. Specifically, if there
is a field that is entered via web form and then placed in a database, is
there the possibility that evil scripts can be submitted that will do evil
things either to the database or to a user reading the content of that
column?

________________________________________________________________________
TO UNSUBSCRIBE: Go to http://www.witango.com/developer/maillist.taf

___[ Pub ]____________________________________________________________
Inscrivez-vous gratuitement sur Tandaime, Le site de rencontres !
http://rencontre.rencontres.com/index.php?origine=4

-----------------------------------------
Roland Dumas
Roberts Information Services
310 W. Bellevue Avenue
San Mateo CA 94402
650-347-1373
415-412-9300 (cell)
[EMAIL PROTECTED]
SMS: http://new.servqual.com/html/sms.tml
