Remedy automatically "escapes" commands going to the database so SQL
injection is a moot point.  BMC has an excellent white paper entitled
"Security Attacks and AR System" that covers SQL injection, buffer
overruns, privilege elevation, etc.

-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:[EMAIL PROTECTED] On Behalf Of Dwayne Martin
Sent: Wednesday, January 02, 2008 12:48 PM
To: [email protected]
Subject: Remedy and SQL injection attacks

Hello Everyone,

Here is an issue I have just become aware of, and am wondering how
Remedy handles the danger, or if it even is a danger.

It seems that if a web page accepts data input, and uses that data to
query a database, the user can insert a value like:

"whatever;do something nasty;--".  

Then if the web page uses this value to query the database, the database
will actually perform the "do something nasty" command, which could be
anything from dropping a table to giving somebody administrator
permissions.

(For a neat little cartoon illustrating this danger see:
http://xkcd.com/327/.)

So my question is, Does this apply to Remedy data input or queries?
Suppose somebody queries a Remedy form for entries where a particular
field = "whatever;do something nasty;--".  Or they enter their name as
"whatever;do something nasty;--"?  Will the database do something nasty,
or does Remedy take precautions against it, or is there no danger in the
first place?

Dwayne Martin
James Madison University

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
The information contained in this email may be privileged, confidential or 
otherwise protected from disclosure.  All persons are advised that they may 
face penalties under state and federal law for sharing this information with 
unauthorized individuals.  If you received this email in error, please reply to 
the sender that you have received this information in error.  Also, please 
delete this email after replying to the sender.
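The payload Dwayne describes, run against concatenated SQL and then against a parameterized query, as an added example; this is not Remedy code and not from the thread. It uses an in-memory SQLite table standing in for a form, with constructed sample rows, and makes the "do something nasty" part concrete as a DELETE. The stacked-statement case is driven through executescript, which plays the role of a database interface that accepts several statements in one call; the tautology case works with a plain single-statement execute.

```python
"""Added example (not from the ARSlist thread, not Remedy code): what
"whatever;do something nasty;--" does to SQL built by string concatenation,
and how binding the value as a parameter (or, less robustly, escaping the
quote) keeps it inside the string literal.  Table and rows are constructed
here for illustration."""
import sqlite3

# Dwayne's payload with a concrete "nasty" statement in the middle.
STACKED_PAYLOAD = "whatever'; DELETE FROM entries; --"
# A single-statement variant: rewrites the WHERE clause to match every row.
TAUTOLOGY_PAYLOAD = "x' OR 1=1 --"


def fresh_db():
    """Constructed sample data: a tiny 'form' with three entries."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE entries (id INTEGER PRIMARY KEY, submitter TEXT, status TEXT);
        INSERT INTO entries (submitter, status)
            VALUES ('alice', 'Open'), ('bob', 'Closed'), ('carol', 'Open');
    """)
    return con


def count_entries(con):
    return con.execute("SELECT COUNT(*) FROM entries").fetchone()[0]


def vulnerable_select(con, submitter):
    """Concatenated single statement.  The '--' in the payload comments out
    the closing quote, so an attacker rewrites the WHERE clause and reads
    every entry, not just their own."""
    sql = "SELECT id FROM entries WHERE submitter = '" + submitter + "'"
    return [row[0] for row in con.execute(sql).fetchall()]


def vulnerable_batch(con, submitter):
    """Concatenation handed to an interface that runs statement batches
    (executescript here), i.e. the situation in Dwayne's message: the
    DELETE after the ';' executes.  Returns the surviving row count."""
    sql = "SELECT id FROM entries WHERE submitter = '" + submitter + "';"
    con.executescript(sql)  # runs SELECT, then DELETE, then the comment
    return count_entries(con)


def parameterized_select(con, submitter):
    """Bound parameter: the driver sends the value separately from the SQL
    text, so the payload is compared as a plain string and matches nothing."""
    rows = con.execute(
        "SELECT id FROM entries WHERE submitter = ?", (submitter,)
    ).fetchall()
    return [row[0] for row in rows]


def escaped_select(con, submitter):
    """The 'escaping' approach: double any single quote so the input cannot
    close the literal.  Correct for SQLite string literals, but quoting rules
    differ per backend and per context (numbers, identifiers), which is why
    parameters are the preferred fix."""
    safe = submitter.replace("'", "''")
    sql = "SELECT id FROM entries WHERE submitter = '" + safe + "'"
    return [row[0] for row in con.execute(sql).fetchall()]


if __name__ == "__main__":
    con = fresh_db()
    print("tautology, concatenated :", vulnerable_select(con, TAUTOLOGY_PAYLOAD))
    print("tautology, parameterized:", parameterized_select(con, TAUTOLOGY_PAYLOAD))
    print("tautology, escaped      :", escaped_select(con, TAUTOLOGY_PAYLOAD))
    print("rows after stacked batch:", vulnerable_batch(con, STACKED_PAYLOAD))
```

Running it shows the concatenated query returning all three ids for the tautology payload, the parameterized and escaped queries returning none, and the stacked payload emptying the table through the batch interface while the same string passed as a bound parameter leaves the three rows untouched.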
