I think we've found that "Remedy automatically escapes commands to the database most of the time", we'll log a bug for that pretty soon now.
Hugo

On Jan 2, 2008 9:20 PM, Durrant, Michael M. - ITSD <[EMAIL PROTECTED]> wrote:
> Remedy automatically "escapes" commands going to the database so SQL
> injection is a moot point. BMC has an excellent white paper entitled
> "Security Attacks and AR System" that covers SQL injection, buffer
> overruns, privilege elevation, etc.
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of Dwayne Martin
> Sent: Wednesday, January 02, 2008 12:48 PM
> To: [email protected]
> Subject: Remedy and SQL injection attacks
>
> Hello Everyone,
>
> Here is an issue I have just become aware of, and am wondering how
> Remedy handles the danger, or if it even is a danger.
>
> It seems that if a web page accepts data input, and uses that data to
> query a database, the user can insert a value like:
>
> "whatever;do something nasty;--".
>
> Then if the web page uses this value to query the database, the database
> will actually perform the "do something nasty" command, which could be
> anything from dropping a table to giving somebody administrator
> permissions.
>
> (For a neat little cartoon illustrating this danger see:
> http://xkcd.com/327/.)
>
> So my question is, does this apply to Remedy data input or queries?
> Suppose somebody queries a Remedy form for entries where a particular
> field = "whatever;do something nasty;--". Or they enter their name as
> "whatever;do something nasty;--"? Will the database do something nasty,
> or does Remedy take precautions against it, or is there no danger in the
> first place?
>
> Dwayne Martin
> James Madison University
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
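The construction Dwayne describes, as an added illustration that is not part of the thread and is not Remedy, AR System or BMC code: a small Python script against an in-memory SQLite database with a constructed "people" table. It builds the same query three ways, by string concatenation (the vulnerable case, including the stacked "whatever;do something nasty;--" shape when the driver is allowed to run several statements at once), by parameter binding (the fix), and by quote escaping of the kind Michael mentions, which protects only values that land inside a quoted string and does nothing for a value dropped into an unquoted numeric position. The table, rows, function names and payloads are all assumptions made for the example.

```python
"""Added SQL-injection illustration for the ARSlist thread above.

Not Remedy/AR System code: it uses Python's sqlite3 on an in-memory database
with a constructed table so it runs offline. Function and table names are
assumptions for the example.
"""
import sqlite3

# Constructed sample data standing in for a Remedy form's entries.
SAMPLE_ROWS = [
    (1, "Alice Admin", 1),
    (2, "Bob User", 0),
    (3, "Carol User", 0),
    (4, "Dan O'Brien", 0),   # legitimate value containing a quote
]


def make_db():
    """Create the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany("INSERT INTO people VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_by_name_vulnerable(conn, name):
    """Concatenates the value into the SQL text, so attacker-supplied quotes
    and keywords become part of the statement (tautologies, comment tricks)."""
    sql = "SELECT id, name FROM people WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_vulnerable_stacked(conn, name):
    """Same concatenation, but run through an API that accepts several
    statements at once, so the thread's "whatever; do something nasty; --"
    payload executes the extra statement. Side effects only; no result."""
    sql = "SELECT id, name FROM people WHERE name = '" + name + "'"
    conn.executescript(sql)


def find_by_name_safe(conn, name):
    """Parameter binding: the value travels separately from the SQL text, so
    quotes, semicolons and '--' in it are just characters of the value."""
    return conn.execute(
        "SELECT id, name FROM people WHERE name = ?", (name,)
    ).fetchall()


def escape_quotes(value):
    """Naive escaping: double every single quote. Adequate only when the
    value is placed inside a quoted string literal."""
    return value.replace("'", "''")


def find_by_id_escaped_but_unquoted(conn, id_text):
    """Escaping is applied, yet the value lands in an unquoted numeric
    position, so a payload with no quote character at all still injects."""
    sql = "SELECT id, name FROM people WHERE id = " + escape_quotes(id_text)
    return conn.execute(sql).fetchall()


def table_exists(conn, table):
    """True if the named table is still present in the schema."""
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?",
        (table,),
    ).fetchone()
    return row is not None


def demo():
    """Run each case on a fresh database and report what happened."""
    conn = make_db()
    tautology = "x' OR '1'='1"
    results = {
        "leaked_rows": len(find_by_name_vulnerable(conn, tautology)),   # 4
        "safe_rows": len(find_by_name_safe(conn, tautology)),           # 0
        # Legitimate quote: concatenation breaks, binding works.
        "safe_handles_quote": find_by_name_safe(conn, "Dan O'Brien")
        == [(4, "Dan O'Brien")],
        "escaped_unquoted_rows": find_by_id_escaped_but_unquoted(
            conn, "0 OR is_admin = 1"
        ),                                                              # Alice
    }
    try:
        find_by_name_vulnerable(conn, "Dan O'Brien")
        results["concat_handles_quote"] = True
    except sqlite3.OperationalError:
        results["concat_handles_quote"] = False
    # The thread's stacked-statement shape, quoted to close the string first.
    find_by_name_vulnerable_stacked(conn, "whatever'; DROP TABLE people;--")
    results["table_dropped"] = not table_exists(conn, "people")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things to take from it: binding the value as a parameter is what makes the quote in "Dan O'Brien" harmless while also making the tautology and the stacked DROP match nothing, and escaping has to know the syntactic context it is escaping for, which is why "escapes commands most of the time" is not the same as "injection is a moot point".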

