> "One of my favorites is the use of the SQL Server system stored
> procedure xp_cmdshell to open a command shell, which can be used to
> fetch a file from an attacker's FTP server and run it."
>
> I always knew Dave was a cracker (not hacker!) extraordinaire :-)
Oh, hardly. I didn't discover it myself, I've never used it without explicit permission in order to demonstrate a vulnerability to a client, and I couldn't find a buffer overflow to save my life, due to my poor C/assembler/disassembler skills.

Seriously, though, it's unfortunate but true that if you're in the business of developing and deploying open network applications, you have to be aware of the security implications and requirements. It's been my experience that very few people pay adequate attention to this until it's too late.

Dave Watts, CTO, Fig Leaf Software
http://www.figleaf.com/
voice: (202) 797-5496 fax: (202) 797-5444

______________________________________________________________________
Signup for the Fusion Authority news alert and keep up with the latest news in ColdFusion and related topics. http://www.fusionauthority.com/signup.cfm
FAQ: http://www.thenetprofits.co.uk/coldfusion/faq
Archives: http://www.mail-archive.com/[email protected]/
Unsubscribe: http://www.houseoffusion.com/index.cfm?sidebar=lists
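The check a defender would run after reading the above, as an added example that is not part of the original thread: on SQL Server 2005 and later, xp_cmdshell is gated by the server-level sp_configure option, so it can be audited and switched off in T-SQL. It assumes a login with ALTER SETTINGS (sysadmin or serveradmin) and that no legitimate job depends on the procedure.

```sql
-- Audit: is xp_cmdshell currently enabled on this instance?
-- value_in_use = 1 means any login with EXECUTE on the procedure
-- (sysadmin by default) can spawn an OS shell from a query,
-- which is what turns a SQL injection into host compromise.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- Remediate: xp_cmdshell is an "advanced" option, so it must be
-- exposed before it can be changed, then hidden again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'xp_cmdshell', 0;   -- 0 = disabled
RECONFIGURE;

EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Verify the change took effect (expect value_in_use = 0).
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

Disabling the procedure does not remove the underlying injection flaw; the application's input handling still has to be fixed, and the web application's database login should not be a member of sysadmin in the first place.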

