Hello you list people, I joined this list just a few minutes ago in order to ask you all a question. I have not read the archives of the list discussion, so I might be completely off topic. In that case, sorry for my being clumsy. On the other hand, I might be asking a very common or often discussed question. In that case, sorry for my being redundant.
Here's the background: I administer a site in Sweden running Cocoon. Everyone is very happy and there is, as a rule, much rejoicing. Weee. Two days ago I was hacked by a supposedly benign person claiming to make a nation-wide search for sites with obvious security holes. I wrote back and thanked him, and also quickly brought down the servlet for the site. (The guy later replied to my 'thank you' mail and gave me a proposal for a 'patch' for the hole. In my reply, I had to restrain myself a little in order not to tell him where he could put the patch.)

Today I have been thinking about what would really patch the security hole. What we're talking about here, by the way, is a phenomenon called 'SQL Injection', a term which should be familiar to every developer of web applications that interface with an SQL database. If you don't know about this security hazard, and your webapp uses SQL, you are through inaction placing your information, and thereby your users, at the mercy of competent (and not so competent) hackers! I refer to the pdf http://www.nextgenss.com/papers/advanced_sql_injection.pdf for more information. Be aware that more than simple removal of 'bad characters' is needed in order to protect oneself fully -- ample examples and reasons are given in the paper.

My question, finally: Could future versions of Cocoon protect against this type of 'database rape' -- for example in the class org.apache.cocoon.acting.DatabaseAuthenticatorAction? Would this be a sensible place to put the protection? To me it has the immediate advantage that I don't have to write any extra code -- no, seriously. For every webapp that I write -- and anyone I can think of, for that matter -- this type of protection would be necessary for a login system even to be useful. Why not put the few if statements in DatabaseAuthenticatorAction? Until this question is settled, I will of course have to insert some kind of patch into my webapp.
But it would be nice if such controls were done automatically in the future. Thank you for your attention.

// Carl Mäsak
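The login-query weakness the post describes, as an added example that is neither from the original mail nor from Cocoon's DatabaseAuthenticatorAction: a constructed in-memory SQLite table, the string-concatenated query beside the parameterized form that closes the hole without any 'bad character' filtering. Table name, column names and the sample user are assumptions.

```python
import sqlite3

# Constructed sample data: one user in an in-memory database.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn

def vulnerable_login(conn, name, password):
    # Untrusted input is spliced into the SQL text, so a quote in the
    # password ends the literal and the rest is parsed as SQL syntax.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None

def safe_login(conn, name, password):
    # Placeholders keep the query text fixed; the driver sends the
    # values separately, so they can never change the query's shape.
    # This is what a hardened authenticator action should do instead of
    # stripping characters it thinks are dangerous.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None

def demo():
    """Return (vulnerable_bypassed, safe_bypassed, safe_accepts_real)."""
    conn = make_db()
    tautology = "x' OR '1'='1"      # classic textbook injection input
    return (
        vulnerable_login(conn, "alice", tautology),   # True: logged in
        safe_login(conn, "alice", tautology),         # False: rejected
        safe_login(conn, "alice", "correct horse"),   # True: real password
    )

if __name__ == "__main__":
    print(demo())
```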