Hi Jim,
On Sun, Apr 15, 2007 at 10:19:34AM -0700, Jim Busser wrote:
> The vulnerabilities of SQL injection are getting some extra discussion
> lately, maybe only a "bump" in a known vulnerability on account of
> browser-based cross-site scripting attacks.
Yes, an attack known to and recognized by the GNUmed developers.
Some factoids:
- injection attacks only happen if the values are sent
  in-the-query as opposed to alongside the query for
  the server to handle
  - which psycopg2 (our database library) does but will change
    in the future at which point GNUmed will gain that extra
    security transparently
- injection attacks only happen on wrongly/unescaped values
  put into queries
  - which GNUmed does not do but rather hands *all* values
    to psycopg2 which does proper escaping (and thereby
    sanitizing)
So, barring bugs in psycopg2's quoting/escaping algorithm, we
aren't vulnerable. And we will transparently become entirely
invulnerable once psycopg2 starts sending values
out-of-query instead of escaping them into the query.
IOW, we did take due action to minimize the risk.
Thanks for the inquiry, though.
Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
_______________________________________________
Gnumed-devel mailing list
http://lists.gnu.org/mailman/listinfo/gnumed-devel
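The three ways of getting a value into a query that the mail contrasts (pasted in unescaped, escaped into the query text, sent alongside the query), shown side by side as an added example; this is not GNUmed or psycopg2 code. It uses the standard-library sqlite3 module as a stand-in so it runs without a PostgreSQL server, and the table, rows and crafted input are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for a patient table; not GNUmed's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (id INTEGER PRIMARY KEY, lastname TEXT)")
    conn.executemany("INSERT INTO patient (lastname) VALUES (?)",
                     [("Busser",), ("Hilbert",)])
    return conn

def find_interpolated(conn, lastname):
    # Unescaped value pasted into the query text: the database cannot tell
    # where the data ends and the SQL begins. This is the bug class under
    # discussion, kept here only as the 'before' picture.
    query = "SELECT id FROM patient WHERE lastname = '%s'" % lastname
    return [row[0] for row in conn.execute(query)]

def quote_literal(value):
    # Minimal client-side escaping, the approach the mail says psycopg2 uses
    # today: double embedded single quotes and wrap the result in quotes.
    # A real driver also has to track the server's encoding and
    # backslash-escape settings, which is exactly the "barring bugs in the
    # quoting/escaping algorithm" caveat from the mail.
    return "'" + value.replace("'", "''") + "'"

def find_escaped(conn, lastname):
    query = "SELECT id FROM patient WHERE lastname = " + quote_literal(lastname)
    return [row[0] for row in conn.execute(query)]

def find_parameterized(conn, lastname):
    # Value travels alongside the query (sqlite3 uses '?', psycopg2 uses '%s');
    # the driver/server treat it purely as data, so there is no escaping step
    # that could be gotten wrong.
    query = "SELECT id FROM patient WHERE lastname = ?"
    return [row[0] for row in conn.execute(query, (lastname,))]

if __name__ == "__main__":
    db = make_db()
    crafted = "' OR '1'='1"   # constructed input, not a real patient name
    print(find_interpolated(db, crafted))   # [1, 2]: every row comes back
    print(find_escaped(db, crafted))        # []: quoting kept it as data
    print(find_parameterized(db, crafted))  # []: never part of the SQL text
```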