At 2:16 PM +0100 11/2/07, Johan Peeters wrote:

> I have been looking at an IBM system. If I do something like this
>           ...
>            01 txt                             PIC  X(120)
>            ....
>            string '**'
>              into txt
>            end-string
>            display txt
> I get to see ** on sysout followed by what appears to be selected
> contents of the data section. This strikes me as somewhat worrisome -
> it reminds me of the format string vulnerabilities in C.
> Am I just being paranoid?

A program that improperly releases data due to programmer error is
beyond what I consider to be the realm of security.  To me that is
merely bad programming.

To me the criterion is whether an outsider can cause a program to do
something other than what it does for normal users.  Some secret back
door password that causes organizational secrets to be released would
be a Trojan horse.  A typical method of controlling that is with the
security controls on a database, so only authorized users can read the
"company secret" field, no matter how badly the application programmer
messes up.
Larry Kilgallen
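A small COBOL program, added here as an illustration and not part of either post, showing the behaviour Johan describes next to the fix a defender would apply: STRING only overwrites the positions it transfers, so the receiving field must start out cleared (MOVE SPACES or a VALUE clause). The program name and field names are my own.

```cobol
       IDENTIFICATION DIVISION.
       PROGRAM-ID. STRLEAK.
       DATA DIVISION.
       WORKING-STORAGE SECTION.
      * Constructed example. TXT has no VALUE clause, so its initial
      * contents are whatever the runtime left in working storage
      * (unpredictable unless the compiler is told to clear it, e.g.
      * IBM Enterprise COBOL's WSCLEAR option).
       01  TXT                      PIC X(120).
      * Same size field with an explicit initial value: always spaces.
       01  TXT-SAFE                 PIC X(120) VALUE SPACES.
       PROCEDURE DIVISION.
       MAIN.
      * Leaky form from the post: STRING copies only the two transferred
      * characters and leaves positions 3..120 untouched, so DISPLAY
      * shows '**' followed by 118 bytes of stale storage.
           STRING '**' DELIMITED BY SIZE
               INTO TXT
           END-STRING
           DISPLAY TXT
      * Hardened form 1: clear the receiving field immediately before
      * the STRING, so the remainder is spaces rather than stale data.
           MOVE SPACES TO TXT
           STRING '**' DELIMITED BY SIZE
               INTO TXT
           END-STRING
           DISPLAY TXT
      * Hardened form 2: a receiving field declared with VALUE SPACES
      * starts clean; this only covers the first use, so clear it again
      * before any later STRING into the same field.
           STRING '**' DELIMITED BY SIZE
               INTO TXT-SAFE
           END-STRING
           DISPLAY TXT-SAFE
           STOP RUN.
```

The same residue problem applies to any partial write into a fixed-length field (STRING with POINTER, reference modification, UNSTRING), so the clearing step belongs wherever the field is reused, not only at declaration.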
Secure Coding mailing list (SC-L)
List information, subscriptions, etc -
List charter available at -
SC-L is hosted and moderated by KRvW Associates, LLC (
as a free, non-commercial service to the software security community.
