neat!

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of u2ug
Sent: Friday, September 10, 2004 3:34 PM
To: [EMAIL PROTECTED]
Subject: [U2] major (?) @var security hole
This may be common knowledge, but I stumbled across this yesterday at a client's site and was very surprised / alarmed. If you rely on system variables, @LOGNAME and @WHO in particular, for any kind of security / access control, you may be interested to know that these 'static' / 'read only' variables can very easily be modified to contain any values you like, including other user ids and account names.

BP TEST:

    *******************************************
    * verify current values
    *******************************************
    CRT "Before : ":@WHO,@LOGNAME

    *******************************************
    * direct modification of system variables
    * - bombs in compile [EMAIL PROTECTED] (Read-Only) unexpected ...]
    * - this is good !
    *******************************************
    * @LOGNAME="xx"
    * @WHO="yy"

    *******************************************
    * indirect modification of system variables
    * - CALL passes the @vars by reference, so SUB writes straight into them
    *******************************************
    CALL SUB(@WHO,@LOGNAME)

    *******************************************
    * verify current values
    *******************************************
    CRT "After : ":@WHO,@LOGNAME

    END

BP SUB:

    SUBROUTINE SUB(arg1,arg2)
    * overwrite whatever was passed in by reference
    arg1="xx"
    arg2="yy"
    END

Session:

    >WHO
    1234 TESTACCOUNT From TESTUSERID
    >RUN BP TEST
    Before : TESTACCOUNT TESTUSERID
    After : xx yy
    >WHO
    1234 xx From yy

Notice: not only are these @vars modified within the program, but the new values are persisted into the prompt environment as well!!! Anyone else see this as a <!!<!!<!!<MAJOR>!!>!!>!!> bug?

gerry

-------
u2-users mailing list
[EMAIL PROTECTED]
To unsubscribe please visit http://listserver.u2ug.org/
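A defensive pattern for callers, as an added example that is not part of gerry's post and not vendor code from the UniVerse/UniData products. It assumes the UniVerse BASIC rule that a CALL argument wrapped in its own parentheses is passed by value rather than by reference, and it reuses the two-argument SUB from the post (assumed catalogued or compiled in BP) so the effect can be compared against the original TEST program:

```basic
* BP TESTSAFE - added example, not from the original post
* Assumption: CALL passes arguments by reference unless the argument
* is enclosed in parentheses, which forces pass-by-value.
* Assumption: SUB is the subroutine from the post, which assigns
* "xx" and "yy" to its two arguments.
CRT "Before : ":@WHO,@LOGNAME

* 1. Parenthesised arguments: SUB receives temporary copies,
*    so @WHO and @LOGNAME are left alone.
CALL SUB((@WHO), (@LOGNAME))
CRT "After by-value call : ":@WHO,@LOGNAME

* 2. Explicit local copies: same protection, and the locals
*    show exactly what SUB tried to write.
WHO.COPY = @WHO
LOG.COPY = @LOGNAME
CALL SUB(WHO.COPY, LOG.COPY)
CRT "SUB wrote : ":WHO.COPY, LOG.COPY
CRT "After copy call : ":@WHO,@LOGNAME
END
```

Both variants only protect against subroutines this program calls; they do nothing if an earlier program in the same session already overwrote the @vars, since the post shows the changed values persist at the prompt. Any access-control decision that reads @WHO or @LOGNAME should treat them as untrusted session state unless the session's call chain is known not to pass them by reference.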
