First saw that in Prime Information back in 87. Taking compatibility a tad too far.

Mind you, if people can get into your systems and add new programs, I would think that modifying these items would be the least security problem you'd face!

________________________________
From: [EMAIL PROTECTED] on behalf of u2ug
Sent: Fri 10/09/2004 20:34
To: [EMAIL PROTECTED]
Subject: [U2] major (?) @var security hole

This may be common knowledge, but I stumbled across this yesterday at a client's site and was very surprised / alarmed.

If you rely on system variables, @LOGNAME and @WHO in particular, for any kind of security / access control, you may be interested to know that these 'static' / 'read only' variables can very easily be modified to contain any values you like - including other user ids and account names.

BP TEST

    *******************************************
    * verify current values
    *******************************************
    crt "Before : ":@WHO,@LOGNAME

    *******************************************
    * direct modification of system variables
    * - bombs in compile [EMAIL PROTECTED] (Read-Only) unexpected ...]
    * - this is good !
    *******************************************
    * @LOGNAME="xx"
    * @WHO="yy"

    *******************************************
    * indirect modification of system variables
    *******************************************
    call SUB(@WHO,@LOGNAME)

    *******************************************
    * verify current values
    *******************************************
    crt "After : ": @WHO,@LOGNAME

    end

BP SUB

    subroutine SUB(arg1,arg2)
    arg1="xx"
    arg2="yy"
    end

    >WHO
    1234 TESTACCOUNT From TESTUSERID
    >RUN BP TEST
    Before : TESTACCOUNT TESTUSERID
    After : xx yy
    >WHO
    1234 xx From yy

Notice - not only are these @vars modified within the program, but the new values are persisted into the prompt environment as well !!!

Anyone else see this as a <!!<!!<!!<MAJOR>!!>!!>!!> bug ?
gerry
-------
u2-users mailing list
[EMAIL PROTECTED]
To unsubscribe please visit http://listserver.u2ug.org/
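The write-through in the post happens because UniVerse/UniData BASIC passes subroutine arguments by reference: arg1 and arg2 in SUB are aliases for @WHO and @LOGNAME, so the compile-time read-only check on direct assignment never comes into play. The following is an added example, not code from the original post or from the list: it calls the same SUB as the post but encloses each argument in parentheses, which makes the call pass by value so the subroutine works on copies, and it compares the identity variables against a snapshot taken at entry before making any access decision. The program name BP TEST2 and the variable names LOGIN.WHO and LOGIN.NAME are assumptions. The snapshot check only catches changes made within this program's own call chain; it cannot detect values that another program altered earlier in the same session, which the post shows persist at the prompt, so it is a coding defence against accidental aliasing rather than a substitute for an identity source outside the BASIC variable space.

```basic
* Added example, not from the original post. Assumes UniVerse/UniData BASIC
* and the SUB subroutine shown in the post (arg1="xx", arg2="yy").
* Program name BP TEST2 is hypothetical.

* Take a copy of the identity variables at entry, before any CALL.
LOGIN.WHO = @WHO
LOGIN.NAME = @LOGNAME
CRT "Before : ":@WHO, @LOGNAME

* Parentheses around an argument pass it BY VALUE: SUB receives copies,
* so its assignments to arg1 / arg2 cannot reach @WHO or @LOGNAME.
CALL SUB((@WHO), (@LOGNAME))
CRT "After  : ":@WHO, @LOGNAME

* Compare against the entry snapshot before any access decision. This only
* detects changes made within this program's own call chain; values altered
* by another program earlier in the session are already in the snapshot.
IF @WHO # LOGIN.WHO OR @LOGNAME # LOGIN.NAME THEN
   CRT "Identity variables changed during run - aborting"
   STOP
END
CRT "Identity unchanged: ":@LOGNAME:" in ":@WHO
END
```

With the original SUB compiled and catalogued, "Before" and "After" print the same account and user, and a second WHO at the prompt is unchanged; replacing the parenthesised call with the post's CALL SUB(@WHO,@LOGNAME) reproduces the post's result and trips the snapshot check.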
