hmm RH7.2 ?unix? when did that promotion happen ? ;-) by 'perfect' do you mean that the @vars were modified or were not modified ?

they are definitely modified on uv10 hpux11 & w2k

----- Original Message -----
From: "George Gallen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 10, 2004 04:12 pm
Subject: RE: [U2] major (?) @var security hole

> COOOOL.
>
> On UV10 RH7.2 unix
>
> The direct bombed in compile, but the indirect worked perfectly
>
> George
>
> >-----Original Message-----
> >From: [EMAIL PROTECTED]
> >[mailto:[EMAIL PROTECTED]
> >Sent: Friday, September 10, 2004 3:34 PM
> >To: [EMAIL PROTECTED]
> >Subject: [U2] major (?) @var security hole
> >
> >this may be common knowledge, but I stumbled across this yesterday at a
> >client's site and was very surprised / alarmed.
> >if you rely on system variables, @LOGNAME, @WHO in particular, for any kind
> >of security / access control, you may be interested to know that these
> >'static'/'read only' variables can very easily be modified to contain any
> >values you like - including other user ids and account names.
> >
> >BP TEST
> >*******************************************
> >* verify current values
> >*******************************************
> >crt "Before : ":@WHO,@LOGNAME
> >
> >*******************************************
> >* direct modification of system variables
> >* - bombs in compile [EMAIL PROTECTED] (Read-Only) unexpected ...]
> >* - this is good !
> >*******************************************
> >* @LOGNAME="xx"
> >* @WHO="yy"
> >
> >*******************************************
> >* indirect modification of system variables
> >*******************************************
> >call SUB(@WHO,@LOGNAME)
> >
> >*******************************************
> >* verify current values
> >*******************************************
> >crt "After : ": @WHO,@LOGNAME
> >
> >end
> >
> >BP SUB
> >subroutine SUB(arg1,arg2)
> >arg1="xx"
> >arg2="yy"
> >end
> >
> >>WHO
> > 1234 TESTACCOUNT From TESTUSERID
> >
> >>RUN BP TEST
> > Before : TESTACCOUNT TESTUSERID
> > After : xx yy
> >
> >>WHO
> > 1234 xx From yy
> >
> >notice - not only are these @vars modified within the program but the new
> >values are persisted into the prompt environment as well !!!
> >
> >anyone else see this as a <!!<!!<!!<MAJOR>!!>!!>!!> bug ?
> >
> >gerry
> >-------
> >u2-users mailing list
> >[EMAIL PROTECTED]
> >To unsubscribe please visit http://listserver.u2ug.org/
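The defensive counterpart to the TEST/SUB pair above, added here as an example and not posted by anyone in the thread: it snapshots @WHO and @LOGNAME into ordinary local variables before calling anything, passes the system variables by value instead of by reference, and checks afterwards that nothing changed. It assumes the UniVerse BASIC convention that an argument wrapped in parentheses is evaluated as an expression and so reaches the subroutine as a temporary copy (verify this against the CALL statement in your release's BASIC reference), and it assumes a subroutine SUB with the same body as the one in the thread, i.e. one that assigns to both of its arguments.

```basic
* BP HARDENED  (added example, not from the thread)
* Assumes: parenthesised CALL arguments are passed by value, and
* SUB is the thread's two-argument subroutine that writes "xx"/"yy"
* into whatever it is handed.

      *******************************************************
      * 1. Snapshot the identity on entry.  Plain local
      *    variables are never touched by a CALL unless
      *    they are passed to it.
      *******************************************************
      START.WHO     = @WHO
      START.LOGNAME = @LOGNAME
      CRT "Before : ":@WHO,@LOGNAME

      *******************************************************
      * 2. Pass copies, not the variables.  The thread's
      *    call SUB(@WHO,@LOGNAME) hands the subroutine a
      *    reference; wrapping each argument in parentheses
      *    makes it an expression, so SUB's arg1="xx" lands
      *    in a temporary and @WHO is left alone.
      *******************************************************
      CALL SUB((@WHO), (@LOGNAME))

      *******************************************************
      * 3. Re-check against the snapshot before doing any
      *    work that depends on who the caller is.  '#' is
      *    the not-equal operator.
      *******************************************************
      IF @WHO # START.WHO OR @LOGNAME # START.LOGNAME THEN
         CRT "identity changed across CALL - aborting"
         STOP
      END

      CRT "After  : ":@WHO,@LOGNAME
      END
```

Two caveats on what this buys you. It protects a program from subroutines it calls, nothing more: any program in the account can still do exactly what the thread's TEST program does, so @WHO and @LOGNAME remain unusable as a trust boundary between code in the same account. And the snapshot is only as good as the values at program start; since the thread reports the modified values persisting in the prompt environment after TEST finishes, a check like this cannot detect a change made by an earlier program in the same session.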
