Re: [Full-disclosure] Solved -flaws in e-business designer (eBD)



On Tue, 20 Jun 2006 09:51:22 +0200, Blanca Pons de Dalmases said:

This could be considered as a bug, but not as a vulnerability, since ALL
the "manager users" have a tool in eBD called SQLManager, that allows
them to send queries against the database with no need to use SQL
Injection. The "manager users" in eBD are "application developers", and
they can create tables, modify the data, etc., they do not need to use
SQL injection to obtain this, so we cannot consider this as a security
vulnerability.

Poor thinking, security-wise. This still has a problem - if a remote attacker
can find a way to bypass the authentication and cause an SQL injection, they
can gain control, even if they can't find a way to bypass the authentication
and seize control of the SQLManager tool you provided.

If you need help in understanding why this is a problem, walk into your
boss's office and ask:

"OK, since I know you have tools to create and manage requests for stuff,
there's no problem if I create some requests myself, and trick you into signing
them to authorize doubling my salary and buying me a Porsche, right?"

After all, since he was provided a tool to manage purchase orders, it's
not a vulnerability if a fake one gets created, right? :)

Attachment: pgp17LpRQp2EU.pgp
Description: PGP signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
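The distinction the reply above draws (a query tool for authenticated developers versus SQL injection reachable by an unauthenticated party) comes down to whether untrusted text is parsed as SQL or only compared as data. The following is an added example, not code from the thread or from the eBD product; the schema, table and user names are constructed for illustration, and SQLite stands in for whatever database the product actually uses.

```python
import sqlite3

# Constructed in-memory database standing in for an application backend.
# The table layout and the sample account are invented for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 's3cret', 'manager')")
    conn.commit()
    return conn

def lookup_user_unsafe(conn: sqlite3.Connection, name: str, password: str):
    # Builds the statement by string concatenation: the caller's text becomes
    # part of the SQL, so the database parser sees whatever the caller sent.
    sql = ("SELECT name, role FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()

def lookup_user_safe(conn: sqlite3.Connection, name: str, password: str):
    # Bound parameters: the values travel separately from the statement and
    # are only ever compared as data, never parsed as SQL.
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()

def run_unsafe(conn: sqlite3.Connection, name: str, password: str):
    # Wraps the concatenating version so the outcome can be inspected:
    # a parse error here proves that untrusted input reached the SQL parser,
    # which is the root of the vulnerability class regardless of who is
    # otherwise allowed to run queries.
    try:
        row = lookup_user_unsafe(conn, name, password)
    except sqlite3.Error as exc:
        return ("sql-error", str(exc))
    return ("row", row)

if __name__ == "__main__":
    db = make_db()
    # A plain apostrophe in the password (constructed input) is enough to
    # change the statement the database parses in the unsafe version ...
    print(run_unsafe(db, "alice", "it's"))
    # ... while the parameterized version simply finds no matching row.
    print(lookup_user_safe(db, "alice", "it's"))
    print(lookup_user_safe(db, "alice", "s3cret"))
```

The parse error from `run_unsafe` is the diagnostic that matters: if a single quote from an unauthenticated request alters the statement, the request is already executing with the application's database privileges, and the existence of a separate, authenticated SQLManager tool does nothing to change that. The fix is the parameterized form, combined with running the application's database account with less privilege than the developers' tool.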
