Re: dumb++ security

From: "Dave Korn" <no.spam@my.mailbox.invalid>
Date: Fri, 22 Feb 2002 16:36:42 -0000


"Buffy The Cache Coder" <buffcoder@hotmail.com> wrote in message
news:e3850c89.0202201350.5b2e5e44@posting.google.com...
> Hello.
>
> I need some suggestions on how to make my company's product
> more secure from hackers. Currently our software
> consists of several batch programs that are usually run
> from the commandline.
>
> These programs read username/password from a text file in a
> user's home directory. This information is used to connect to an Oracle
> or Sybase database. If the user doesn't have permission
> to connect to either database, the program doesn't run.

  SQL? Do a google search for "SQL injection" and read the
recently-published papers about the subject so you know how to properly
filter user-supplied data. This is *vital*, because without doing so any
access-control you may try to apply can simply be completely sidestepped.

         DaveK

--
moderator of
alt.talk.rec.soc.biz.news.comp.humanities.meow.misc.moderated.meow
Burn your ID card!  http://www.optional-identity.org.uk/
Help support the campaign, copy this into your .sig!
Proud Member of the Exclusive "I have been plonked by Davee because he
thinks I'm interesting" List Member #<insert number here>
Master of Many Meowing Minions
Holder of the exalted PF Chang's Crab Wonton Award for kook spankage above
and beyond the call of hilarity.
>
> The powers-that-be will be satisfied if I can have something
> slightly better than looking up a username and password from a
> file.  They want something in-house for now that can
> be run on NT too.  So what I need is a simple solution,
> but I'm lost for ideas.  Any help?
>
> Also, what about the situation where a user starts
> a server from the commandline which connects to the
> database/some server to perform task A.
>
> How can I ensure that the user has permission to do
> task A?  How can I prevent a user who has permissions
> but is now 'evil' from writing their own server,
> logging into the system and doing something bad?
>
> Any suggestions, or what literature to read would
> be good.  Again, they want me to make something in-house,
> and I'm not about to get a PhD in mathematics to
> learn cryptography, if it can be avoided :)
>
> thanks.
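Added illustration (not from either poster) of the point DaveK makes about user-supplied data reaching SQL: the same "does this user hold permission for task A" lookup written once by splicing the input into the statement text and once as a parameterized query. SQLite stands in for the Oracle/Sybase databases mentioned in the question, and the `task_permissions` table and its rows are constructed for the example. With a parameterized query the database engine receives the username purely as data, so a value containing a quote character is matched literally; the spliced version lets that same value change the shape of the statement, which here shows up as a syntax error and in general is what lets access checks be sidestepped.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory permissions table (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE task_permissions (username TEXT, task TEXT)")
    # Rows are inserted with placeholders, so the apostrophe in o'brien is stored as-is.
    conn.executemany(
        "INSERT INTO task_permissions VALUES (?, ?)",
        [("alice", "task_a"), ("bob", "task_b"), ("o'brien", "task_a")],
    )
    return conn


def has_permission_unsafe(conn, username, task):
    """VULNERABLE pattern: the caller's input becomes part of the SQL text."""
    sql = (
        "SELECT COUNT(*) FROM task_permissions "
        f"WHERE username = '{username}' AND task = '{task}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def has_permission_safe(conn, username, task):
    """Hardened pattern: placeholders keep the input as bound data, never as SQL."""
    sql = "SELECT COUNT(*) FROM task_permissions WHERE username = ? AND task = ?"
    return conn.execute(sql, (username, task)).fetchone()[0] > 0


def demonstrate():
    """Run both versions on the constructed table and report what each returns."""
    conn = make_db()
    results = {
        "safe_alice": has_permission_safe(conn, "alice", "task_a"),
        "safe_bob": has_permission_safe(conn, "bob", "task_a"),
        # A legitimate name with a quote is matched literally by the safe version.
        "safe_quoted_name": has_permission_safe(conn, "o'brien", "task_a"),
        "unsafe_alice": has_permission_unsafe(conn, "alice", "task_a"),
    }
    try:
        # The same quoted name breaks the spliced statement: the input has
        # altered the SQL itself rather than being compared as a value.
        results["unsafe_quoted_name"] = has_permission_unsafe(conn, "o'brien", "task_a")
    except sqlite3.OperationalError:
        results["unsafe_quoted_name"] = "sqlite3.OperationalError"
    return results


if __name__ == "__main__":
    for name, outcome in demonstrate().items():
        print(f"{name}: {outcome}")
```

The permission lookup living in the database rather than in the client program also speaks to the second question in the thread: a user who writes their own client still has to pass the same server-side check, provided that check is not built from strings the client controls.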


