Bugtraq mailing list archives
All the recent SQL vulnerabilities
From: dps () IO STARGATE CO UK (Duncan Simpson)
Date: Mon, 28 Feb 2000 23:17:32 +0000
Nobody has mentioned this yet, so I thought I might. I will refrain from the stored procedures vs. dynamically generated SQL wars (I have used only the latter).

SQL has identities and most of the SQL games could be stopped by using a sharply limited identity to query the database (column, table and database access control is included in standard SQL). Obviously this is not a substitute for programming it properly in the first place but could limit the damage. In particular the code that can be manipulated to change prices in multiple shopping carts (ISS X-Force, 3rd of February) does not need an identity that can change the prices. I suspect the wwwthreads code, RFP2K01 (also 3rd of February), does not need write access for its intended results.

Am I missing something or are the database queries not doing the moral equivalent of running everything as root and hoping the, usually sadly lacking, input validation saves the system? If this is completely clueless for servers and cgi programs what makes it somehow acceptable for accessing databases which include serious access controls? Is minimum privilege no longer a good idea?

BTW If the answer to the question above is that the current practice is clueless then I am guilty of doing it myself :-) Next time I hopefully use more clues and the access controls provided.

--
Duncan (-:
"software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
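The "sharply limited identity" the post argues for, worked through as an added example (not code from the original post or from any of the products it mentions): a constructed shopping-cart schema, the table-owner connection the post criticises, and a restricted login role beside it. It assumes PostgreSQL-style GRANT/REVOKE syntax; the role, table and column names are made up for illustration.

```sql
-- Added example, not from the original post. Assumes PostgreSQL-style
-- privilege syntax; shop_owner, shop_web, product and cart_item are
-- hypothetical names chosen for illustration.

-- Constructed schema: a catalogue whose prices must never change via the
-- web tier, and a cart table the web tier legitimately writes to.
CREATE TABLE product (
    product_id  INTEGER PRIMARY KEY,
    name        TEXT    NOT NULL,
    price       NUMERIC NOT NULL
);
CREATE TABLE cart_item (
    cart_id     INTEGER NOT NULL,
    product_id  INTEGER NOT NULL REFERENCES product (product_id),
    quantity    INTEGER NOT NULL CHECK (quantity > 0),
    PRIMARY KEY (cart_id, product_id)
);

-- Weak setting (the "run everything as root" arrangement): the web
-- application connects as the table owner, so any statement that slips
-- past input validation can rewrite product.price or drop tables.
--   connection string: user=shop_owner ...

-- Corrected setting: a dedicated login role holding only what the
-- shopping pages need. Replace the placeholder with a real secret.
CREATE ROLE shop_web LOGIN PASSWORD '<placeholder-secret>';

-- Start from nothing: strip any default PUBLIC access on these tables.
REVOKE ALL ON product, cart_item FROM PUBLIC;

-- Prices are read-only for this identity. Column-level SELECT keeps the
-- grant explicit; no UPDATE on product is granted at all.
GRANT SELECT (product_id, name, price) ON product TO shop_web;

-- Carts may be created, read and emptied, but only quantity is editable;
-- cart_id and product_id cannot be rewritten through this role.
GRANT SELECT, INSERT, DELETE ON cart_item TO shop_web;
GRANT UPDATE (quantity)       ON cart_item TO shop_web;

-- Effect: connected as shop_web, an UPDATE of product.price fails with a
-- permission error. The validation bug still needs fixing, but the
-- damage it can do is now bounded by this grant list.
```

Point the application's connection at shop_web and keep shop_owner for migrations and administration only; the grant list is also a convenient checklist when reviewing what a given page actually needs.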