Thanks, David, Joe, and Michael. I downloaded and read the white paper, and feel much more secure.
Dwayne

---- Original message ----
>Date: Wed, 2 Jan 2008 12:44:58 -0800
>From: "Easter, David" <[EMAIL PROTECTED]>
>Subject: Re: Remedy and SQL injection attacks
>To: [email protected]
>
>The URL for the white paper, btw, is:
>
>http://www.bmc.com/supportu/documents/40/63/84063/84063.pdf
>
>-David J. Easter
>Sr. Product Manager, Service Management Business Unit
>BMC Software, Inc.
>
>The opinions, statements, and/or suggested courses of action expressed in this E-mail do not necessarily reflect those of BMC Software, Inc. My voluntary participation in this forum is not intended to convey a role as a spokesperson, liaison or public relations representative for BMC Software, Inc.
>
>-----Original Message-----
>From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Durrant, Michael M. - ITSD
>Sent: Wednesday, January 02, 2008 12:21 PM
>To: [email protected]
>Subject: Re: Remedy and SQL injection attacks
>
>Remedy automatically "escapes" commands going to the database so SQL injection is a moot point. BMC has an excellent white paper entitled "Security Attacks and AR System" that covers SQL injection, buffer overruns, privilege elevation, etc.
>
>-----Original Message-----
>From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Dwayne Martin
>Sent: Wednesday, January 02, 2008 12:48 PM
>To: [email protected]
>Subject: Remedy and SQL injection attacks
>
>Hello Everyone,
>
>Here is an issue I have just become aware of, and am wondering how Remedy handles the danger, or if it even is a danger.
>
>It seems that if a web page accepts data input, and uses that data to query a database, the user can insert a value like:
>
>"whatever;do something nasty;--".
>
>Then if the web page uses this value to query the database, the database will actually perform the "do something nasty" command, which could be anything from dropping a table to giving somebody administrator permissions.
>
>(For a neat little cartoon illustrating this danger see: http://xkcd.com/327/.)
>
>So my question is, Does this apply to Remedy data input or queries? Suppose somebody queries a Remedy form for entries where a particular field = "whatever;do something nasty;--". Or they enter their name as "whatever;do something nasty;--"? Will the database do something nasty, or does Remedy take precautions against it, or is there no danger in the first place?
>
>Dwayne Martin
>James Madison University
>
>_______________________________________________________________________________
>UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
>Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
>
>The information contained in this email may be privileged, confidential or otherwise protected from disclosure. All persons are advised that they may face penalties under state and federal law for sharing this information with unauthorized individuals. If you received this email in error, please reply to the sender that you have received this information in error. Also, please delete this email after replying to the sender.
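As an added example (not part of the thread and not BMC's or Remedy's code), the difference the question turns on, written in Python against an in-memory SQLite table: splicing the quoted value into SQL text versus binding it as a query parameter. The table and column names are made up for the example; the input string is the one from the question.

```python
import sqlite3

# Constructed stand-in for a form's backing table; names are made up for this example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE requests (id INTEGER PRIMARY KEY, submitter TEXT)")
    conn.executemany("INSERT INTO requests (submitter) VALUES (?)", [("alice",), ("bob",)])
    conn.commit()
    return conn

# The value from the question, taken verbatim.
PAYLOAD = "whatever;do something nasty;--"

def build_unsafe_query(submitter):
    """SQL text a page would send if it spliced the value into the statement.
    The ';' ends the intended statement and '--' comments out the closing quote,
    so anything after the ';' reaches the database as a separate command."""
    return "SELECT id FROM requests WHERE submitter = '" + submitter + "'"

def safe_lookup(conn, submitter):
    """Parameterised query: the value is bound to '?' and never parsed as SQL."""
    rows = conn.execute("SELECT id FROM requests WHERE submitter = ?", (submitter,))
    return [r[0] for r in rows.fetchall()]

def safe_insert(conn, submitter):
    """Storing the same value as a name, also bound, keeps it as inert text."""
    cur = conn.execute("INSERT INTO requests (submitter) VALUES (?)", (submitter,))
    conn.commit()
    return cur.lastrowid

def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None

def demo():
    """Round trip: query with the payload, store it, query again; the table survives."""
    conn = make_db()
    before = safe_lookup(conn, PAYLOAD)   # no row carries that literal name yet
    new_id = safe_insert(conn, PAYLOAD)   # stored as plain text, id 3
    after = safe_lookup(conn, PAYLOAD)    # exactly the row just inserted
    return before, new_id, after, table_exists(conn, "requests")
```

Comparing `build_unsafe_query(PAYLOAD)` with the bound form shows why escaping or binding, not the input's content, decides whether the `;` and `--` mean anything to the database.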

