Is there a white paper (pdf / KB article / whatever) to find more
information about this snip from that white paper?

"
AR System supports these safeguards:
  CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart) programs to prevent automated attacks
  Challenge questions
  Password authentication delay for unpredictable behavior of failed passwords
  Timed lock-down mode instead of lockouts
"

-- 
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Love, then teach
Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.


On Jan 2, 2008 3:44 PM, Easter, David <[EMAIL PROTECTED]> wrote:
> The URL for the white paper, btw, is:
>
> http://www.bmc.com/supportu/documents/40/63/84063/84063.pdf
>
> -David J. Easter
> Sr. Product Manager, Service Management Business Unit
> BMC Software, Inc.
>
> The opinions, statements, and/or suggested courses of action expressed
> in this E-mail do not necessarily reflect those of BMC Software, Inc.
> My voluntary participation in this forum is not intended to convey a
> role as a spokesperson, liaison or public relations representative for
> BMC Software, Inc.
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of Dwayne Martin
> Sent: Wednesday, January 02, 2008 12:48 PM
> To: [email protected]
> Subject: Remedy and SQL injection attacks
>
> Hello Everyone,
>
> Here is an issue I have just become aware of, and am wondering how
> Remedy handles the danger, or if it even is a danger.
>
> It seems that if a web page accepts data input, and uses that data to
> query a database, the user can insert a value like:
>
> "whatever;do something nasty;--".
>
> Then if the web page uses this value to query the database, the database
> will actually perform the "do something nasty" command, which could be
> anything from dropping a table to giving somebody administrator
> permissions.
>
> (For a neat little cartoon illustrating this danger see:
> http://xkcd.com/327/.)
>
> So my question is, Does this apply to Remedy data input or queries?
> Suppose somebody queries a Remedy form for entries where a particular
> field = "whatever;do something nasty;--".  Or they enter their name as
> "whatever;do something nasty;--"?  Will the database do something nasty,
> or does Remedy take precautions against it, or is there no danger in the
> first place?
>
> Dwayne Martin
> James Madison University
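
The danger described in the original question, as an added example that is not part of the thread and says nothing about how AR System builds its own queries: the same lookup written with string concatenation and with a bound parameter. It uses Python's sqlite3 as a stand-in database; the tables, function names and input value are constructed for illustration.

```python
import sqlite3

# Constructed input with the shape quoted in the thread; the closing quote
# is added so the value breaks out of a quoted SQL string literal.
HOSTILE_NAME = "whatever'; DROP TABLE tickets; --"

def make_db():
    # Fresh in-memory database with two constructed tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE people (name TEXT);"
        "CREATE TABLE tickets (id INTEGER, summary TEXT);"
        "INSERT INTO people VALUES ('Alice');"
        "INSERT INTO tickets VALUES (1, 'printer jam');"
    )
    return conn

def table_exists(conn, table):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None

def lookup_concatenated(conn, name):
    # Vulnerable: the input becomes part of the SQL text, and
    # executescript() runs every statement found in that text.
    conn.executescript("SELECT name FROM people WHERE name = '" + name + "';")

def lookup_bound(conn, name):
    # Hardened: the SQL text is fixed; the input travels as a bound value
    # and is only ever compared as data.
    return conn.execute("SELECT name FROM people WHERE name = ?", (name,)).fetchall()

def demo():
    results = {}
    conn = make_db()
    lookup_concatenated(conn, HOSTILE_NAME)
    results["concatenated_tickets_survive"] = table_exists(conn, "tickets")
    conn = make_db()
    results["bound_rows"] = lookup_bound(conn, HOSTILE_NAME)
    conn.execute("INSERT INTO people (name) VALUES (?)", (HOSTILE_NAME,))
    results["bound_tickets_survive"] = table_exists(conn, "tickets")
    results["stored_verbatim"] = lookup_bound(conn, HOSTILE_NAME)
    return results

if __name__ == "__main__":
    print(demo())
```

With the bound parameter the value is stored and matched as an ordinary string, so entering it as a name or searching for it leaves the second table untouched.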
