cocoon-dev mailing list archives

From Geoff Howard <cocoonge...@yahoo.com>
Subject RE: A case of SQL injection
Date Tue, 05 Nov 2002 20:38:01 GMT
I just tried it.  Logging in as

Donald Ball'; DROP TABLE employee;

does exactly what you think it would.  It drops the
table, and the next time you try to log in the table
is gone and logins fail (DOH - does the hsql db get
regenerated automatically somehow?)

I have to run out but will put this in Bugzilla later.
 

This, combined with the fact that the mod-db stuff
almost forces you to reveal your actual table and
column names to the world in your request parameters,
amounts to big trouble.

Geoff

--- Torsten Curdt <tcurdt@dff.st> wrote:
> On Tue, 2002-11-05 at 19:53, Geoff Howard wrote:
> > Speaking of protecting against SQL injection - is it
> > generally known that DatabaseAuthenticatorAction.java
> > is not using PreparedStatement?  I wonder what logging
> > in as
> > Donald Ball'; DROP TABLE user_table;
> >
> > would do...?
>
> Do you mind trying it out and filing a bug in bugzilla?
> ;)
> --
> Torsten
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: cocoon-dev-unsubscribe@xml.apache.org
> For additional commands, email: cocoon-dev-help@xml.apache.org
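The contrast the thread is pointing at, as an added example that is not Cocoon's code: the string-concatenated query that a Statement-based login builds, beside the parameterized lookup a PreparedStatement gives you, where the same login string is bound as a value and can never become a second statement. Python's sqlite3 stands in for the HSQL database, and the table and column names are assumptions.

```python
import sqlite3


def make_demo_db():
    # Constructed sample data: a tiny in-memory stand-in for the
    # 'employee' table the thread says got dropped (names assumed).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (name TEXT, password TEXT)")
    conn.execute("INSERT INTO employee VALUES ('Donald Ball', 'secret')")
    conn.commit()
    return conn


def build_query_unsafe(name):
    # The pattern the thread objects to: the login name is pasted into
    # the SQL text, so a quote in the input closes the literal and the
    # rest is parsed as SQL. This only builds the string; it is not run.
    return "SELECT name FROM employee WHERE name = '" + name + "'"


def lookup_safe(conn, name):
    # PreparedStatement equivalent: '?' is bound as a value by the driver,
    # so the quote and the text after it stay inside the compared string.
    q = "SELECT name FROM employee WHERE name = ?"
    row = conn.execute(q, (name,)).fetchone()
    return row[0] if row else None


def table_exists(conn, table):
    q = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(q, (table,)).fetchone() is not None


def run_demo():
    # Returns (unsafe SQL text, legit lookup, payload lookup, table intact)
    payload = "Donald Ball'; DROP TABLE employee;"
    conn = make_demo_db()
    return (
        build_query_unsafe(payload),
        lookup_safe(conn, "Donald Ball"),
        lookup_safe(conn, payload),
        table_exists(conn, "employee"),
    )


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```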


