cocoon-dev mailing list archives

From Carl Mäsak <>
Subject A case of SQL injection
Date Mon, 04 Nov 2002 23:26:02 GMT
Hello you list people,

I joined this list just a few minutes ago in order to ask you all a
question. I have not read the archives of the list discussion, so I might
be completely off topic. In that case, sorry for my being clumsy. On the
other hand, I might be asking a very common or often discussed question.
In that case, sorry for my being redundant.

Here's the background: I administer a site in Sweden running Cocoon.
Everyone is very happy and there is, as a rule, much rejoicing. Weee.

Two days ago I was hacked by a supposedly benign person claiming to make a
nation-wide search for sites with obvious security holes. I wrote back and
thanked him, and also quickly brought down the servlet for the site.

(The guy later replied to my 'thank you' mail and gave me a proposal for a
'patch' for the hole. In my reply, I had to restrain myself a little in
order not to tell him where he could put the patch.)

Today I have been thinking about what would really patch the security
hole. What we're talking about here, by the way, is a phenomenon called
'SQL Injection', a term which should be familiar to every developer of web
applications that interface with an SQL database. If you don't know about
this security hazard, and your webapp uses SQL, you are through inaction
placing your information, and thereby your users, at the mercy of
competent (and not so competent) hackers!

I refer to the pdf

for more information. Be aware that more than simple removal of 'bad
characters' is needed in order to protect oneself fully -- ample examples
and reasons are given in the paper.

My question, finally: Could future versions of Cocoon protect against this
type of 'database rape' -- for example in the class
org.apache.cocoon.acting.DatabaseAuthenticatorAction? Would this be a
sensible place to put the protection? To me it has the immediate advantage
that I don't have to write any extra code -- no, seriously. For every
webapp that I write -- and anyone I can think of, for that matter -- this
type of protection would be necessary for a login system even to be
useful. Why not put the few if statements in DatabaseAuthenticatorAction?

Until this question is settled, I will of course have to insert some kind
of patch into my webapp. But it would be nice if such controls were done
automatically in the future.

Thank you for your attention.

// Carl Mäsak
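The protection Carl is asking for in DatabaseAuthenticatorAction amounts to never splicing user input into SQL text; the query and its parameters must travel separately (a JDBC PreparedStatement in Cocoon's case). The following is an added example, not code from the thread or from Cocoon: it uses Python's sqlite3 with a constructed in-memory user table to show the spliced-string login check beside the parameterized one, and why filtering "bad characters" is the wrong fix (a legitimate user named o'brien breaks the spliced query, while the parameterized query handles both that name and SQL syntax inside an input as plain data).

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's real user table.
    Passwords are stored in clear only to keep the demo short; store hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("carl", "s3cret"), ("o'brien", "pa55")])
    return conn


def login_concat(conn, name, password):
    """The vulnerable pattern: input is pasted into the SQL text, so the
    database cannot tell where data ends and syntax begins."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_prepared(conn, name, password):
    """Hardened pattern: placeholders in the query, values bound separately.
    Whatever the input contains is compared as a literal string."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0


def concat_breaks_on_quote(conn):
    """A real user with an apostrophe in the name cannot even log in through
    the spliced query: the quote ends the string early and the SQL is invalid.
    Stripping quotes would 'fix' this by silently renaming the user."""
    try:
        login_concat(conn, "o'brien", "pa55")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("prepared, valid user:", login_prepared(db, "o'brien", "pa55"))
    print("prepared, SQL syntax in name:", login_prepared(db, "carl' --", "x"))
    print("spliced query fails on apostrophe:", concat_breaks_on_quote(db))
```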
