mailing list archives
All the recent SQL vulnerabilities
From: dps () IO STARGATE CO UK (Duncan Simpson)
Date: Mon, 28 Feb 2000 23:17:32 +0000
Nobody has yet mentioned this yet, so I thought I might. I will refrain from
the stored procedures vs. dynamically generated SQL wars (I have used only the
SQL has identities and most of the SQL games could be stopped by using a
sharply limited indentity to query the database (column, table and database
access control is included in standard SQL). Obviously this is not a
substitute for programming it properly in the first place but could limit the
In particular the code that can be manipulated to change prices in multiple
shopping carts (ISS X-Force, 3rd of February) does not need an identity that
can change the prices. I suspect the wwwthreads code, RFP2K01 (also 3rd of
February), does not need write access for its intended results. Am I missing
something or are the database queries not doing the moral equivilent of
running everything as root and hoping the, usually sadly lacking, input
validation saves the system?
If this is completely clueless for servers and cgi programs what makes it
somehow acceptable for acessing databases which include serious access
controls? Is minimum prviledge no longer a good idea?
BTW If the answer to the question above is that the current practice is clueless then I am guilty doing it myself :-)
Next time I hopefully use mores clues and the access controls provided.
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."