mailing list archives
Re: Solved -flaws in e-business designer (eBD)
From: Valdis.Kletnieks () vt edu
Date: Tue, 20 Jun 2006 10:33:08 -0400
On Tue, 20 Jun 2006 09:51:22 +0200, Blanca Pons de Dalmases said:
This could be consider as a bug, but not as a vulnerability, since ALL
the "manager users" have a tool in eBD called SQLManager, that allows
them to send querys against the data base with no need to use SQL
Injection. The "manager users" in eBD are "application developers", and
they can create tables, modify the data, etc., they do not need to use
SQL injection to obtain this, so we can not consider this as a security
Poor thinking, security-wise. This still has a problem - if a remote attacker
can find a way to bypass the authentication and cause an SQL injection, they
can gain control, even if they can't find a way to bypass the authentication
and seize control of the SQLManager tool you provided.
If you need help in understanding why this is a problem, walk into your
boss's office and ask:
"OK, since I know you have tools to create and manage requests for stuff,
there's no problem if I create some requests myself, and trick you into signing
them to authorize doubling my salary and buying me a Porsche, right?"
After all, since he was provided a tool to manage purchase orders, it's
not a vulnerability if a fake one gets created, right? :)
Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia - http://secunia.com/