|
> Websites hosted on OS/400 are vulnerable to the > same exploits used against other web servers. > "SQL injection" is a good example; relying on user > code constructing a dynamic website not operating > system flaws. > The idea is to stick executable statements into > variables which will be used to construct webpages > and thereby run them with the authority of the web > server. Where do tales like this originate? Sending an SQL statement to an OS/400 Web Server in a variable and having it run sounds nearly absurd to me. The Web server itself definitely won't run it. Someone having Telnet or FTP access and enough authority to install programs on the server could write a CGI program or Servlet to fetch form variables and pass them to an SQL processor, but how realistic is that? Even if such a service were in place, any SQL running under the Web server user profile would have access to just about nothing, so the CGI program or Servlet would need to connect to the SQL processor with a more powerful user profile to pack any punch. I hope you'll become more informed about OS/400 Web services. Nathan.
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
