


It's not a platform-specific problem.  It's an issue with parameter
substitution, where the parm value is captured from a user prompt.  The
substituted value contains SQL code that alters the original intent of the
underlying statement.

Its effectiveness also depends on the design of the application.  The script
that was being described was an implementation of application security, not
necessarily a logon to the server.  I don't see anything in this that the
as400 is inherently immune to.  

Eric DeLong
Sally Beauty Company
MIS-Project Manager (BSG)
940-898-7863 or ext. 1863



-----Original Message-----
From: Jim Franz [mailto:franz400@xxxxxxxxxxxx]
Sent: Friday, January 30, 2004 8:50 PM
To: Midrange Systems Technical Discussion
Subject: Re: Research Project- Sources Outside the AS/400 & How these affect security


> I have to say I had doubts about this too, but Google turns up quite a few
> articles that explain the problem..

Eric - I followed through about 40 articles and never found a description
of SQL injection and AS/400 in the same sentence. The article you referenced
is all about MySQL, Win2000 server, Oracle, etc. You cannot log on to an AS400
with the script mentioned in the article. Now, if you have a windoze pc
front end web server to an AS400 back end database, you better edit
what's coming your way.
Blindly processing a web user's entry is not good. I usually replace unusual
characters with blanks, edit all numbers, etc.
Why would we edit & validate everything in our corporate apps, then
let strangers around the globe enter unedited data and commands through
our web screens?
jim
----- Original Message ----- 
From: "DeLong, Eric" <EDeLong@xxxxxxxxxxxxxxx>
To: "'Midrange Systems Technical Discussion'" <midrange-l@xxxxxxxxxxxx>
Sent: Friday, January 30, 2004 5:29 PM
Subject: RE: Research Project- Sources Outside the AS/400 & How these affect security


> Nathan,
>
> I have to say I had doubts about this too, but Google turns up quite a few
> articles that explain the problem..
> http://www.sitepoint.com/article/794/2
>
>
> Eric DeLong
> Sally Beauty Company
> MIS-Project Manager (BSG)
> 940-898-7863 or ext. 1863
>
>
>
> -----Original Message-----
> From: Nathan M. Andelin [mailto:nandel@xxxxxxxxxxxxxxxxxxx]
> Sent: Friday, January 30, 2004 4:13 PM
> To: midrange-l@xxxxxxxxxxxx
> Subject: RE: Research Project- Sources Outside the AS/400 & How these
> affect security
>
>
> > Websites hosted on OS/400 are vulnerable to the
> > same exploits used against other web servers.
> > "SQL injection" is a good example; it relies on user
> > code constructing a dynamic website, not operating
> > system flaws.
> > The idea is to stick executable statements into
> > variables which will be used to construct webpages
> > and thereby run them with the authority of the web
> > server.
>
> Where do tales like this originate?  Sending an SQL statement to an OS/400
> Web Server in a variable and having it run sounds nearly absurd to me.  The
> Web server itself definitely won't run it.
>
> Someone having Telnet or FTP access and enough authority to install programs
> on the server could write a CGI program or Servlet to fetch form variables
> and pass them to an SQL processor, but how realistic is that?
>
> Even if such a service were in place, any SQL running under the Web server
> user profile would have access to just about nothing, so the CGI program or
> Servlet would need to connect to the SQL processor with a more powerful user
> profile to pack any punch.
>
> I hope you'll become more informed about OS/400 Web services.
>
> Nathan.
>
>
>


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
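The point Eric makes about parameter substitution, worked through as an added
example that is not part of the original thread. It uses Python's built-in
sqlite3 as a stand-in for the back-end database behind a CGI or servlet front
end (the thread's AS/400 DB2 case would bind parameters the same way through
its own SQL interface); the users table and the two logins are constructed
test data. The first function splices the prompt value into the SQL text, so
a value containing SQL syntax changes what the statement does; the second
sends the same statement with parameter markers and binds the value as data.

```python
import sqlite3

# Constructed sample data (not from the thread): a small "web user" table
# standing in for the back-end database behind a web front end.
SAMPLE_USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Parameter substitution by concatenation: the prompt values become part
    of the SQL text, so quotes, OR clauses or comment markers inside them
    alter the intent of the statement."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_safe(conn, name, password):
    """Parameter markers: the statement text is fixed before the values are
    seen, and the database compares the bound values as data only."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


def demo():
    """Run the same prompt values through both versions and return results.

    The two hostile values are constructed for the demonstration:
      - a password of  ' OR '1'='1   turns the WHERE clause into
        (name = 'alice' AND password = '') OR '1'='1', true for every row;
      - a name of  bob'--  closes the quoted string and comments out the
        password check, so the row for bob matches with any password.
    """
    conn = make_db()
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "honest_safe": login_safe(conn, "alice", "s3cret"),
        "or_vulnerable": login_vulnerable(conn, "alice", "' OR '1'='1"),
        "or_safe": login_safe(conn, "alice", "' OR '1'='1"),
        "comment_vulnerable": login_vulnerable(conn, "bob'--", "wrong"),
        "comment_safe": login_safe(conn, "bob'--", "wrong"),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} -> {rows}")
```

The honest login succeeds either way. With the two hostile values, the
concatenated statement logs in every user, or bob with no password at all,
while the parameterised statement returns no rows for both. The binding does
not replace the editing of inputs Jim describes, but it is what keeps a value
typed at a web prompt from being parsed as SQL.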




This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
