Websites hosted on OS/400 are vulnerable to the same exploits used against
other web servers.
"SQL injection" is a good example; it relies on user code constructing a
dynamic website, not on operating system flaws.
The idea is to stick executable statements into variables which will be used
to construct webpages and thereby run them with the authority of the web
server.

For example:
I have a file called Names which has a key field ID and two other fields, Fname
and Lname.
My website runs an update such as this:
Update names set Lname = '<variable>', Fname = '<variable>' where ID =
<variable>

Now let's say I put in "9; drop table names;" for variable 3, while variable 1 is
"Bob" and variable 2 is "Smith".

The statement that gets executed is
Update names set Lname = 'Bob' , Fname = 'Smith' where ID = 9; drop table
names;

Some languages don't allow 2 statements at once (as in this example); but
they are still susceptible - imagine that variable 3 was "9 or ID <> 0".


Obviously, checking variables must be done server-side to prevent this;
client-side validation can be overridden by the client.





-----Original Message-----
From: Rob Phillips [mailto:niceguy420l@xxxxxxxxx] 
Sent: Wednesday, January 28, 2004 9:30 AM
To: Midrange Systems Technical Discussion
Subject: Research Project- Sources Outside the AS/400 & How these affect
security


Hi, I am looking for any published material or off-the-top-of-your-head real
world knowledge.
In as much detail as possible, to explain to the ultimate network dummy,
myself.

Put another way, for testing purposes only, if you wanted to hack an AS/400,
what would you do?

Thanks a zillion, Rob


_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx To subscribe, unsubscribe,
or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx Before posting, please take a
moment to review the archives at http://archive.midrange.com/midrange-l.
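The reply above walks through two payloads against a concatenated UPDATE: a stacked "9; drop table names;" that only works where the driver accepts several statements in one call, and a "9 or ID <> 0" tautology that works even where it does not. The script below is an added example, not code from the original post or from any OS/400 web server; it replays both payloads against the post's statement shape, then shows the server-side fix the reply calls for. It assumes an in-memory SQLite database via Python's sqlite3 module as a stand-in for the DB2 file (sqlite3.execute() happens to refuse stacked statements, which mirrors the "some languages don't allow 2 statements at once" case), and the table rows are constructed for the example.

```python
import sqlite3

# Constructed sample table, mirroring the post's Names file (ID, Fname, Lname).
# The rows are made up for this example.
SEED_ROWS = [(9, "Robert", "Smyth"), (10, "Alice", "Jones"), (11, "Carol", "White")]


def fresh_db():
    """In-memory SQLite stand-in for the DB2 file behind the post's website."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE names (ID INTEGER PRIMARY KEY, Fname TEXT, Lname TEXT)")
    con.executemany("INSERT INTO names VALUES (?, ?, ?)", SEED_ROWS)
    con.commit()
    return con


def build_vulnerable_sql(lname, fname, id_value):
    """The post's pattern: request values pasted straight into the statement text."""
    return f"Update names set Lname = '{lname}', Fname = '{fname}' where ID = {id_value}"


def update_vulnerable(con, lname, fname, id_value, allow_stacked=False):
    """Run the concatenated statement. Returns rows changed, or None for a script."""
    sql = build_vulnerable_sql(lname, fname, id_value)
    if allow_stacked:
        con.executescript(sql)  # a driver that accepts "stmt; stmt;" in one call
        con.commit()
        return None
    cur = con.execute(sql)  # sqlite3.execute() refuses more than one statement
    con.commit()
    return cur.rowcount


def update_bound(con, lname, fname, id_value):
    """Parameter markers only: values travel separately from the statement text."""
    cur = con.execute(
        "UPDATE names SET Lname = ?, Fname = ? WHERE ID = ?", (lname, fname, id_value)
    )
    con.commit()
    return cur.rowcount


def update_safe(con, lname, fname, id_value):
    """Server-side type check plus parameter markers: the hardened form."""
    try:
        id_int = int(id_value)
    except (TypeError, ValueError):
        raise ValueError("ID must be an integer")
    return update_bound(con, lname, fname, id_int)


def snapshot(con):
    """Current table contents as (ID, Fname, Lname), or None if the table is gone."""
    try:
        return con.execute("SELECT ID, Fname, Lname FROM names ORDER BY ID").fetchall()
    except sqlite3.OperationalError:
        return None


def demo():
    """Replay the post's two payloads against each variant; return what happened."""
    out = {}
    stacked = "9; drop table names;"
    tautology = "9 or ID <> 0"

    con = fresh_db()  # stacked statements allowed: the whole table is dropped
    update_vulnerable(con, "Bob", "Smith", stacked, allow_stacked=True)
    out["stacked_dropped_table"] = snapshot(con) is None

    con = fresh_db()  # single-statement driver: stacking is refused...
    try:
        update_vulnerable(con, "Bob", "Smith", stacked)
        out["stacked_refused"] = False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        out["stacked_refused"] = True
    # ...but the tautology still rewrites every row with a single statement
    out["tautology_rows"] = update_vulnerable(con, "Bob", "Smith", tautology)
    out["all_renamed"] = all(ln == "Bob" for _, _, ln in snapshot(con))

    con = fresh_db()  # bound parameter: the payload is a string that matches no ID
    out["bound_tautology_rows"] = update_bound(con, "Bob", "Smith", tautology)
    try:  # and the server-side type check rejects it outright
        update_safe(con, "Bob", "Smith", tautology)
        out["safe_rejects_tautology"] = False
    except ValueError:
        out["safe_rejects_tautology"] = True
    out["safe_rows"] = update_safe(con, "Smith", "Bob", "9")  # legitimate update
    out["safe_row9"] = snapshot(con)[0]
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points worth noticing when running it: refusing stacked statements is a property of the driver, not a defence (the tautology renames every row through the same concatenated statement), and parameter markers alone already neutralise "9 or ID <> 0" because the database compares the integer column against a literal string rather than parsing it as SQL. The explicit integer check on top of that is the server-side validation the reply recommends, and it fails closed with an error instead of silently updating nothing.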

This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].