
Nathan,

I have to say I had doubts about this too, but Google turns up quite a few
articles that explain the problem.
http://www.sitepoint.com/article/794/2


Eric DeLong
Sally Beauty Company
MIS-Project Manager (BSG)
940-898-7863 or ext. 1863



-----Original Message-----
From: Nathan M. Andelin [mailto:nandel@xxxxxxxxxxxxxxxxxxx]
Sent: Friday, January 30, 2004 4:13 PM
To: midrange-l@xxxxxxxxxxxx
Subject: RE: Research Project- Sources Outside the AS/400 & How these affect security


> Websites hosted on OS/400 are vulnerable to the
> same exploits used against other web servers.
> "SQL injection" is a good example; relying on user
> code constructing a dynamic website, not operating
> system flaws.
> The idea is to stick executable statements into
> variables which will be used to construct webpages
> and thereby run them with the authority of the web
> server.

Where do tales like this originate?  Sending an SQL statement to an OS/400
Web Server in a variable and having it run sounds nearly absurd to me.  The
Web server itself definitely won't run it.

Someone having Telnet or FTP access and enough authority to install programs
on the server could write a CGI program or Servlet to fetch form variables
and pass them to an SQL processor, but how realistic is that?

Even if such a service were in place, any SQL running under the Web server
user profile would have access to just about nothing, so the CGI program or
Servlet would need to connect to the SQL processor with a more powerful user
profile to pack any punch.

I hope you'll become more informed about OS/400 Web services.

Nathan.


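To make the mechanism the two posts are arguing about concrete, here is an added example (not code from either poster, nor from any OS/400 product) of a form-variable lookup written the way the quoted post describes, beside a parameterized version of the same query. The table, its rows and the two inputs are constructed for illustration; SQLite stands in for whatever SQL processor the CGI program or Servlet would connect to.

```python
import sqlite3

# Constructed sample data standing in for a table the web-facing program
# would query; not taken from any real system.
SAMPLE_ROWS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
]


def make_db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_dynamic(conn, form_name):
    """The pattern the quoted post describes: the form variable is spliced
    into the statement text, so whatever it contains becomes part of the SQL."""
    sql = "SELECT email FROM contacts WHERE name = '" + form_name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, form_name):
    """Hardened form: the statement text is fixed and the form variable is
    bound as a value, so it can only ever be compared against the name column."""
    sql = "SELECT email FROM contacts WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (form_name,))]


def demo():
    """Run both lookups with an ordinary name and with a value that is not a
    name at all: it closes the quoted literal and appends an always-true test."""
    conn = make_db()
    ordinary = "alice"
    crafted = "x' OR 'a'='a"
    return {
        "dynamic_ordinary": lookup_dynamic(conn, ordinary),
        "dynamic_crafted": lookup_dynamic(conn, crafted),
        "param_ordinary": lookup_parameterized(conn, ordinary),
        "param_crafted": lookup_parameterized(conn, crafted),
    }
```

The dynamic version returns every row for the crafted input while the parameterized version returns none; that difference is the whole vulnerability, and it exists regardless of the operating system. The point about running under a restricted web server profile still matters: it limits what such a query can reach, which is why the CGI program connecting with a more powerful profile is the combination to watch for.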

_______________________________________________
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
