
Yes, valid point which I already mentioned in my original post.

Just very rare for the way dynamic SQL and RPG work (or maybe how I build
my SQL.. lol, I've tested it against injection with zero success).

And no firewall, DMZ, etc is going to help ignorant programming. :)

Brad
www.bvstools.com


On Tue, Apr 23, 2013 at 3:26 PM, Raul A. Jager W. <raul@xxxxxxxxxx> wrote:

There is an easy way, use PHP, without checking the request. :-)

In RPG you can use "static SQL" or dynamic. The static will be analyzed
by the pre-compiler and translated to requests to the SQL engine. If a
char field has a SQL instruction, it will be treated as data, not executed.

With dynamic SQL you build a string and pass it to the SQL when you run
the program. If the string is built using data supplied by the user, it
is vulnerable to "SQL injection".

Bradley Stone wrote:

Does anyone have an example of manipulating data, running programs,
compromising security, etc. on a web server running on an IBM i, or is it
purely speculative (or improper setup of the Apache config file, network
mapping, programming, etc.)?

I know on other systems there are SQL exploits where you can try to pass
SQL statements into form fields but in my testing on applications (that
I've created that use SQL) I couldn't cause this issue. I've even read
recently where there are loopholes in things like Ruby on Rails, but I'm
mainly talking about CGI programs written with RPG and the pbApache server
running on the IBM i.

I'm not asking for strawman arguments. We can assume that the config file
is set up properly, the port mapping is correct, etc. I would even be
happy to provide a sample apache config file. Port 80 and/or 443 are the
only ports mapped to the i, etc.

I guess what I'm looking for, as are others I'm sure, are some examples on
how things could go wrong instead of simple speculation.

(sounds like a Friday question! hehe...)

Brad
www.bvstools.com



--
This is the Midrange Systems Technical Discussion (MIDRANGE-L) mailing list
To post a message email: MIDRANGE-L@xxxxxxxxxxxx
To subscribe, unsubscribe, or change list options,
visit: http://lists.midrange.com/mailman/listinfo/midrange-l
or email: MIDRANGE-L-request@xxxxxxxxxxxx
Before posting, please take a moment to review the archives
at http://archive.midrange.com/midrange-l.
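The static-versus-dynamic distinction Raul describes, as an added example written for this page (not code from the thread): the same customer lookup in RPG free-format embedded SQL three ways, static with a host variable, dynamic by string concatenation, and dynamic with a parameter marker. The CUSTOMERS table with CUST_ID and CUST_NAME columns, and the variable names, are assumptions.

```rpgle
**free
// Added example, not code from the thread. Assumes a table CUSTOMERS
// with columns CUST_ID (numeric) and CUST_NAME (character).
ctl-opt dftactgrp(*no);

dcl-s custName varchar(50);      // value taken from a CGI form field
dcl-s custId   packed(9:0);
dcl-s sqlStmt  varchar(512);

custName = 'ACME';               // stand-in for the web input

// 1. Static SQL: the precompiler sees :custName as a host variable.
//    Whatever the field contains is bound as data, never parsed as SQL.
exec sql select cust_id into :custId
         from customers
         where cust_name = :custName;

// 2. Dynamic SQL built by concatenation: the field's contents become
//    part of the statement text, so a quote character in the input
//    changes the statement the SQL engine prepares. This is the
//    vulnerable pattern the thread is discussing.
sqlStmt = 'select cust_id from customers where cust_name = '''
        + custName + '''';
exec sql prepare stmt1 from :sqlStmt;
exec sql declare cur1 cursor for stmt1;
exec sql open cur1;
exec sql fetch cur1 into :custId;
exec sql close cur1;

// 3. Dynamic SQL with a parameter marker: the statement text is fixed
//    and the input is supplied at OPEN time as a value, restoring the
//    data-versus-code separation that static SQL provides by default.
sqlStmt = 'select cust_id from customers where cust_name = ?';
exec sql prepare stmt2 from :sqlStmt;
exec sql declare cur2 cursor for stmt2;
exec sql open cur2 using :custName;
exec sql fetch cur2 into :custId;
exec sql close cur2;

*inlr = *on;
```

When a program must build SQL at run time (variable table or column names, optional predicates), keep user-supplied values out of the statement text and pass them through parameter markers as in case 3.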
