[Openroad-users] SQL Injection with EA Connection

Pete Rabjohns PRabjohns at atex.com
Thu Sep 13 18:28:21 EST 2007


Thanks Everyone,

I'd agree that a public feature that allowed this would be a bad idea
unless the SQL that was executed could only be controlled by a DBA or
someone with the right privileges.

Paul, we use something similar already in the application to set other
session attributes, but the problem is that the gateway itself also
issues SQL, so any security settings before you set the application role
would need to include the necessary gateway tables.

As the request is to prototype a security solution I was looking for a
nice easy way of running the command at the right time - which is before
the gateway issues any other SQL. If we have to do it later on, it makes
more tables visible to 'public' users and just makes the configuration a
little more complex.

The ING_SET seems to do more or less what I want for now anyway.

Regards,

Pete



-----Original Message-----
From: openroad-users-bounces at peerlessit.com
[mailto:openroad-users-bounces at peerlessit.com] On Behalf Of Paul White
Sent: 12 September 2007 22:30
To: International OpenROAD Users
Subject: Re: [Openroad-users] SQL Injection with EA Connection

Hi Chris,
I'd vote against any changes which allow SQL to be injected outside of
control of the application. Some of our apps provide a window to the
database which allows the user to freely type SQL and OpenROAD commands
for running offline. These functions are released to specific users and
are fully audited.


I suppose you could issue a sp_setapprole inside direct execute
immediate.


We modify session characteristics with direct execute like this:

    /* Ask the DBMS which server class this session is connected to */
    select :Lv_ServerClass = ifnull(dbmsinfo('Server_Class'),'');
    inquire_sql (Li_RtnStatus = errorno, Lv_Msg = errortext);

    if Li_RtnStatus <> 0 then
        Lv_Msg = 'Error determining server class. Error=' + Lv_Msg;
    elseif Lv_ServerClass = 'MSSQL' then
        /* Host-specific SQL is passed straight through with
           direct execute immediate, one statement per call */
        direct execute immediate 'SET TRANSACTION ISOLATION LEVEL READ UNCOMMITTED';
        commit;
        direct execute immediate 'SET LOCK_TIMEOUT 10000';
        commit;
        direct execute immediate 'SET XACT_ABORT ON';
        commit;
    elseif Lv_ServerClass = 'Ingres DBMS Server' then
        /* Native Ingres statement, no pass-through wrapper needed */
        set lockmode session where readlock = nolock, timeout = 10;
        commit;
    else
        /* (remaining branch cut off in the archived message) */
    endif;
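To make concrete what Paul's sp_setapprole suggestion and Pete's gateway-table concern mean on the SQL Server side, here is an added T-SQL sketch. It is not from the thread or from OpenROAD/Enterprise Access; app_connect, app_role, dbo.gw_catalog and dbo.orders are placeholder names, and dbo.gw_catalog stands in for whatever tables the gateway itself reads at connect time.

```sql
-- Added example, not part of the original thread. All object names are
-- placeholders; dbo.gw_catalog represents the tables Enterprise Access
-- touches before the application gets control.

-- 1. The login the gateway connects with maps to a deliberately weak user.
CREATE USER app_connect FOR LOGIN app_connect;

-- Until sp_setapprole runs, the session only has this user's rights.
-- Anything the gateway reads at connect time must therefore be granted
-- here, which is exactly the set Pete wants to keep as small as possible:
-- every table added here is readable by anyone holding the login.
GRANT SELECT ON dbo.gw_catalog TO app_connect;

-- 2. The real data privileges live on the application role, not the user.
CREATE APPLICATION ROLE app_role WITH PASSWORD = '<placeholder-password>';
GRANT SELECT, INSERT, UPDATE ON dbo.orders TO app_role;

-- 3. This is the statement the OpenROAD side would send through
--    direct execute immediate once the gateway has finished its own SQL.
--    Once it succeeds, the session's permissions are those of app_role;
--    the connecting user's own grants no longer apply for this session.
EXEC sp_setapprole @rolename = 'app_role', @password = '<placeholder-password>';

-- Sanity check after activation: USER_NAME() reports the role, not the login.
SELECT USER_NAME() AS effective_principal;

-- Negative check for the ordering problem discussed in the thread: if the
-- gateway's connect-time reads were issued *after* this point they would
-- run as app_role, so app_role, not app_connect, would need the grant on
-- dbo.gw_catalog. Run this as app_connect before activation to see what
-- the pre-role session can reach.
SELECT HAS_PERMS_BY_NAME('dbo.gw_catalog', 'OBJECT', 'SELECT') AS can_read_gw_catalog;
```

The role password has to be available to the client, so this scheme protects the data against someone connecting with the gateway login from an ad hoc tool, not against someone who extracts the password from the application itself; it is the reason the thread's objection to a freely injectable "run this SQL at connect" hook still stands.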



-----Original Message-----
From: openroad-users-bounces at peerlessit.com
[mailto:openroad-users-bounces at peerlessit.com] On Behalf Of Chris Clark
Sent: Thursday, 13 September 2007 3:14 AM
To: International OpenROAD Users
Subject: Re: [Openroad-users] SQL Injection with EA Connection

Pete Rabjohns wrote:
>
> Does anyone know of any back door methods to inject some SQL into a
> database connection initiated by Enterprise Access before it does any
> of its own SQL, or even afterwards.
>

No :-( May be a good feature request.

> , but before it returns control to the OpenROAD application?
>

This could be done with good old ING_SET, so the SQL would be run before
OpenROAD gives control to frames/scripts. If it is host-specific SQL you
would probably need to wrap it in Direct Execute Immediate 'HOST SQL'.

Modifying the application would be the more straight forward option
though.

Hope that helps,

Chris

________________________________________________________________
OpenROAD-Users mailing list

You can maintain your subscription here:
http://www.peerlessit.com/mailman/listinfo/openroad-users

To unsubscribe click on this link
mailto:openroad-users-unsubscribe at peerlessit.com&subject=unsubscribe

To subscribe click on this link
mailto:openroad-users-subscribe at peerlessit.com&subject=subscribe