[ic] IC Security Issue. -- Searching
Kevin Walsh
kevin at cursor.biz
Fri May 6 18:31:32 EDT 2005
john [ic at uc9.net] wrote:
> I do see
> from the docs, that I can set a hidden field of a SQL query. Is that not
> insecure? I realize that SAFE prevents someone from doing a delete or
> update. But why could someone not do a "select * from userdb" or even
> worse "select username as sku,password as comment from ..." that would
> fill the search page with the passwords.
>
> Does anyone see a way around this? Is this a bug?
>
If you can make that happen then it's a security bug. :-)
In theory, tables listed in the NoSearch list (userdb by default)
should be trapped. Please let me know off-list if (and how) you manage
to get a password list from a URI-based search and I'll get right on it.
--
_/ _/ _/_/_/_/ _/ _/ _/_/_/ _/ _/
_/_/_/ _/_/ _/ _/ _/ _/_/ _/ K e v i n W a l s h
_/ _/ _/ _/ _/ _/ _/ _/_/ kevin at cursor.biz
_/ _/ _/_/_/_/ _/ _/_/_/ _/ _/
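The reply above relies on a NoSearch-style list of protected tables being trapped before a URI-supplied query runs. The following is an added illustration of that check, not Interchange's own code or configuration: it assumes a hypothetical deny list (`NO_SEARCH`, containing `userdb` as the thread's default) and generic SQL, and it shows why the column-aliasing trick from the question ("select username as sku, password as comment from ...") does not get past a check that looks at identifier tokens rather than at the selected column names. Quoted identifiers and mixed case are normalised so they cannot be used to hide a protected table name; string literals are discarded first so that a value like `'userdb'` in a WHERE clause is not confused with an identifier.

```python
import re

# Constructed deny list modelled on the NoSearch idea from the thread.
# Hypothetical: not Interchange's own configuration or code.
NO_SEARCH = {"userdb"}

# Single-quoted SQL string literals, with '' as the escaped quote.
_STRING_LITERAL = re.compile(r"'(?:[^']|'')*'")

# Bare identifiers plus the common quoting styles ("x", `x`, [x]).
_IDENTIFIER = re.compile(
    r'"([^"]+)"|`([^`]+)`|\[([^\]]+)\]|([A-Za-z_][A-Za-z0-9_]*)'
)


def referenced_identifiers(sql):
    """Return the set of lower-cased identifier tokens in a query.

    String literals are blanked out first so their contents are not
    mistaken for identifiers; quoted identifiers are unwrapped so quoting
    or case changes cannot disguise a table name.
    """
    stripped = _STRING_LITERAL.sub("''", sql)
    names = set()
    for match in _IDENTIFIER.finditer(stripped):
        # Exactly one alternative group matched; take its text.
        name = next(g for g in match.groups() if g is not None)
        names.add(name.strip().lower())
    return names


def is_search_allowed(sql, no_search=NO_SEARCH):
    """Reject a user-supplied search query that names a protected table.

    The check is on identifier tokens, not on the SELECT list, so aliasing
    columns (username AS sku) changes nothing: the FROM clause still has
    to name the table. If a protected name appears anywhere as an
    identifier the query is refused; erring toward rejection is the safe
    direction for a deny list.
    """
    protected = {n.lower() for n in no_search}
    return referenced_identifiers(sql).isdisjoint(protected)


if __name__ == "__main__":
    # Constructed sample queries, the last three taken from the shape of
    # the attempts described in the thread.
    samples = [
        "select sku, price from products where sku = 'userdb'",
        "select * from userdb",
        'select username as sku, password as comment from "UserDB"',
        "select p.sku from products p join userdb u on u.id = p.owner",
    ]
    for q in samples:
        print("allowed" if is_search_allowed(q) else "REJECTED", "|", q)
```

A deny list like this only protects the tables someone remembered to list; an allow list of the tables a public search is meant to touch (products, categories and the like) fails closed when a new sensitive table is added and is the stronger default for URI-driven queries.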