Full Disclosure mailing list archives
Re: Solved -flaws in e-business designer (eBD)
From: Valdis.Kletnieks () vt edu
Date: Tue, 20 Jun 2006 10:33:08 -0400
On Tue, 20 Jun 2006 09:51:22 +0200, Blanca Pons de Dalmases said:
> This could be considered a bug, but not a vulnerability, since ALL the "manager users" have a tool in eBD called SQLManager that allows them to send queries against the database with no need to use SQL injection. The "manager users" in eBD are "application developers", and they can create tables, modify the data, etc.; they do not need to use SQL injection to obtain this, so we cannot consider this a security vulnerability.
Poor thinking, security-wise. This still has a problem - if a remote attacker can find a way to bypass the authentication and cause an SQL injection, they can gain control, even if they can't find a way to bypass the authentication and seize control of the SQLManager tool you provided. If you need help in understanding why this is a problem, walk into your boss's office and ask: "OK, since I know you have tools to create and manage requests for stuff, there's no problem if I create some requests myself, and trick you into signing them to authorize doubling my salary and buying me a Porsche, right?" After all, since he was provided a tool to manage purchase orders, it's not a vulnerability if a fake one gets created, right? :)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
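The point Valdis is making, as an added example that is not part of the original thread and is not eBD's code: a legitimate SQL console gated behind manager authentication does not make an injection in an unauthenticated page harmless, because the injection hands an anonymous visitor the same capability without passing the gate. The table, users, session handling and the two search handlers below are all hypothetical and constructed for the demonstration; only the in-memory sqlite3 database is real.

```python
"""Constructed demonstration (not eBD's code): an unauthenticated SQL
injection is a vulnerability even when authenticated managers already
have a legitimate SQL console, because it removes the authentication
step that the console enforces.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(name TEXT, password TEXT, role TEXT);
        INSERT INTO users VALUES ('alice', 's3cret',  'manager');
        INSERT INTO users VALUES ('bob',   'hunter2', 'customer');
        CREATE TABLE products(id INTEGER, title TEXT);
        INSERT INTO products VALUES (1, 'Widget');
        INSERT INTO products VALUES (2, 'Gadget');
        """
    )
    return conn


def sql_manager(conn: sqlite3.Connection, session: dict, query: str) -> list:
    """Hypothetical stand-in for the 'SQLManager' tool: runs arbitrary SQL,
    but only for a session that has already authenticated as a manager."""
    if session.get("role") != "manager":
        raise PermissionError("SQLManager requires an authenticated manager")
    return conn.execute(query).fetchall()


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Public product search; no login required. Builds the query by
    string concatenation, so the visitor's input becomes SQL."""
    sql = f"SELECT title FROM products WHERE title LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_fixed(conn: sqlite3.Connection, term: str) -> list:
    """Same feature with a bound parameter: the input is data, never SQL."""
    return conn.execute(
        "SELECT title FROM products WHERE title LIKE ?", (f"%{term}%",)
    ).fetchall()


def demo() -> tuple:
    """Run the three cases and return (manager_refused, leaked_rows, safe_rows)."""
    conn = make_db()
    anonymous: dict = {}  # no session at all: a remote, unauthenticated visitor

    # The legitimate tool correctly refuses the anonymous visitor.
    try:
        sql_manager(conn, anonymous, "SELECT name, password FROM users")
        manager_refused = False
    except PermissionError:
        manager_refused = True

    # The same credentials come out of the public search page via injection,
    # with no authentication step in the way (payload constructed here).
    payload = "' UNION SELECT name || ':' || password FROM users --"
    leaked = search_vulnerable(conn, payload)

    # With a bound parameter the payload is just an odd search term.
    safe = search_fixed(conn, payload)
    return manager_refused, leaked, safe


if __name__ == "__main__":
    refused, leaked, safe = demo()
    print("SQLManager refused anonymous user:", refused)
    print("Rows leaked through public search:", leaked)
    print("Rows from parameterised search:   ", safe)
```

The hardened handler changes only how the query is built, not the feature, which is the fix the thread is asking for: the authorisation check on the console stays where it is, and the public page stops offering an unauthenticated route around it.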
Current thread:
- Solved -Several flaws in e-business designer (eBD) Blanca Pons de Dalmases (Jun 16)
- Re: Solved -Several flaws in e-business designer (eBD) Joxean Koret (Jun 16)
- Re: Solved -flaws in e-business designer (eBD) Blanca Pons de Dalmases (Jun 20)
- Re: Solved -flaws in e-business designer (eBD) Joxean Koret (Jun 20)
- scammers paradise (big useless rant) Cardoso (Jun 20)
- Re: Solved -flaws in e-business designer (eBD) Valdis . Kletnieks (Jun 20)
- Re: Solved -flaws in e-business designer (eBD) Blanca Pons de Dalmases (Jun 20)
- Re: Solved -Several flaws in e-business designer (eBD) Joxean Koret (Jun 16)