Bugtraq mailing list archives

web.sql vulnerability


From: aleph1 () DFW NET (Aleph One)
Date: Fri, 3 Oct 1997 10:21:54 -0500


---------- Forwarded message ----------
Subject: Re: web.sql Alternatives (was Re: web.sql for Netscape Enterprise Server 3.01)
From: bjepson () ids net (Brian Jepson)
Date: Wed, 1 Oct 1997 14:29:51 -0700
Message-ID: <slrn635g69.s8f.bjepson () Sol2-5 ids net>
Newsgroups: comp.databases.sybase


In article <60u5nn$k7c () svna0001 clipper ssb com>, Daniel Pasto wrote:
> Brian Jepson (bjepson () ids net) wrote:
>> One reason to beware of web.sql is that there is a huge security hole in
>> it - I have reported it to both CERT and Sybase. It basically allows
>> attackers to execute arbitrary Perl (and of course system) code by passing
>> a "funny" URL to a .hts file. After I reported this to Sybase, they put in
>> a pseudo-fix that only deflected the exact attack I used to illustrate the
>> hole to them, which is kind of weird.
>
> Please give some details.  At least: is this a problem with WebSQL NSAPI
> installations or just CGI (I don't allow CGI access to WebSQL)?
>
> Dan

Dan,

This is only a problem with web.sql NSAPI. I'm sorry I omitted this detail,
but I'm naturally hesitant to release a lot of details about this. At the
time I discovered the hole, it did not manifest itself with web.sql under CGI.

I'll get in touch with the person at Sybase who I brought this up to
back in July, and see if there's been any progress on it.

FWIW, I did some benchmarks over a year ago that indicated that web.sql
with CGI is very, very slow. If you're going with CGI, you are much better
off with Sybperl.

Regards,

 --
Brian Jepson * (bjepson () ids net) * http://users.ids.net/~bjepson


