Casemaster Technology

Important Security Upgrade

8/9/2014

We have patched a potentially serious security error which, under very specific circumstances, allows SQL injection.

The cause of the problem has been sorted out and extensively tested, and the fix is now available in the latest zX.dll library. It is important that you obtain and install the latest version as soon as possible.

The problem would occur when loading a BO context entry in a logic block / method by group. The where clause would be something like:

:branch=#qs.-branch

Where the branch attribute is numeric (e.g. a long integer).

In this very specific case, the system did not correctly test the datatype of the right-hand side of the condition. Imagine #qs.-branch had the value

12; delete from zXUsrPrf;

and that the ODBC / OLE driver allowed multiple statements....

The code that tests for the appropriate datatype of the right-hand side (or the left-hand side, in the case of a where clause such as :#qs.-branch=branch) has been fixed.
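As an added illustration (not code from zX.dll or CaseMaster), the following Python sketch shows the kind of datatype check the fix describes: a value substituted for a numeric attribute is rejected unless it is actually numeric, and the accepted value is passed as a bind parameter rather than pasted into the SQL text. The in-memory SQLite table, the attribute names, NUMERIC_RE, resolve_value and build_condition are all assumptions for the demonstration.

```python
import re
import sqlite3

# Constructed demonstration, not CaseMaster code. A where clause such as
# ":branch=#qs.-branch" resolves #qs.-branch to a request value. When the
# attribute is numeric (a long integer), the resolved value must itself be
# numeric; otherwise the resolved text becomes part of the SQL statement.
# The same check applies whichever side of the condition carries the value.

NUMERIC_RE = re.compile(r"^[+-]?\d+$")  # assumed rule for long-integer attributes


def resolve_value(raw, attr_type):
    """Return the value to bind for attr_type, or raise if it does not fit."""
    if attr_type == "long":
        if not NUMERIC_RE.match(raw.strip()):
            raise ValueError(f"non-numeric value for long attribute: {raw!r}")
        return int(raw)
    return raw  # other types are still bound as parameters, never concatenated


def unchecked_condition(attr, raw):
    """The pre-fix behaviour the post describes: raw text pasted into the SQL."""
    return f"{attr} = {raw}"


def build_condition(attr, attr_type, raw):
    """Hardened form: type-check first, then emit a bind parameter."""
    return f"{attr} = ?", (resolve_value(raw, attr_type),)


def run_demo():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE zXUsrPrf (id INTEGER, branch INTEGER)")
    con.executemany("INSERT INTO zXUsrPrf VALUES (?, ?)", [(1, 12), (2, 13)])
    payload = "12; delete from zXUsrPrf;"  # the value quoted in the post
    # Unchecked: the produced SQL text now carries a second statement.
    unchecked_sql = unchecked_condition("branch", payload)
    # Hardened: the datatype check rejects the payload before any SQL is built.
    try:
        build_condition("branch", "long", payload)
        rejected = False
    except ValueError:
        rejected = True
    where, params = build_condition("branch", "long", "12")
    rows = con.execute(f"SELECT id FROM zXUsrPrf WHERE {where}", params).fetchall()
    remaining = con.execute("SELECT COUNT(*) FROM zXUsrPrf").fetchone()[0]
    return {"unchecked_sql": unchecked_sql, "rejected": rejected,
            "rows": rows, "remaining": remaining}
```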

Happy gate-keeping!
