We have patched a potential serious security error which, under very specific circumstances, allow SQL Injection.
The cause of the problem has been sorted and extensively tested ans is now available in the latest zX.dll library, It is important that you obtain and install the latest version as soon as possible.
The cause of the problem has been sorted and extensively tested ans is now available in the latest zX.dll library, It is important that you obtain and install the latest version as soon as possible.
The problem would occur when loading a BO context entry in a logic block / method by group. The where clause would be something like:
:branch=#qs.-branch
Where the branch attribute is numeric (e.g. a long integer).
In this very specific case, the system did not test correctly for the datatype of the right-hand-side of he condition. Imagine #qs.-branch had the value
12; delete from zXUsrPrf;
and that the ODBC / OLE driver would allow multiple statements....
The code that tests for the appropriate datatype of the right-hand-side (or left-hand-side in case of a where clause such as :#qs.-branch=branch) has been fixed.
Happy gate-keeping!
:branch=#qs.-branch
Where the branch attribute is numeric (e.g. a long integer).
In this very specific case, the system did not test correctly for the datatype of the right-hand-side of he condition. Imagine #qs.-branch had the value
12; delete from zXUsrPrf;
and that the ODBC / OLE driver would allow multiple statements....
The code that tests for the appropriate datatype of the right-hand-side (or left-hand-side in case of a where clause such as :#qs.-branch=branch) has been fixed.
Happy gate-keeping!
RSS Feed
