In article <60u5nn$k7c@svna0001.clipper.ssb.com>, Daniel Pasto wrote:
>Brian Jepson (bjepson@ids.net) wrote:
>> One reason to beware of web.sql is that there is a huge security hole in
>> it - I have reported it to both CERT and Sybase. It basically allows
>> attackers to execute arbitrary Perl (and of course system) code by passing
>> a "funny" URL to a .hts file. After I reported this to Sybase, they put in
>> a pseudo-fix that only deflected the exact attack I used to illustrate the
>> hole to them, which is kind of weird.
>
>Please give some details. At least: is this a problem with WebSQL NSAPI
>installations or just CGI (I don't allow CGI access to WebSQL)?
>
>Dan

Dan,
This is only a problem with web.sql NSAPI. I'm sorry I omitted this detail,
but I'm naturally hesitant to release a lot of details about this. At the
time I discovered the hole, it did not manifest itself with web.sql under CGI.
I'll get in touch with the person at Sybase who I brought this up to
back in July, and see if there's been any progress on it.

FWIW, I did some benchmarks over a year ago that indicated that web.sql
with CGI is very, very slow. If you're going with CGI, you are much better
off with Sybperl.

Regards,

--
Brian Jepson * (bjepson@ids.net) * http://users.ids.net/~bjepson