[Gnumed-devel] Re: SQL injection exploits... are we vulnerable?
From: Karsten Hilbert
Subject: [Gnumed-devel] Re: SQL injection exploits... are we vulnerable?
Date: Sun, 15 Apr 2007 20:05:26 +0200
User-agent: Mutt/1.5.13 (2006-08-11)
Hi Jim,
On Sun, Apr 15, 2007 at 10:19:34AM -0700, Jim Busser wrote:
> The vulnerabilities of SQL injection re getting some extra discussion
> lately, maybe only a "bump" in a known vulnerability on account of
> browser-based cross-site scripting attacks.
Yes, an attack known to and recognized by the GNUmed
developers.
Some factoids:
- injection attacks only happen if the values are sent in-the-query,
  as opposed to alongside the query for the server to handle
  - which psycopg2 (our database library) does, but will change in
    the future, at which point GNUmed will gain that extra security
    transparently
- injection attacks only happen on wrongly escaped/unescaped values
  put into queries
  - which GNUmed does not do; rather, it hands *all* values to
    psycopg2, which does proper escaping (and thereby sanitizing)
So, barring bugs in psycopg2's quoting/escaping algorithm, we
aren't vulnerable. And we will transparently become entirely
invulnerable once psycopg2 starts sending values
out-of-query instead of escaping them into the query.
IOW, we did take due action to minimize the risk.
Thanks for the inquiry, though.
Karsten
--
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD 4537 78B9 A9F9 E407 1346
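The two patterns Karsten contrasts above (values interpolated into the query text versus values handed to the database library as parameters) can be shown side by side. The following is an added example and is not GNUmed or psycopg2 code; it uses Python's bundled sqlite3 module as a stand-in DB-API driver (an assumption made so it runs offline; psycopg2 uses `%s` placeholders where sqlite3 uses `?`), and the patient table and names are constructed sample data.

```python
import sqlite3

# Constructed sample rows (not from the GNUmed schema). The third name
# carries a legitimate apostrophe, which is exactly the kind of value
# that breaks naive interpolation even without any malicious intent.
PATIENTS = [("Smith", "1970-01-01"), ("Jones", "1980-05-05"), ("O'Brien", "1965-09-09")]


def make_db():
    """Create an in-memory database with the constructed patient table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patient (lastname TEXT, dob TEXT)")
    # Parameter binding is used here too: the driver, not the caller, handles quoting.
    conn.executemany("INSERT INTO patient VALUES (?, ?)", PATIENTS)
    return conn


def find_unsafe(conn, lastname):
    """The 'in-the-query' pattern: the value becomes part of the SQL text.

    The server receives one string and cannot tell where data ends and
    code begins, so a quote character in the value changes the query.
    """
    sql = "SELECT lastname FROM patient WHERE lastname = '%s'" % lastname
    return [row[0] for row in conn.execute(sql)]


def find_safe(conn, lastname):
    """The 'alongside the query' pattern GNUmed relies on: the value is
    passed to the driver as a parameter and never spliced into the SQL.

    sqlite3 uses '?' placeholders; psycopg2 uses '%s' with the same
    calling convention, execute(sql, (value,)).
    """
    sql = "SELECT lastname FROM patient WHERE lastname = ?"
    return [row[0] for row in conn.execute(sql, (lastname,))]


def unsafe_query_fails(conn, lastname):
    """True if interpolating this value yields malformed SQL (a syntax
    error on ordinary input is the first visible symptom of the unsafe
    pattern, and a useful thing to grep application logs for)."""
    try:
        find_unsafe(conn, lastname)
        return False
    except sqlite3.OperationalError:
        return True


# A constructed value containing a quote; with interpolation it widens the
# WHERE clause to match every row, with parameter binding it matches none.
PROBE = "x' OR 'a'='a"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, probe value :", find_unsafe(db, PROBE))
    print("safe,   probe value :", find_safe(db, PROBE))
    print("safe,   O'Brien     :", find_safe(db, "O'Brien"))
    print("unsafe, O'Brien fails:", unsafe_query_fails(db, "O'Brien"))
```

The parameterized version is correct on both counts Karsten raises: the probe value returns no rows, and a name containing an apostrophe is found without error, because the driver escapes it. With psycopg2, `cursor.mogrify(sql, params)` returns the escaped query text it would send, which is a convenient way to review what the client-side quoting actually produces.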