RAM Error page DB SQL injection
We have a defect right now; it says that the page
ram/error/error.jsp
will cause a SQL injection problem.
Hence, I want to confirm the following things:
1) When it shows the RAM error page, will RAM save any data into the RAM DB?
2) If yes, how can we fix the SQL injection problem by preventing users from inserting any data to attack the RAM DB?
Thanks.
5 answers
On 6/10/2011 4:38 AM, pantian wrote:
Did you get an error stating that an actual SQL injection had occurred?
Or just that this request could cause one if it had been processed?
What exactly was the error message?
If we detect a possible SQL injection then we don't allow it to proceed.
--
Rich Kulp
Rational Asset Manager developer
Rich,
The defect content we got is like this; our tester used AppScan to find this problem:
being logged in as
appscan modified a post request from
POST /.../ram/error/error.faces
~~~~~~~~cut text~~~~~~~~~~
Content-Type: application/x-www-form-urlencoded
Referer: https://.../ram/error/error.jsp
reqForm%3AreqComments=1234&reqForm%3AokButton=OK&reqForm%3AcancelButton=Cancel&origin=&reqForm=reqForm
to
POST /.../ram/error/error.faces
~~~~~~~~cut text~~~~~~~~~~
Content-Type: application/x-www-form-urlencoded
Referer: https://.../ram/error/error.jsp
reqForm%3AreqComments=1234%27+and+%27f%27%3D%27f&reqForm%3AokButton=OK&reqForm%3AcancelButton=Cancel&origin=&reqForm=reqForm
Set parameter 'reqForm:reqComments's value to '1234%27+and+%27f%27%3D%27f'
Could you please ensure that the appended value WAS NOT added to a SQL query?
This "attack" can be launched against the following parameter on the post request:
reqForm:reqComments
reqForm:okButton
reqForm:cancelButton
reqForm
origin
Do you think we will never get SQL injection passed into our system because your side will not stop its process? Thanks.
On 6/10/2011 10:53 PM, pantian wrote:
Hi,
Don't solely rely on Appscan. What Appscan does is show potential
problems. Appscan is a great useful tool, but it knows nothing about the
internal coding.
For instance, we don't put any user values into SQL except as parameter
values in prepared statements, which are not susceptible to SQL injection.
We run Appscan regularly on each release to find new potential exposures
and we fix them. But Appscan returns many "exposures" that are not
really exposures and should be ignored. And only the developers know if
the answer is a real exposure or not.
It's like a doctor doing a full-body MRI. In practically everyone the
MRI will show multiple suspicious spots. It is up to the trained doctors
to know which are false positives and which are real.
--
Rich Kulp
Rational Asset Manager developer
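To make the prepared-statement point concrete, here is an added example (not RAM's code) that decodes the modified form body quoted in the thread and runs it against a throwaway SQLite table in two ways: spliced into the SQL string, and bound as a parameter. The table, its rows, and the false-condition twin of the probe (`'f'='g`) are assumptions made for the example.

```python
import sqlite3
from urllib.parse import parse_qs

# Constructed copy of the modified form body quoted in the thread (URL-encoded).
MODIFIED_BODY = ("reqForm%3AreqComments=1234%27+and+%27f%27%3D%27f"
                 "&reqForm%3AokButton=OK&reqForm%3AcancelButton=Cancel"
                 "&origin=&reqForm=reqForm")

def decode_comment(body):
    """Decode the body as the servlet container would; return reqForm:reqComments."""
    return parse_qs(body, keep_blank_values=True)["reqForm:reqComments"][0]

def make_db():
    """Throwaway in-memory table (assumed) standing in for any lookup by comment."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE error_reports (id INTEGER PRIMARY KEY, comment TEXT)")
    conn.executemany("INSERT INTO error_reports (comment) VALUES (?)",
                     [("1234",), ("user note",)])
    return conn

def find_concatenated(conn, comment):
    """Injectable pattern: the user value becomes part of the SQL text."""
    sql = "SELECT id FROM error_reports WHERE comment = '" + comment + "'"
    return [row[0] for row in conn.execute(sql)]

def find_parameterized(conn, comment):
    """Prepared-statement pattern (what Rich describes): the value is bound, never parsed."""
    sql = "SELECT id FROM error_reports WHERE comment = ?"
    return [row[0] for row in conn.execute(sql, (comment,))]

def probe_is_injectable(finder):
    """Replay the scanner's own check: the same prefix with a true and a false
    tautology. If the two result sets differ, the value reached the SQL parser.
    The false-condition twin ('f'='g') is assumed; the thread quotes only the true one."""
    conn = make_db()
    true_probe = decode_comment(MODIFIED_BODY)   # 1234' and 'f'='f
    false_probe = true_probe[:-1] + "g"          # 1234' and 'f'='g
    return finder(conn, true_probe) != finder(conn, false_probe)

if __name__ == "__main__":
    print("concatenated query injectable:", probe_is_injectable(find_concatenated))   # True
    print("parameterized query injectable:", probe_is_injectable(find_parameterized))  # False
```

With the bound parameter, both probes are searched for as literal strings and match nothing, so the scanner sees no behavioural difference; only the page reflecting the input back is left to trigger the warning.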
There is not an SQL injection problem on the error page. RAM has been through a very thorough security audit and no SQL injection issues have been found.
The error page (especially in earlier versions of RAM) was prone to producing false positives in AppScan. This is because the error page may display back some of the invalid input, such as "'xyz' is not valid input for the field 'name'". The information is never stored in the database, but when AppScan sees the text it entered reflected in the page it raises the warning so that a human can investigate whether or not there is an issue.
If you want to reduce these false positives, there are some additional security settings you should enable in RAM. Navigate to the advanced configuration page located at https://<server>/ram/admin/repository/advancedConfiguration.faces and uncheck both 'Display stack trace information on the Rational Asset Manager error page.' and 'Display detailed error messages on the Rational Asset Manager error page.' under the 'Logs' section. Unchecking these tells RAM to display a generic error message on the error page and only print detailed information in the logs. This is the default behavior in 7.5.0.2.
There are some additional options you may wish to enable under the 'Security' section on the advanced configuration page that allow you to disable JavaScript in rich text fields and display warning messages when a user downloads a file.