• [Security] SQL Injection

  • We tried to make OpenKM as intuitive as possible, but an advice is always welcome.
 #4784  by mribeiro
 
Hi.

Is OpenKM protected against SQL Injection? Even in the queries that are in the XML?
 #4796  by pavila
 
XPath queries can't modify anything. And with respect to SQL queries, well, we try to make OpenKM as secure as possible, but if you detect any security risk, please notify us!
 #4807  by mribeiro
 
I was talking about this one:
Code:
<module-option name="principalsQuery">select usr_pass as PASSWD from users where usr_id=?</module-option>
I mean, when I'm logging in, if I inject SQL, will the attack be successful?
 #4811  by pavila
 
This is related to the JBoss JAAS configuration. If you have problems with this you should try a JBoss forum.
 #4819  by jllort
 
Have you tried to make some injection there? As Paco said, it is a JBoss module, not OpenKM; probably they open the connection internally as read-only, but you must ask the question in the JBoss forum.

It would be very strange for you to discover this bug in JBoss version 4.x when nobody detected it in older versions, but everything is possible. Really, if you've discovered a security bug, the JBoss team will be pleased if you inform them about it.
 #4820  by mribeiro
 
I haven't discovered anything...
I'm using OKM in my school's final project and my teacher is always asking "are you sure this is safe?" "are you sure there are no major bugs or security faults?" yada yada yada...

So I just asked the question because he didn't like to see the query there because, according to him, it is awfully insecure...
 #4823  by jllort
 
I'll be clearer. Only the administrator can access login-config.xml... in which scenario do you think the administrator wants to hack himself? I think it makes no sense... this machine has access to some database, the administrator has grants to connect from this computer; they don't need to change jboss-login.xml, they already have grants directly on the database.

SQL injection is something different. The normal scenario is the web (or other kinds of applications, but the idea is the same): some web form collects data (field_X) that's used in a second form as part of a query, such as:
Code:
select * from table where table_row = $field_X  -- here SQL injection is possible
but if programmers write the queries correctly, like:
Code:
PreparedStatement ps = conn.prepareStatement("select * from table where table_row = ?");
ps.setString(1, fieldX);
then the injection is not possible.

OpenKM is more secure than you think, and all operations made in the repository are logged (we comply fully with the Spanish data protection law); every operation from the moment a user logs in until they log out is fully registered. But if you want a high security level, first you must configure connections as HTTPS to prevent sniffers on the network...

90% of security problems come from a bad password policy; if you test a brute force attack at your school you'll probably be surprised by the results (depending on whether or not there are some password restrictions... it's a good idea to enforce some mandatory patterns for passwords). Really, for version 5.0 we'll implement some externally configurable password pattern validators in accordance with some ISO standard.

There's no totally secure system, but some minor good practices make it less accessible. I've been working in computing for 14 years, I've been on both sides; hacking a system is not as easy as it sometimes looks in the cinema, but having bad practices is really easy: the typical post-it on the screen with user and password, etc... sometimes I remember a phrase from one of the greats... "the only secure computer is buried in the desert without power".

I'm feeling young again :)
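The contrast jllort draws above (user input pasted into the SQL text versus bound to a `?` placeholder, which is exactly the shape of the `principalsQuery` quoted earlier in the thread) is easiest to see by running both forms against the same table. The following is an added example written for this page, not OpenKM or JBoss code; it uses Python's built-in sqlite3 module with a constructed `users` table and a constructed payload, so it runs offline. The column and table names mirror the query from the thread; everything else is assumed for illustration.

```python
import sqlite3

# Constructed sample data for this example (not OpenKM's real schema):
# a users table shaped like the one the thread's principalsQuery reads.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (usr_id text primary key, usr_pass text)")
    conn.executemany(
        "insert into users values (?, ?)",
        [("okmAdmin", "admin"), ("alice", "s3cret")],
    )
    return conn


# The dangerous pattern from the post: the user-controlled field is pasted
# into the SQL text, so a quote in the input ends the literal and whatever
# follows is parsed as SQL.
def lookup_password_concat(conn, usr_id):
    sql = "select usr_pass as PASSWD from users where usr_id='" + usr_id + "'"
    return [row[0] for row in conn.execute(sql)]


# The safe pattern: the same query text as the login-config.xml
# principalsQuery, with the value bound to the ? placeholder. The driver
# sends the value separately from the statement, so it is never parsed as SQL.
def lookup_password_param(conn, usr_id):
    sql = "select usr_pass as PASSWD from users where usr_id=?"
    return [row[0] for row in conn.execute(sql, (usr_id,))]


def demo():
    conn = make_db()
    honest = "alice"
    # Constructed injection payload: closes the quoted literal and appends a
    # condition that is always true, so the WHERE clause matches every row.
    hostile = "x' or '1'='1"
    return {
        "concat_honest": lookup_password_concat(conn, honest),
        "concat_hostile": lookup_password_concat(conn, hostile),
        "param_honest": lookup_password_param(conn, honest),
        "param_hostile": lookup_password_param(conn, hostile),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

With the concatenated query the hostile input returns every password in the table; with the bound parameter the same input simply matches no user, which is the point of the `?` in the quoted `principalsQuery`. The attack still has to reach a query built by concatenation somewhere; the XML in the thread is not that place.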
 #4826  by mribeiro
 
LOool! I liked this sentence: "the only secure computer is buried in the desert without power"!!

I've been looking at the source code, and yes, I'm surprised.
I'm no long-time programmer; I've been studying programming techniques since my 10th grade, so it's been 6 years. But you know, my teacher is kind of stubborn!
Well, if it is needed, I'll show him this post :P

Thank you all :)

And keep up the awesome work! :D
