[Tizen Application-dev] Security vulnerabilities in WebApp is detected.
phanchet at jaguarlandrover.com
Wed Sep 11 15:37:20 GMT 2013
Your attached file seems to have been lost to the list...
A classic SQL vulnerability that can be detected automatically is not
using prepared SQL statements, but rather an exec query. Here's an article
that shows examples of both:
The reason to use prepared statements is *not* speed but rather security:
Using prepared statements there is no way I can change the prepared SQL
statement into another command; it's relatively easy to do with an
exec, if I can control some portion of the data inserted into the exec
(usually through concatenation).
Just a thought.
MSX on behalf of Jaguar Land Rover
One World Trade Center, 121 Southwest Salmon Street, 11th Floor, Portland,
Email: phanchet at jaguarlandrover.com
Jaguar Land Rover Limited
Registered Office: Abbey Road, Whitley, Coventry CV3 4LF
Registered in England No: 1672070
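The difference the reply describes, written out as an added example that is not part of the original message and has nothing to do with JayData's own code: the same lookup done once by splicing the value into the SQL text (the "exec" form) and once as a prepared statement with a bound parameter, run against a constructed in-memory SQLite table. The table, column names and the three sample inputs are assumptions made for the demonstration; the point is that the bound form keeps the statement's structure fixed whatever the value contains, while the concatenated form both breaks on ordinary data (an apostrophe) and lets a value rewrite the WHERE clause.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
SAMPLE_NOTES = [
    ("alice", "alice's note"),
    ("bob", "bob's note"),
]


def make_db():
    """Create an in-memory SQLite database with a constructed 'notes' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    # Even the seed data is inserted with bound parameters.
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", SAMPLE_NOTES)
    conn.commit()
    return conn


def notes_for_owner_concat(conn, owner):
    """VULNERABLE: the caller-supplied value is spliced into the SQL text.

    Whatever the value contains becomes part of the statement, so a quote
    character in it changes the statement's structure. This is the pattern
    an automated scanner flags as an "exec"-style query.
    """
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in conn.execute(sql)]


def notes_for_owner_prepared(conn, owner):
    """SAFE: the SQL text is a constant; the value is bound as a parameter.

    The statement is compiled from the fixed string and the value is handed
    to the engine separately, so it can only ever be compared as data.
    """
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in conn.execute(sql, (owner,))]


def compare(owner):
    """Run both variants on the same input and report what each returned.

    The concatenated form can also fail outright on legitimate data such as
    names containing an apostrophe; that error is reported rather than raised
    so the two behaviours can be compared side by side.
    """
    conn = make_db()
    try:
        concat = notes_for_owner_concat(conn, owner)
    except sqlite3.Error as exc:
        concat = "error: " + exc.__class__.__name__
    prepared = notes_for_owner_prepared(conn, owner)
    conn.close()
    return {"concat": concat, "prepared": prepared}


if __name__ == "__main__":
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(value), compare(value))
```

Running the script shows the three cases: for a plain name both forms agree; for a name with an apostrophe the concatenated form raises a syntax error while the bound form simply finds no match; for a value containing a quote and an OR clause the concatenated form returns every row because the value has become part of the statement, while the bound form again returns nothing because the whole string is compared as an owner name. A scanner that reports every executeQuery call cannot tell these two forms apart by name alone, which is why the check worth doing on the flagged lines is whether the SQL text is a constant with placeholders or is assembled from data.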
On Tue, Sep 10, 2013 at 9:33 PM, Вячеслав Зайцев <slava at ifaced.ru> wrote:
> Hi. Problem with certification. The application was rejected with the defect "Security
> vulnerabilities in WebApp is detected. For more information about the
> issue, please refer to the attached file.". The attached file is a list of
> methods from the JayData library with the name "executeQuery" and the line number
> in the file. Example:
> cmd.executeQuery [SqLiteProvider.js]
> sqlCommand.executeQuery [SqLiteProvider.js]
> [IndexedDbProvider.min.js, IndexedDbProvider.js]
> f.storageProvider.executeQuery [jaydata.min.js]
> command.executeQuery [SqLiteProvider.js]
> e.entityContext.executeQuery [jaydata.min.js]
> data.QueryCache.executeQuery [jaydata.min.js]
> g.executeQuery [SqLiteProvider.min.js]
> a.executeQuery [jaydata.min.js]
> this.entityContext.executeQuery [jaydata.min.js]
> There is no explanation of the category of vulnerabilities or how to
> reproduce it. I think that this is the result of an automatic code scanner
> and just a mistake, but in the comments to the issue no one answered.
> Has anyone encountered a problem like this? How can it be solved?
> Content ID 000000004857
> Defect ID 2218460
> Application-dev mailing list
> Application-dev at lists.tizen.org <Application-dev at lists.tizen.org>