[Tizen Application-dev] Security vulnerabilities in WebApp is detected.

Hanchett, Paul phanchet at jaguarlandrover.com
Wed Sep 11 17:16:21 GMT 2013


In datajs-1.0.3.min.js I see a number of exec() calls-- an automated tool
will see these uses of exec as "dangerous" even if you believe you've
written code to sanitize the content.  Our rule of thumb at Aspect was
never to use exec calls if it was avoidable--it's *very* difficult to write
an adequate parameter "cleaner" that can't be gotten around while still
accepting all valid data!

Just sayin'.

Paul



Paul Hanchett
-------------------
Infotainment Engineer
MSX on behalf of Jaguar Land Rover
One World Trade Center, 121 Southwest Salmon Street, 11th Floor, Portland,
Oregon, 97204

Email: phanchet at jaguarlandrover.com
-------------------

Business Details:
Jaguar Land Rover Limited
Registered Office: Abbey Road, Whitley, Coventry CV3 4LF
Registered in England No: 1672070


On Wed, Sep 11, 2013 at 8:52 AM, Вячеслав Зайцев <slava at ifaced.ru> wrote:

>  I know about SQL injection, but I do not see it here. The methods from the
> list are located inside the code of the JayData library http://jaydata.org/
> and its developers have taken care of the safety of substituting values
> within the library code.
> The application does not contain any plain SQL queries. Everything is done
> through models and properly escaped before being substituted into raw SQL.
>
> Thx for reply.
>
> 11.09.13, 22:37, Hanchett, Paul wrote:
>
>  Your attached file seems to have been lost to the list...
>
>  A classic SQL vulnerability that can be detected automatically is not
> using prepared SQL statements rather than an exec query.  Here's an article
> that shows examples of both:
> http://stackoverflow.com/questions/1703203/in-sqlite-do-prepared-statements-really-improve-performance.
>
>
>  The reason to use prepared statements is *not* speed but rather
> security: Using prepared statements there is no way I can change the
> prepared SQL statement into another command; it's relatively easy to
> do with an exec, if I can control some portion of the data inserted into
> the exec (usually through concatenation).
>
>  Just a thought.
>
>  Paul
>
>
>
> On Tue, Sep 10, 2013 at 9:33 PM, Вячеслав Зайцев <slava at ifaced.ru> wrote:
>
>> Hi. I have a problem with certification. The application was rejected with
>> the defect "Security vulnerabilities in WebApp is detected. For more
>> information about the issue, please refer to the attached file.". The
>> attached file is a list of methods from the JayData library with the name
>> "executeQuery" and the line number in the file. Example:
>>
>> cmd.executeQuery [SqLiteProvider.js]
>> sqlCommand.executeQuery [SqLiteProvider.js]
>> operationProvider.storageProvider.executeQuery [IndexedDbProvider.min.js,
>> IndexedDbProvider.js]
>> f.storageProvider.executeQuery [jaydata.min.js]
>> command.executeQuery [SqLiteProvider.js]
>> e.entityContext.executeQuery [jaydata.min.js]
>> data.QueryCache.executeQuery [jaydata.min.js]
>> g.executeQuery [SqLiteProvider.min.js]
>> a.executeQuery [jaydata.min.js]
>> this.entityContext.executeQuery [jaydata.min.js]
>>
>> There is no explanation of the category of vulnerability or how to
>> reproduce it. I think that this is the result of an automatic code
>> scanner's work and just a mistake, but no one answered in the comments on
>> the issue.
>>
>> Has anyone encountered a problem like this? How do I solve it?
>>
>> Content ID 000000004857
>> Defect ID 2218460
>> _______________________________________________
>> Application-dev mailing list
>> Application-dev at lists.tizen.org
>> https://lists.tizen.org/listinfo/application-dev
>>
>
>
> --
> ----------------------------------
> Вячеслав Зайцев  www.interfaced.ru
> +7-3822-93-81-74   slava at ifaced.ru   http://linkedin.com/in/vyatcheslav
> ----------------------------------
>
>
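Paul's two points in the thread (a query built by concatenation can be turned into a different command, and a hand-written "cleaner" is easy to get around while still accepting valid data) side by side with the prepared-statement form. This is an added example and is not code from the thread, from JayData or from the Tizen scanner; it uses Python's built-in sqlite3 module instead of the Tizen Web SQL API, so the binding syntax differs but the distinction is the same. The `users` table, its three rows and the `strip_quotes` cleaner are constructed for the example.

```python
import sqlite3

# Constructed sample data for the example (not from the original thread).
SAMPLE_USERS = [
    (1, "alice", "alice@example.com"),
    (2, "bob", "bob@example.com"),
    (3, "carol", "carol@example.com"),
]


def make_db():
    """In-memory SQLite database with a small users table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_by_name_concat(conn, name):
    """VULNERABLE: the untrusted value becomes part of the SQL text.

    A value such as  x' OR '1'='1  closes the literal and appends its own
    condition, so the statement no longer means what the author wrote.
    """
    sql = "SELECT id, name FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_name_prepared(conn, name):
    """SAFE: the driver binds the value to the placeholder after the SQL has
    been parsed, so quotes inside it are just characters of the string."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def strip_quotes(value):
    """Hypothetical input 'cleaner' of the kind Paul warns about: it removes
    single quotes and nothing else."""
    return value.replace("'", "")


def find_by_id_cleaned(conn, user_id):
    """VULNERABLE despite the cleaner: the column is numeric, so the author
    did not quote the value, and an injected  0 OR 1=1  contains no quote
    for the cleaner to strip."""
    sql = "SELECT id, name FROM users WHERE id = " + strip_quotes(user_id)
    return conn.execute(sql).fetchall()


def find_by_id_prepared(conn, user_id):
    """SAFE: the bound value is compared as data; '0 OR 1=1' is simply a
    string that matches no integer id."""
    return conn.execute("SELECT id, name FROM users WHERE id = ?", (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(find_by_name_concat(db, "x' OR '1'='1"))    # every row leaks
    print(find_by_name_prepared(db, "x' OR '1'='1"))  # []
    print(find_by_id_cleaned(db, "0 OR 1=1"))         # every row, cleaner bypassed
    print(find_by_id_prepared(db, "0 OR 1=1"))        # []
```

Note that sqlite3's `execute()` refuses more than one statement per call, so stacked queries (`'; DROP TABLE users; --`) are not the interesting case here; the boolean condition rewrite above is enough to show that the author's query has been changed into a different one, which is exactly what the placeholder form prevents.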