Focal Point
[CASE-OPENED] SQL intrusion

This topic can be found at:
https://forums.informationbuilders.com/eve/forums/a/tpc/f/7971057331/m/4027099276

October 07, 2014, 11:44 AM
Pedro
[CASE-OPENED] SQL intrusion
Hi,

A security third party was testing SQL injection.

They added a quote in the app path as follows:
GET /ibi_apps/WFServlet?IBIF_ex=get_party&IBIAPP_app=lin_common='

By sending this URL, WF returned:

(FOC224) SYNTAX ERROR: PREPENDPATH lin_common='
(FOC324) THE PARAMETER TO BE SET IS NOT RECOGNIZED
ERROR AT OR LINE 13 IN PRECEDURE get_party

Q1. Is it possible to add SET EMGSRV=OFF at startup in the customer profile?
Q2. If the path is wrong, how can I receive an error that comes from the procedure? The procedure shouldn't be executed?

WF v7.7.003

Thanks,
Pierre

This message has been edited. Last edited by: <Kathryn Henning>,


Production: WF 7.7.03 / OS: Solaris Sparc 64 / WebServer: Apache Tomcat/6.0 / AppServer: WebLogic 10.3 / DB: Oracle 11.2 / Output formats: HTML, Excel, PDF, CSV, ZIP
October 20, 2014, 02:25 PM
<Kathryn Henning>
Hi Pedro,

I see that you've opened a case and have been working with Customer Support on this issue. Once the Symptom-Problem-Solution document has been published, I'll come back and update this topic with the link.

Thanks and regards,

Kathryn