FP Web

Jose Lerebours fpgroups at gmail.com
Mon Jul 8 03:14:15 PDT 2019


On 7/8/19 12:30 AM, Fairlight via Filepro-list wrote:
>> Per injections, well, that has nothing to do with the back-end
>> binaries but with the way the programmer writes his/her code.  Of
>> course, if fileProWeb does not provide means to sanitize data, we
>> then have a totally different subject.
> Not actually true, in the case of fpcgi 1.x and the default for 2.x.
> The whole concept of putting the command-lines as hidden fields was
> ill-conceived, to put it as politely as possible.  Even after they were
> made aware of the ramifications, they only provided an alternative
> server-side only methodology for 2.x, but kept the client-side methodology
> as the default.  Allegedly for purposes of backwards compatibility.  I
> don't even think the alternative was widely communicated.  So yes,
> injections -were- an issue with fpcgi, just not in the conventional
> SQL injection context.  Worse, honestly, since you could inject entire
> arbitrary commands.  It was an issue even on Windows.  There were also
> multiple different characters to use to trigger it.  They eventually fixed
> it, but that was -not- a good demonstration of security awareness.
>
> Then there was the makedir suid root hidden-password bypass at a system
> level, if you had any system shell access and could access the path to the
> binary.  Don't start me.

The way I see it,

(1) if "system" commands are needed to get to the data, then it is not a 
"native" solution; I stick to what I already know and what works.
(2) It needs to have the ability to run cURL and WSDL constructs for data 
sharing (IN/OUT)
(3) It needs to have the ability to use input in GET and POST modes

Being an old school developer, I can live with procedural architecture 
but OOP is where it should be.  I want to believe that they have hacked 
an open source binary like PHP, Perl or Python and made it their own, 
one where your typical filePro commands work:

lookup alias = fileName i=A k="Hello World!"

This would be the equivalent of a SQL query

SELECT * FROM fileName WHERE keyField = "Hello World!"

Then I can proceed to parse through the array object returned by the 
lookup/SELECT command without having to break out to a shell using "system".
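As an added illustration, not code from fpcgi or filePro, of the "server-side only" methodology Fairlight mentions versus the 1.x habit of carrying the command line in a hidden field: the registry, the binary paths and the form field names are assumed, and the log-review check is a constructed sample.

```python
"""Added example: server-side command registry vs. hidden-field command lines."""
import re
import subprocess
from typing import Dict, List

# Assumed registry: what the server is willing to run. The browser only ever
# sees the key, so the command line itself never leaves the server.
COMMAND_REGISTRY: Dict[str, List[str]] = {
    "report_daily": ["/opt/fp/dreport", "daily"],        # hypothetical path
    "lookup_customer": ["/opt/fp/dreport", "customers"],  # hypothetical path
}
# Characters a user-supplied key value may contain (matches the "Hello World!" lookup).
SAFE_PARAM = re.compile(r"^[A-Za-z0-9 _.!-]{1,64}$")
# Characters that would change how a shell parses a command string.
SHELL_META = re.compile(r"[;&|`$<>\n\r\\(){}]")


def legacy_hidden_field_is_suspicious(value: str) -> bool:
    """For reviewing logs of 1.x-style forms: the hidden field is expected to
    hold exactly one command line, so any shell metacharacter is worth a look."""
    return SHELL_META.search(value) is not None


def resolve_command(form: Dict[str, str]) -> List[str]:
    """Build an argv from the server-side registry; refuse any command line
    the client tried to supply itself."""
    if "cmd" in form:
        raise ValueError("client-supplied command line not accepted")
    base = COMMAND_REGISTRY.get(form.get("cmd_id", ""))
    if base is None:
        raise ValueError("unknown cmd_id")
    argv = list(base)
    key = form.get("key")
    if key is not None:
        if not SAFE_PARAM.fullmatch(key):
            raise ValueError("key contains disallowed characters")
        argv += ["-k", key]  # separate argv element, never joined into a shell string
    return argv


def run(form: Dict[str, str]) -> str:
    """Execute with an argv list (no shell), so the key is data, not syntax."""
    proc = subprocess.run(resolve_command(form), capture_output=True,
                          text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    print(resolve_command({"cmd_id": "lookup_customer", "key": "Hello World!"}))
```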
