FP Web
Richard Kreiss
rkreiss at gccconsulting.net
Mon Jul 8 08:37:31 PDT 2019
I am just now wondering if the FP Web is tied into MySQL download? Or is it a new front end for filePro replacing the FPGUI product?
It would be nice if there were some screen shots of the product on the FP TECH web-site (and a place to register for the conference).
Richard Kreiss
GCC Consulting
-----Original Message-----
From: Filepro-list <filepro-list-bounces+rkreiss=verizon.net at lists.celestial.com> On Behalf Of Jose Lerebours via Filepro-list
Sent: Monday, July 8, 2019 6:14 AM
To: filepro-list at lists.celestial.com
Subject: Re: FP Web
On 7/8/19 12:30 AM, Fairlight via Filepro-list wrote:
>> Per injections, well, that has nothing to do with the back-end
>> binaries but with the way the programmer writes his/her code. Of
>> course, if fileProWeb does not provide means to sanitize data, we
>> then have a totally different subject.
> Not actually true, in the case of fpcgi 1.x and the default for 2.x.
> The whole concept of putting the command-lines as hidden fields was
> ill-conceived, to put it as politely as possible. Even after they
> were made aware of the ramifications, they only provided an
> alternative server-side only methodology for 2.x, but kept the
> client-side methodology as the default. Allegedly for purposes of
> backwards compatibility. I don't even think the alternative was
> widely communicated. So yes, injections -were- an issue with fpcgi,
> just not in the conventional SQL injection context. Worse, honestly,
> since you could inject entire arbitrary commands. It was an issue
> even on Windows. There were also multiple different characters to use
> to trigger it. They eventually fixed it, but that was -not- a good demonstration of security awareness.
>
> Then there was the makedir suid root hidden-password bypass at a
> system level, if you had any system shell access and could access the
> path to the binary. Don't start me.
The way I see it,
(1) if "system" commands are needed to get to the data, then it is not a "native" solution; I stick to what I already know and works.
(2) It needs to have ability to run cURL and WSDL construct for data sharing (IN/OUT)
(3) It needs to have ability to use input in GET and POST modes
Being an old school developer, I can live with procedural architecture but OOP is where it should be. I want to believe that they have hacked an open source binary like PHP, Perl or Python and made it their own, one where your typical filePro commands work:
lookup alias = fileName i=A k="Hello World!"
This would be the equivalent of a SQL query
SELECT * FROM fileName WHERE keyField = "HelloWorld!"
Then I can proceed to parse through the array object returned by the lookup/SELECT command without having to break out to a shell using "system".
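An added illustration, not fpcgi code, of the server-side alternative Fairlight mentions above: the hidden form field carries only an action name, the argument vector for that action lives on the server, and any client-supplied parameter must match a strict pattern before it is appended (the binary paths, action names and field names are made up for the example).

```python
import re
import subprocess

# Server-side table: action name -> fixed argv. The client never sends a command line.
# Paths and action names are hypothetical.
ALLOWED_ACTIONS = {
    "list_customers": ["/opt/app/bin/report", "--table", "customers"],
    "show_invoice": ["/opt/app/bin/report", "--table", "invoices", "--key"],
}

# Client-supplied parameters an action may take, each with an allow-list pattern.
PARAM_RULES = {
    "show_invoice": {"key": re.compile(r"[A-Za-z0-9_-]{1,32}")},
}


class RejectedRequest(ValueError):
    """Raised when the form names an unknown action or a malformed parameter."""


def resolve_command(form):
    """Map submitted form fields (dict of str -> str) to an argv list.

    The result is meant for subprocess.run(argv) with shell=False, so no
    shell ever parses client data; anything outside the table is refused.
    """
    action = form.get("action", "")
    if action not in ALLOWED_ACTIONS:
        raise RejectedRequest("unknown action %r" % action)
    argv = list(ALLOWED_ACTIONS[action])
    for name, pattern in PARAM_RULES.get(action, {}).items():
        value = form.get(name, "")
        if not pattern.fullmatch(value):   # fullmatch: whole value must conform
            raise RejectedRequest("bad value for field %r" % name)
        argv.append(value)
    return argv


def is_rejected(form):
    """True if resolve_command refuses the form (convenience for checks)."""
    try:
        resolve_command(form)
    except RejectedRequest:
        return True
    return False


def run_action(form):
    """Resolve and execute the action without a shell; returns stdout text."""
    argv = resolve_command(form)
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(resolve_command({"action": "show_invoice", "key": "INV-1001"}))
```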