FP Web

Fairlight fairlite at fairlite.com
Mon Jul 8 09:10:30 PDT 2019


Maybe you have to register by fax.  *laugh*

m->


On Mon, Jul 08, 2019 at 03:37:31PM +0000, Richard Kreiss via Filepro-list thus spoke:
> I am just now wondering if the FP Web is tied into MySQL download? Or is it a new front end for filePro replacing the FPGUI product?
> 
> It would be nice if there were some screen shots of the product on the FP TECH web-site (and a place to register for the conference).
> 
> Richard Kreiss
> GCC Consulting
> 
> -----Original Message-----
> From: Filepro-list <filepro-list-bounces+rkreiss=verizon.net at lists.celestial.com> On Behalf Of Jose Lerebours via Filepro-list
> Sent: Monday, July 8, 2019 6:14 AM
> To: filepro-list at lists.celestial.com
> Subject: Re: FP Web
> 
> 
> On 7/8/19 12:30 AM, Fairlight via Filepro-list wrote:
> >> Per injections, well, that has nothing to do with the back-end 
> >> binaries but with the way the programmer writes his/her code.  Of 
> >> course, if fileProWeb does not provide means to sanitize data, we 
> >> then have a totally different subject.
> > Not actually true, in the case of fpcgi 1.x and the default for 2.x.
> > The whole concept of putting the command-lines as hidden fields was 
> > ill-conceived, to put it as politely as possible.  Even after they 
> > were made aware of the ramifications, they only provided an 
> > alternative server-side only methodology for 2.x, but kept the 
> > client-side methodology as the default.  Allegedly for purposes of 
> > backwards compatibility.  I don't even think the alternative was 
> > widely communicated.  So yes, injections -were- an issue with fpcgi, 
> > just not in the conventional SQL injection context.  Worse, honestly, 
> > since you could inject entire arbitrary commands.  It was an issue 
> > even on Windows.  There were also multiple different characters to use 
> > to trigger it.  They eventually fixed it, but that was -not- a good demonstration of security awareness.
> >
> > Then there was the makedir suid root hidden-password bypass at a 
> > system level, if you had any system shell access and could access the 
> > path to the binary.  Don't start me.
> 
> The way I see it,
> 
> (1) if "system" commands are needed to get to the data, then it is not a "native" solution; I stick to what I already know and works.
> (2) It needs to have ability to run cURL and WSDL construct for data sharing (IN/OUT)
> (3) It needs to have ability to use input in GET and POST modes
> 
> Being an old school developer, I can live with procedural architecture but OOP is where it should be.  I want to believe that they have hacked an open source binary like PHP, Perl or Python and made it their own, one where your typical filePro commands work:
> 
> lookup alias = fileName i=A k="Hello World!"
> 
> This would be the equivalent of a SQL query
> 
> SELECT * FROM fileName WHERE keyField = "HelloWorld!"
> 
> Then I can proceed to parse through the array object returned by the lookup/SELECT command without having to break out to a shell using "system".
> 
> 
> 
> _______________________________________________
> Filepro-list mailing list
> Filepro-list at lists.celestial.com
> Subscribe/Unsubscribe/Subscription Changes
> http://mailman.celestial.com/mailman/listinfo/filepro-list

-- 
Audio panton, cogito singularis.
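The complaint about fpcgi above is that the command line to run lived in hidden form fields, so whoever controlled the browser controlled the command, and several characters could break out of it. As an added example (not fpcgi or filePro code, and not anything from this list), the snippet below contrasts that design with the server-side-only alternative: the client names an action, the server keeps the only copy of the command table, and the one user-supplied value is allow-listed and passed as a single argv element with no shell involved. The action names, program paths, field names and metacharacter set are assumptions constructed for the example.

```python
"""Added example: keeping command lines out of the browser.

Assumptions (constructed for this example, not filePro's interface): a form
posts an 'action' field and a 'key' field; the legacy design posted a hidden
'cmd' field carrying the whole command line.
"""
import re
import shlex
import subprocess
import urllib.parse

# Server-side table. The browser only ever sees the short name on the left;
# the argv list on the right never leaves the server. (Hypothetical programs.)
ACTIONS = {
    "customer_lookup": ["/opt/app/bin/report", "-f", "customers", "-k"],
    "invoice_list":    ["/opt/app/bin/report", "-f", "invoices", "-k"],
}

# The lookup key is the only client value that reaches a command. It must
# match this allow-list and is passed as its own argument, never via a shell.
KEY_RE = re.compile(r"^[A-Za-z0-9 _.!-]{1,64}$")

# Generic shell metacharacters, used only for spotting suspicious input in
# requests aimed at a legacy hidden-field design (assumed set, not fpcgi's).
SHELL_META = set(";|&`$<>\n\r")


class RequestRejected(Exception):
    """Raised when a request does not match the server-side contract."""


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded POST body into a flat dict."""
    parsed = urllib.parse.parse_qs(body, keep_blank_values=True)
    return {name: values[0] for name, values in parsed.items()}


def legacy_command_line(form: dict) -> str:
    """The design the thread criticises: the client supplies the command line
    itself in a hidden field. Returned rather than executed so the example
    stays inert; the point is that the server has nothing to check against."""
    return form.get("cmd", "")


def suspicious_values(form: dict) -> dict:
    """Detection aid: which submitted fields contain shell metacharacters."""
    return {k: v for k, v in form.items() if any(c in SHELL_META for c in v)}


def build_argv(form: dict) -> list:
    """Hardened form: resolve an opaque action name server-side, validate the
    key against the allow-list, and return argv with the key as one element."""
    action = form.get("action", "")
    if action not in ACTIONS:
        raise RequestRejected(f"unknown action {action!r}")
    key = form.get("key", "")
    if not KEY_RE.fullmatch(key):
        raise RequestRejected("key contains characters outside the allow-list")
    return ACTIONS[action] + [key]


def run(form: dict, dry_run: bool = True):
    """Execute the resolved argv with shell=False. In dry-run mode return the
    command as a single quoted string so the reader can see what would run."""
    argv = build_argv(form)
    if dry_run:
        return shlex.join(argv)
    return subprocess.run(argv, capture_output=True, text=True, check=False)


if __name__ == "__main__":
    body = "action=customer_lookup&key=Hello+World%21"   # constructed request
    print(run(parse_form(body)))
    try:
        run(parse_form("action=customer_lookup&key=a%3Bb"))
    except RequestRejected as exc:
        print("rejected:", exc)
```

Note that the hardening does not come from escaping: the key is never interpolated into a string that a shell parses, so the metacharacter list only matters for detection in logs of the old design, not for correctness of the new one.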

