[thelist] CF Encrypt universal uniqueness
Rory.Plaire at wahchang.com
Mon Dec 17 12:43:46 CST 2001
+| > If so, I would imagine that the dreaded "arbitrary SQL
+| code from input
+| > fields on a form" attack could be executed on, say, a login
+| > script which
+| > reads the value of an encrypted username from a cookie and
+| > puts that into a
+| > query to a database...
+| >
+| > ug.
+|
+| Um, how? You would need to know the key that was used on the
+| system you
+| want to attack in order for your fake value to be decrypted
+| correctly.
+| Therefore, this would not be a vulnerability.
+|
Er, well, by the piece of information I didn't include in my post... that I
would also be putting the key in the form... heh, now that I write it, it
doesn't sound like such a good idea in the first place.
<rory disposition="thanks" alt="8)"/>
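The exchange above is about whether a login script that decrypts a cookie value and splices it into a query is injectable. The following is an added example, not code from the thread or from ColdFusion; it uses a toy XOR keystream cipher (an assumption standing in for CF's Encrypt/Decrypt, not the real algorithm) and an in-memory SQLite table with constructed rows. It shows the failure mode the thread describes (a value that decrypts "correctly" under a key the client knows is still attacker-controlled text) and the mitigation that does not depend on keeping the key secret: bind the decrypted value as a query parameter instead of concatenating it.

```python
import hashlib
import sqlite3


def keystream(key: str, length: int) -> bytes:
    """Counter-mode keystream from SHA-256. Constructed for the demo; not CF's Encrypt."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key.encode() + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(plaintext: str, key: str) -> str:
    """XOR the plaintext with the keystream and hex-encode it (cookie-safe)."""
    data = plaintext.encode()
    ks = keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks)).hex()


def toy_decrypt(ciphertext_hex: str, key: str) -> str:
    """Reverse of toy_encrypt: the same XOR with the same keystream."""
    data = bytes.fromhex(ciphertext_hex)
    ks = keystream(key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks)).decode()


def make_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def login_concat(conn: sqlite3.Connection, cookie_value: str, key: str) -> list:
    """The pattern discussed in the thread: decrypt the cookie, then build SQL by string
    concatenation. Decryption proves nothing about the content; whoever can produce a
    valid ciphertext (e.g. because the key was shipped in the form) controls the SQL."""
    username = toy_decrypt(cookie_value, key)
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def login_param(conn: sqlite3.Connection, cookie_value: str, key: str) -> list:
    """Hardened form: the decrypted value is bound as a parameter (the equivalent of
    cfqueryparam in CF), so it can only ever be compared as data, never parsed as SQL."""
    username = toy_decrypt(cookie_value, key)
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    key = "demo-key"  # constructed; in the thread's scenario the client knows this value
    conn = make_db()
    honest_cookie = toy_encrypt("bob", key)
    crafted_cookie = toy_encrypt("x' OR '1'='1", key)
    print("concat, honest :", login_concat(conn, honest_cookie, key))
    print("concat, crafted:", login_concat(conn, crafted_cookie, key))
    print("param,  crafted:", login_param(conn, crafted_cookie, key))
```

The crafted cookie decrypts cleanly because it was encrypted with the known key, and the concatenating version returns every row; the parameterised version returns nothing, because the quote characters are part of the bound value rather than the statement. The lesson for a defender is that encryption of a cookie is at best an integrity hint, and the query itself must be safe regardless of where its inputs came from.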