[thelist] Are there any security leaks of HTC's
Mark Groen
markgroen at gmail.com
Wed Jun 1 09:29:37 CDT 2005
----- Original Message -----
From: "VOLKAN ÖZÇELIK" <>
To: <thelist at lists.evolt.org>
Sent: Wednesday, June 01, 2005 8:42 PM
Subject: Re: [thelist] Are there any security leaks of HTC's
Actually what I meant is different. I could't fully express it, sorry.
Let me start step by step.
If the user finds a way to directly communiacate with the HTC
while keeping the session open after authenticating at step 1(assuming
that he has stolen the sa password): He can send any SQL call to the
servlet
(it's somewhat more complex, but theoretically possible, I'll not go
to details to deviate from the topic.)
Sorry for this much introduction.
In conclusion I have two basic questions:
1. is it possible (with a tool, with a hack, by using a security leak
etc) to communicate directly to the HTC file, bypassing the browser;
and without losing the browser session.
Yes, at one point in time but not sure if that's valid anymore. I'll try to
dig up the reference, Ken S. knows more about this M$ stuff than I do, maybe
he'll find some time to jump on this thread too in the meanwhile.
2. We play with money.
So
* Shall we install SSL to the login process.
or
* Shall we install SSL throughout the entire process to secure our
connection.
I would be doing as much as possible through SSL, encrypted, no clear text
what-so-ever.
3. Shall I blame the DBA of hacking the system :) (since she was there
at that time)
Ermm, good question.
Your responses are really and highly appreciated.
glad to help when possible, theList is thePlace for answers, hopefully
you'll get more as this thread reaches other inboxes :-)
cheers,
Mark
More information about the thelist
mailing list