Re: IBM NetCommerce Security
daemon@ATHENA.MIT.EDU (Gedanken)
Tue Feb 6 15:47:37 2001
Message-ID: <Pine.LNX.4.21.0102061347030.5040-100000@eris.io.com>
Date: Tue, 6 Feb 2001 13:52:03 -0600
Reply-To: Gedanken <gedanken@IO.COM>
From: Gedanken <gedanken@IO.COM>
X-To: Emil Popov <emo@DS.PRIMASOFT.BG>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <20010206161446.A7173@ds.primasoft.bg>
On Tue, 6 Feb 2001, Emil Popov wrote:

> Any thoughts, fixes, ideas??
The best way is to add 0 to the order_rn before using it. If the
operation passes, the input was an int. If it failed, then it wasn't and
something funky was attempted. This is obviously only going to prevent
munging of integer fields, but that's the vast majority.
It's been a while since I coded n.c sites, so I do not recall the exact
Add() function, but memory seems to tell me that there was even a
SecurityCheck function in the engine (undocumented, I believe) that did
this exact functionality for you. If I had an install in front of me, I
would search the default macros for 'SecurityCheck' or some variant.
--
gedanken
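The "add 0 to it" coercion check from the reply above, worked through as an added example. This is not code from the thread or from IBM Net.Commerce; the Net.Data macro language the post refers to is not shown on the page, so Python stands in. The order-number table, the field values, and the function names (coerce_int, strict_int, fetch_order) are all constructed for illustration. The example goes one step beyond the post: it shows a lenient coercion check alongside a strict digits-only check, so the reader can see which odd inputs (surrounding whitespace, underscores, trailing newlines, non-ASCII digits) the arithmetic test still lets through.

```python
import re
from typing import Callable, Optional

# Constructed sample "database": order reference number -> owner.
# Stands in for whatever the macro would have queried with order_rn.
ORDERS = {1234: "alice", 1235: "bob"}


def coerce_int(value: str) -> Optional[int]:
    """The 'add 0 to it' check: do the integer arithmetic and treat failure
    as tampering. Returns the integer, or None if the field is not numeric.

    Note what int() in Python tolerates before the arithmetic even runs:
    surrounding whitespace, a leading '+', digit-group underscores and
    non-ASCII digits all coerce successfully.
    """
    try:
        return int(value) + 0
    except (TypeError, ValueError):
        return None


# Optional sign and ASCII digits only. [0-9] rather than \d on purpose:
# \d also matches Unicode digits such as Arabic-Indic numerals.
_STRICT = re.compile(r"-?[0-9]+")


def strict_int(value: str) -> Optional[int]:
    """Tighter variant: the whole string must be an optional '-' plus digits.
    fullmatch() is used rather than match() with '$' so that a trailing
    newline ('1234\\n') is rejected as well.
    """
    if not isinstance(value, str) or not _STRICT.fullmatch(value):
        return None
    return int(value)


def fetch_order(raw_order_rn: str,
                check: Callable[[str], Optional[int]] = strict_int) -> str:
    """Validate the field first, then use the *converted* integer for the
    lookup. The raw string never reaches the query."""
    order_rn = check(raw_order_rn)
    if order_rn is None:
        return "rejected"
    return ORDERS.get(order_rn, "not found")


if __name__ == "__main__":
    # Constructed inputs: one honest value, then tampered or odd ones.
    samples = ["1234", "1234 OR 1=1", "12abc", " 1234 ", "1_234",
               "1234\n", "\u0661\u0662\u0663\u0664", "-5"]
    print(f"{'input':>12}  {'coerce_int':>10}  {'strict_int':>10}")
    for s in samples:
        print(f"{s!r:>12}  {str(coerce_int(s)):>10}  {str(strict_int(s)):>10}")
```

The lenient check already stops the cases the post is worried about (anything with operators or letters appended fails the arithmetic), which is why it covers "the vast majority". The strict variant is what to reach for when the value is later interpolated as text anyway, or when whitespace and alternate digit forms would matter downstream.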