gnumed-devel

[Gnumed-devel] Re: SQL injection exploits... are we vulnerable?


From: Karsten Hilbert
Subject: [Gnumed-devel] Re: SQL injection exploits... are we vulnerable?
Date: Sun, 15 Apr 2007 20:05:26 +0200
User-agent: Mutt/1.5.13 (2006-08-11)

Hi Jim,

On Sun, Apr 15, 2007 at 10:19:34AM -0700, Jim Busser wrote:
> The vulnerabilities of SQL injection are getting some extra discussion
> lately, maybe only a "bump" in a known vulnerability on account of
> browser-based cross-site scripting attacks.
Yes, an attack known to and recognized by the GNUmed
developers.

Some factoids:

- injection attacks only happen if the values are sent
  in-the-query as opposed to alongside with the query for
  the server to handle
        - which psycopg2 (our database library) does but will change
          in the future at which point GNUmed will gain that extra
          security transparently

- injection attacks only happen on wrongly/unescaped values
  put into queries
        - which GNUmed does not do but rather hands *all* values
          to psycopg2 which does proper escaping (and thereby
          sanitizing)

So, barring bugs in psycopg2's quoting/escaping algorithm, we
aren't vulnerable. And we will transparently become entirely
invulnerable once psycopg2 starts sending values
out-of-query instead of escaping them into the query.

IOW, we did take due action to minimize the risk.

Thanks for the inquiry, though.

Karsten
-- 
GPG key ID E4071346 @ wwwkeys.pgp.net
E167 67FD A291 2BEA 73BD  4537 78B9 A9F9 E407 1346
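The distinction Karsten draws above, between a value spliced into the query text by the application, a value quoted into the query text by the driver, and a value passed alongside the query for the driver or server to bind, is easy to see on a small table. The following is an added example, not GNUmed's or psycopg2's code: it uses Python's bundled sqlite3 module as a stand-in for psycopg2 (the `?` placeholder plays the role of psycopg2's `%s`), a constructed three-row patient table that is not GNUmed's schema, and a hand-written `quote_literal()` that merely doubles single quotes to mimic the kind of client-side quoting a driver does when it must put the value into the query string. The function names are assumptions for illustration only.

```python
import sqlite3

# Constructed sample data (not GNUmed's schema): a tiny in-memory patient table.
PATIENTS = [
    (1, "Doe", "John"),
    (2, "Roe", "Jane"),
    (3, "O'Brien", "Pat"),
]

# Constructed attacker input: closes the literal and appends an always-true clause.
INJECTION = "x' OR '1'='1"


def make_db():
    """Build the in-memory table used by every lookup below."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE patient (pk INTEGER PRIMARY KEY, lastname TEXT, firstname TEXT)"
    )
    conn.executemany("INSERT INTO patient VALUES (?, ?, ?)", PATIENTS)
    return conn


def lookup_vulnerable(conn, lastname):
    """The mistake: the application splices the raw value into the SQL text."""
    sql = "SELECT pk FROM patient WHERE lastname = '%s' ORDER BY pk" % lastname
    return [row[0] for row in conn.execute(sql).fetchall()]


def quote_literal(value):
    """Minimal client-side quoting: wrap in single quotes, double any inner one.

    Assumption: a stand-in for what a driver does when it escapes the value
    *into* the query text (what the mail says psycopg2 did in 2007); this is
    not psycopg2's own quoting routine.
    """
    return "'" + str(value).replace("'", "''") + "'"


def lookup_quoted(conn, lastname):
    """Value still travels inside the query text, but properly quoted first."""
    sql = "SELECT pk FROM patient WHERE lastname = " + quote_literal(lastname) + " ORDER BY pk"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_parameterized(conn, lastname):
    """Value handed to the driver alongside the query; the driver binds it.

    The query structure is fixed before the value is seen, so no value can
    change what the statement does.
    """
    sql = "SELECT pk FROM patient WHERE lastname = ? ORDER BY pk"
    return [row[0] for row in conn.execute(sql, (lastname,)).fetchall()]


def demo():
    """Run the same attacker input through all three styles and collect hits."""
    conn = make_db()
    return {
        # A legitimate name containing a quote works fine when bound.
        "honest": lookup_parameterized(conn, "O'Brien"),
        # Raw splicing: the OR clause becomes part of the query, every row leaks.
        "vulnerable": lookup_vulnerable(conn, INJECTION),
        # Driver-style quoting: the payload is compared as one literal string.
        "quoted": lookup_quoted(conn, INJECTION),
        # Out-of-query binding: same result, without relying on any escaping.
        "parameterized": lookup_parameterized(conn, INJECTION),
    }


if __name__ == "__main__":
    for style, pks in demo().items():
        print("%-14s -> %s" % (style, pks))
```

Note that `lookup_vulnerable` is not even safe for honest input: the name O'Brien would turn it into a syntax error, which is the same defect seen from the other side. The quoted and parameterized paths both return nothing for the payload; the difference, as the mail says, is that the quoted path is only as strong as the quoting routine, while binding removes the question entirely.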



