m5 old links
Any query using user input, variables that can be overridden, or database
fields including user data, can be potentially dangerous.
Direct injecting of Miva Script tags would not work in compiled Miva Script,
but injecting of queries, or in some cases even functions, may be possible.
Besides it, it also stays to investigate whether the template language
cannot be abused in some way. It is difficult to tell without having the
source code of Miva Merchant, so some deep analysis and heavy duty testing
will be needed to see how it actually works internally.
Ivo Truxa
| http://miva.truxoft.com
| Advanced Miva Merchant modules
-----Original Message-----
From: William Weiland
David Hubbard wrote:
> I don't know
> MivaScript so I'm just theorizing, but maybe by doing something
> like that I'll cause a variable set internal to the script to
> be overridden by what I want it to be, and that's where the
> danger potentially lies.
But accessing the data in Merchant is done with more than select (*)
from s01_Products
For example:
<MvOPENVIEW NAME = "Merchant"
VIEW = "Products"
QUERY = "{'SELECT * FROM ' $ g.Store_Table_Prefix $ 'Products WHERE
id
= ?' }"
FIELDS = "l.product:id">
Isn't Merchant creating a specific way of getting to the data such that
you would need to use the "Mv" commands. Or does somehow having select
(*) from s01_Products floating around allow you to connect outside of
Merchant?
Inquiring minds want to know. So do the hackers.
Any query using user input, variables that can be overridden, or database
fields including user data, can be potentially dangerous.
Direct injecting of Miva Script tags would not work in compiled Miva Script,
but injecting of queries, or in some cases even functions, may be possible.
Besides it, it also stays to investigate whether the template language
cannot be abused in some way. It is difficult to tell without having the
source code of Miva Merchant, so some deep analysis and heavy duty testing
will be needed to see how it actually works internally.
Ivo Truxa
| http://miva.truxoft.com
| Advanced Miva Merchant modules
-----Original Message-----
From: William Weiland
David Hubbard wrote:
> I don't know
> MivaScript so I'm just theorizing, but maybe by doing something
> like that I'll cause a variable set internal to the script to
> be overridden by what I want it to be, and that's where the
> danger potentially lies.
But accessing the data in Merchant is done with more than select (*)
from s01_Products
For example:
<MvOPENVIEW NAME = "Merchant"
VIEW = "Products"
QUERY = "{'SELECT * FROM ' $ g.Store_Table_Prefix $ 'Products WHERE
id
= ?' }"
FIELDS = "l.product:id">
Isn't Merchant creating a specific way of getting to the data such that
you would need to use the "Mv" commands. Or does somehow having select
(*) from s01_Products floating around allow you to connect outside of
Merchant?
Inquiring minds want to know. So do the hackers.
Comment