Continuing the series summarizing Fortify findings, this article covers the Access Control: Database finding (data over-privilege, i.e. a user reading or modifying records that belong to someone else), as follows:
1. Access Control: Database (data over-privilege)
1.1. Cause:
A Database Access Control error occurs when both of the following conditions hold:
1. Data enters the program from an untrusted source (for example, an HTTP request parameter).
2. That data is used to specify the value of a primary key in a SQL query, and nothing checks that the current user is entitled to the record it selects.
Example 1: The following code uses a parameterized statement, which escapes metacharacters and prevents SQL injection, to build and execute a SQL query that looks up the invoice matching the specified identifier. The identifier is meant to be chosen from a list of all invoices associated with the currently authenticated user.
...
// invoiceId is attacker-controlled: it comes straight from the request
int id = Integer.decode(request.getParameter("invoiceId"));
// parameterized, so not injectable, but the only selector is the primary key
String query = "SELECT * FROM invoices WHERE id = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setInt(1, id);
ResultSet results = stmt.executeQuery();
// no check that the returned invoice belongs to the current user
...
The problem is that the developer has not considered all possible values of id. Although the user interface only lists the identifiers of the current user's invoices, an attacker can bypass the interface and submit any invoiceId directly. Because the code never checks that the user is entitled to the requested invoice, it returns whichever invoice was asked for, even one that does not belong to the current user. The parameterized query protects against SQL injection, not against this authorization flaw; the two are independent.
1.2. Remediation:
Rather than relying on the presentation layer to restrict the values a user can submit, enforce access control at the application and database tiers. Under no circumstances should a user be able to read or modify database records without the appropriate permission. Every query that touches the database must honour this principle, which can be achieved by making the currently authenticated user's name part of the query condition.
Example 2: The following code implements the same functionality as Example 1, but adds a restriction so that only an invoice belonging to the currently authenticated user can be fetched.
...
int id = Integer.decode(request.getParameter("invoiceId"));
// the ownership condition is part of the query, so the database itself enforces it
String query = "SELECT * FROM invoices WHERE id = ? AND user = ?";
PreparedStatement stmt = conn.prepareStatement(query);
stmt.setInt(1, id);
// userName must come from the authenticated session, never from a request parameter
stmt.setString(2, userName);
ResultSet results = stmt.executeQuery();
...
In short, preventing data over-privilege comes down to two points:
1. For every record being queried or modified, add an ownership (data-permission) condition to the SQL statement so that the result set is limited to what the current user is allowed to see.
2. The value used in that ownership condition (the user name, tenant id, and so on) must be taken from the server-side session or authentication context, never from a value passed in by the client, since the client can tamper with it just as easily as with the record id.
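The following is an added example, not code from the original article or from Fortify's documentation. It re-creates the Java pattern above in Python with an in-memory sqlite3 database so that the vulnerable and the fixed query can be run side by side: a request handler that trusts only the primary key, and one that adds the ownership condition and takes the user name from the server-side session rather than from the request. The table layout, the sample invoices and the handler and parameter names (invoiceId, user) are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration: two users, each owning invoices.
INVOICES = [
    (101, "alice", 250.00),
    (102, "alice", 99.50),
    (201, "bob", 1200.00),
]


def open_db():
    """Create an in-memory invoices table and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE invoices (id INTEGER PRIMARY KEY, user TEXT NOT NULL, amount REAL NOT NULL)"
    )
    conn.executemany("INSERT INTO invoices VALUES (?, ?, ?)", INVOICES)
    return conn


def parse_invoice_id(raw):
    """Counterpart of Integer.decode: reject non-integer input before it reaches the query."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        raise ValueError("invalid invoiceId") from None


def get_invoice_vulnerable(conn, invoice_id):
    """Example 1 pattern: parameterized (no SQL injection) but no ownership check."""
    return conn.execute(
        "SELECT id, user, amount FROM invoices WHERE id = ?", (invoice_id,)
    ).fetchone()


def get_invoice_fixed(conn, invoice_id, session_user):
    """Example 2 pattern: ownership condition is part of the query, enforced by the database."""
    return conn.execute(
        "SELECT id, user, amount FROM invoices WHERE id = ? AND user = ?",
        (invoice_id, session_user),
    ).fetchone()


def handle_request(conn, session_user, params, enforce_ownership=True):
    """Simulates the servlet handler.

    session_user is the name from the authenticated session. Any 'user' key the
    client puts into params is deliberately ignored (point 2 of the summary).
    Returns the invoice as a dict, or None when it does not exist OR is not owned
    by the caller; using one answer for both cases avoids letting an attacker
    enumerate which ids exist.
    """
    invoice_id = parse_invoice_id(params.get("invoiceId"))
    if enforce_ownership:
        row = get_invoice_fixed(conn, invoice_id, session_user)
    else:
        row = get_invoice_vulnerable(conn, invoice_id)
    if row is None:
        return None
    return {"id": row[0], "user": row[1], "amount": row[2]}


if __name__ == "__main__":
    db = open_db()
    # alice bypasses the UI and asks for bob's invoice 201
    attack = {"invoiceId": "201", "user": "bob"}
    print("vulnerable:", handle_request(db, "alice", attack, enforce_ownership=False))
    print("fixed:     ", handle_request(db, "alice", attack))
```

Running the script shows the vulnerable handler returning bob's invoice to alice, while the fixed handler returns None even though the attacker also supplied user=bob in the request, because the ownership value is bound from the session. The same WHERE-clause condition should be applied to UPDATE and DELETE statements, not only to SELECT, since an unchecked primary key in those queries lets a user modify or remove other users' records.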