The sampleabove is only dangerous if the attacker knows a valid user name. This way it's quite easy to log on as anAdministrator.Ĭheckevery IF command if the condition can be NULL
In the password textbox allhe needs to do is to hit CTRL+0, and Visual FoxPro assigns NULL to the Valueproperty of the textbox. In the sample above, the user can log onsuccessfully, if he only knows a correct user name. If an IF condition results in NULL, Visual FoxPro alwaysexecutes the ELSE branch.
A condition that is NULL cannotbe true, never. That lookspretty safe, doesn't it? However, what happens if lcPassword is NULL? Everyexpression that contains NULL is NULL itself. IF NOTALLTRIM(User.cPassword) = m.lcPassword * ASSUME: Welocated the correct record in USER.DBF A typicalpassword validation could look like this: In the following samples I assume thatthe user name is stored in lcUser and the password in lcPassword. Let's start withsome particularities of Visual FoxPro. In reality, though, there's a lot that can go wrong. Otherwise the applicationterminates, usually after a few unsuccessful attempts. Executioncontinues if user name and password are valid. Technically, such a login dialog is very simple. Using the login dialog andpassword check I'd like to show how many security leaks a Visual FoxProapplication could have. They spend a lot of effort to protect tablesin case of power failures.įor allthese problems there are readily available solutions that are – almost withcertainty - superior to the homemade solutions. They write their own encryption routines toencrypt single field in a table. Without hesitation, theydemand administrator privileges for their application and implement their ownlogin dialog to restrict access.
Hence, it's obvious that securityis not the primary focus of software developers. This makesit even more surprising that most developers start from the ground with thesecurity aspects of their own applications.
What sounds like a failed attempt to be funny, is surprisingly true.Microsoft spent hundred of millions dollars in the research of security, hasgot worldwide recognized security experts and is permanently challenged by tensof thousands of security experts and its competition. Microsofthas a lot of experience and knowledge in developing secure applications and actuallydoes so.
Microsoft (1543) Not specified (442) IBM (338) Borland Software (141) Microsoft Corporation (121) unknown (112) Borland International, Inc. (80) gpl (70) Norton Computing (63) id Software (63) Infocom (62) Sierra Entertainment (60) Autodesk (59) Digital Research (58) Adobe (54) Maxis (52) Ibm Corp. (50) Micrografx (49) Borland Inc. (49) Apogee Software (48) Central Point Software (45) Lotus Software (44) Sam Lantinga (42) Microprose (42) Lotus Development Corporation (40) Symantec Corporation (40) Borland (40) Corel Corporation (36) WordPerfect Corporation (36) Broderbund (34) Quarterdeck (34) Ashton-Tate (32) Electronic Arts (32) Software Publishing Corporation (32) Peter Norton Computing/Symantec (31) GNU (28) Be, Inc. (28) Epic MegaGames (28) Apple Computer, Inc. (28) Symantec (28) Sierra On-Line, Inc. (26) Headlight Software (25) Novell, Inc. (24) Sierra (24) Ulead Systems Inc. (23) more…īeOS (710) DOS (7458) OS/2 (179) Unix (242) Windows 3.B圜hristof Wollenhaupt, Foxpert Login, Logout, Knock out