In association with heise online

30 November 2006, 14:27

Vulnerabilities in Borland's SQL support

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

Users of Borland Developer Studio 2006 should review any applications created with the Borland software that communicate with an SQL database. Security vendor Secunia reports that SQL commands longer than 4000 bytes can provoke a buffer overflow that enables code to be planted and potentially executed. Secunia claims the bug is part of the idsql32.dll file in version, as contained in Developer Studio 2006 and in version, as delivered in prefabricated applications like RevilloC MailServer. It remains unclear which other applications are affected.

The hole only actually becomes a problem if user input directly flows into an SQL statement, such as from a website, and if this is not previously filtered or subjected to length verification. Borland was informed about the problem in the middle of the month, but has not, as yet, reacted. Developers should therefore set length restrictions on user input for their own applications. Access by vulnerable applications from other manufacturers must also be assigned restricted access.

See also:


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit