Re: [BLACKBOX] severe security hole in BB

From: [at]} <Josef>
Date: Tue, 17 Jun 2008 08:04:43 +0200

Overall, BB is pretty safe because it is not the target of virus writers
due to its small installed base. This is a big advantage.

There is no verifier as in Java when loading a module.
There is no digital signing of code.
So the code could be tampered with in principle.

Regarding the source language and compiler.
There are run-time checks for array indexing and NIL access etc.
There is also the module SYSTEM which allows to bypass all checks.
When loading a module, there is no distinction between
high-level modules and modules that involve module SYSTEM.

My overall assessment is that the security level is not as high as
in Java or .NET but certainly much higher than for C or C++ systems.

General hint:
If you make the source code available in a running system,
be careful not to declare logins and passwords in the source code.
If a trap window is opened, the user may accidentally get access to
the source code.
As a very simple workaround, you may write security-sensitive
declarations such as passwords in white color.

- JT



----- Original Message -----
From: "Douglas G. Danforth" <danforth{([at]})nowhere.xy
To: <BLACKBOX{([at]})nowhere.xy
Sent: Monday, June 16, 2008 11:36 PM
Subject: Re: [BLACKBOX] severe security hole in BB


> Josef,
> Good point.
>
> At a higher level,
> can one in any sense specify the "security" of the
> underlying module based system?
>
> I, for one, do not like to worry about such issues but
> when providing software to clients what does one say
> when asked about the security of the BlackBox environment?
>
> -Doug Danforth
>

> Josef Templ wrote:
>> Hi everybody!
>>
>> I would like to point out a severe security hole in BB.
>>
>> Password fields are printed as clear text!
>>
>> The problem seems to be in HostCFrames.Print,
>> where Controls are printed in a rather crude form
>> without looking at the guard and without looking
>> at the 'password' property of the text field control.
>>
>> regards
>>
>> - Josef Templ
>>
>>
>> ----
>> To unsubscribe, send a message with body "SIGNOFF BLACKBOX" to
>> LISTSERV{([at]})nowhere.xy
>>
>>


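The defect Josef describes (a print path that dumps a control's raw text without consulting the guard or the 'password' property) modelled as an added Python example; this is not BlackBox or Component Pascal code and not from the list or its authors. TextField, print_crude, display_text, render and hide_when_empty are invented names; the crude path sits beside a fixed design in which screen and print output come from one masking function.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed model of a text-field control, loosely after the properties
# named in the thread ('password', guard); not BlackBox code.
@dataclass
class TextField:
    label: str
    value: str
    password: bool = False                       # the 'password' property
    guard: Optional[Callable[["TextField"], None]] = None  # run before rendering
    hidden: bool = False                         # may be set by the guard

def print_crude(fields: List[TextField]) -> str:
    """The failure mode from the thread: the print path emits the raw text,
    consulting neither the guard nor the 'password' property."""
    return "\n".join(f"{f.label}: {f.value}" for f in fields)

def display_text(f: TextField) -> Optional[str]:
    """Single source of truth for what a control shows on any surface:
    run the guard first, then mask password fields character by character."""
    if f.guard is not None:
        f.guard(f)
    if f.hidden:
        return None
    return "*" * len(f.value) if f.password else f.value

def render(fields: List[TextField], surface: str) -> str:
    """Screen and print output are produced by the same masking function,
    so the two surfaces cannot disagree; 'surface' only changes layout."""
    lines = []
    for f in fields:
        text = display_text(f)
        if text is None:
            continue          # guard hid the control on this surface too
        lines.append(f"{f.label}: {text}" if surface == "screen"
                     else f"{f.label:<10}{text}")
    return "\n".join(lines)

def hide_when_empty(f: TextField) -> None:
    """A guard in the BlackBox sense: hides a control with no value."""
    f.hidden = (f.value == "")

SAMPLE_FORM = [   # constructed sample input for the demonstration
    TextField("User", "alice"),
    TextField("Password", "hunter2", password=True),
    TextField("Token", "", guard=hide_when_empty),
]

if __name__ == "__main__":
    print("crude print:\n" + print_crude(SAMPLE_FORM))
    print("\nfixed print:\n" + render(SAMPLE_FORM, "print"))
```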
Received on Tue Jun 17 2008 - 08:04:43 UTC

This archive was generated by hypermail 2.3.0 : Thu Sep 26 2013 - 06:30:55 UTC