Service Desk Manager - How are SQL injections handled?

Article ID: 140533

Products

CA Service Management - Asset Portfolio Management
CA Service Management - Service Desk Manager

Issue/Introduction

Is there anything within Service Desk Manager's design to prevent a SQL Injection attack?

My security software detected a potential risk.

Environment

Release : 17.X

Component : SERVICE DESK MANAGER

Resolution

Our development and security teams have performed testing for SQL injection. Below is an example of a query string that gets created during normal usage of SDM:

"SID=1953056881&FID=836850174&OP=SEARCH&FACTORY=in&QBE.EQ.active=1&QBE.IN.summary=%25foo%25&QBE.IN.description=%25bar%25&KEEP.isHierSearch=0&KEEP.cur_sort_key=&KEEP.cur_sort_key_order=undefined+KEEP.use_role=1"

Regarding the previous query:

1. This query is not a direct SQL clause.

2. SDM parses the resulting virtual SQL statement and rebuilds it using the native DBMS table and column names in the proper syntax for the DBMS. Only a subset of the SQL language is supported; anything else is rejected by the SDM parser.

3. In addition, ADDITIONAL_WHERE (the place where this SQL-type clause was seen) only supports SELECT statements, not INSERT, UPDATE or DELETE. Any kind of malicious SQL injection would therefore be extremely difficult, since the SDM parser does not understand those types of queries. SDM also silently augments the SELECT statement with additional data authorization constraints to prevent data leakage when appropriate.
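To make the three points above concrete, here is an added illustration (not SDM's own code, and not the real SDM schema) of how a QBE-style query string can be turned into a native SELECT without ever splicing user input into SQL text: the factory, operators and field names are resolved through allow-lists, anything outside the supported subset is rejected, user values are passed as bind parameters, and an authorization constraint is appended to the WHERE clause. The table and column names, the `QBE.IN` = substring-match interpretation, and the `tenant_id` constraint are assumptions made for this example.

```python
from urllib.parse import parse_qsl

# Constructed allow-list of "virtual" factories and fields -> native names.
# These mappings are assumptions for the example, not SDM's actual schema.
FACTORY_TABLES = {
    "in": ("example_incident", {
        "active": "active_flag",
        "summary": "summary",
        "description": "description",
    }),
}

# Supported subset of operators. Assumption: QBE.IN means "contains",
# so the caller supplies the % wildcards (as in %25foo%25 in the sample).
OPERATORS = {"EQ": "=", "IN": "LIKE"}


class QueryRejected(ValueError):
    """Raised for anything outside the supported virtual-SQL subset."""


def build_select(query_string, auth_constraint=None,
                 factory_tables=FACTORY_TABLES, operators=OPERATORS):
    """Rebuild a QBE query string as (sql_with_placeholders, bind_values).

    Every user-controlled value ends up in the bind list; the SQL text is
    assembled only from allow-listed native names and operator tokens.
    """
    params = dict(parse_qsl(query_string, keep_blank_values=True))

    # Only searches (SELECT) are accepted; there is no path to other statements.
    if params.get("OP") != "SEARCH":
        raise QueryRejected("only OP=SEARCH is supported")

    factory = params.get("FACTORY")
    if factory not in factory_tables:
        raise QueryRejected(f"unknown factory {factory!r}")
    table, columns = factory_tables[factory]

    clauses, binds = [], []
    for key, value in params.items():
        if not key.startswith("QBE."):
            continue  # SID, FID, KEEP.* etc. never reach the SQL
        parts = key.split(".", 2)
        if len(parts) != 3:
            raise QueryRejected(f"malformed QBE key {key!r}")
        _, op, field = parts
        if op not in operators:
            raise QueryRejected(f"unsupported operator {op!r}")
        if field not in columns:
            raise QueryRejected(f"unknown field {field!r}")
        # Native column name and operator token come from the allow-lists;
        # the value is bound with a DB-API "qmark" placeholder.
        clauses.append(f"{columns[field]} {operators[op]} ?")
        binds.append(value)

    # Silent data-authorization constraint, e.g. restrict to the caller's tenant.
    if auth_constraint is not None:
        column, value = auth_constraint
        clauses.append(f"{column} = ?")
        binds.append(value)

    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT * FROM {table} WHERE {where}", binds


# The sample query string from this article, used as constructed input.
SAMPLE_QUERY = (
    "SID=1953056881&FID=836850174&OP=SEARCH&FACTORY=in&QBE.EQ.active=1"
    "&QBE.IN.summary=%25foo%25&QBE.IN.description=%25bar%25&KEEP.isHierSearch=0"
    "&KEEP.cur_sort_key=&KEEP.cur_sort_key_order=undefined+KEEP.use_role=1"
)

if __name__ == "__main__":
    sql, binds = build_select(SAMPLE_QUERY, auth_constraint=("tenant_id", 42))
    print(sql)
    print(binds)
```

A value containing quote characters (for example `O'Brien` in a summary search) never changes the SQL text; it only appears in the bind list, which is what makes the rebuild step resistant to injection. A request naming an operator or field outside the allow-list fails with `QueryRejected` rather than being forwarded to the DBMS.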

Based on all of this information, we suggest creating an exception within the security software that is reporting the false positive, so that Service Desk Manager can function. If you need further information on how to create this exception, consult the vendor of that security software for additional details.