RA accepting special characters as user input poses a risk of SQL Injection.


Article ID: 231178


Products

CA Release Automation - Release Operations Center (Nolio)

Issue/Introduction

Our security team reported that RA allows special characters in user input fields, which poses a risk of SQL Injection.

Environment

Release : 6.7

Component : CA RELEASE AUTOMATION CORE

Cause

Per product design and the requirements of our global customer base, special characters are allowed in input fields: customers use these fields to pass special characters, XML, JavaScript, etc.

Rather than blocking special characters or maintaining a whitelist of permitted ones, we chose the approach of not evaluating the contents of the input fields. Consequently, we have not found any way to exploit special-character values entered in input fields.
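The security-relevant distinction in the Cause above is that accepting special characters is not by itself SQL Injection; the risk arises only when field content is assembled into a SQL statement and evaluated as such. The following is an added example, not CA Release Automation code and not a description of how RA stores its data. It uses Python's sqlite3 to contrast a hypothetical handler that concatenates the field value into an INSERT (so the value is parsed as SQL) with one that binds the value as a parameter (so quotes, XML and JavaScript are stored verbatim). The sample inputs are constructed for the demonstration.

```python
import sqlite3

# Constructed sample inputs: the kinds of "special character" payloads the
# article says customers legitimately pass through input fields, plus one
# classic injection attempt.
SAMPLE_INPUTS = [
    "plain value",
    "O'Brien",                              # single quote
    "<config><env>prod</env></config>",     # XML fragment
    "<script>alert(1)</script>",            # JavaScript fragment
    "x'); DROP TABLE params; --",           # injection attempt
]


def make_db():
    """Fresh in-memory database with a single table for stored field values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE params (id INTEGER PRIMARY KEY, value TEXT)")
    conn.commit()
    return conn


def store_vulnerable(conn, value):
    """Hypothetical vulnerable handler: the field value is spliced into the
    statement text, so the database engine evaluates it as SQL.
    executescript() permits stacked statements, mirroring drivers that do."""
    sql = "INSERT INTO params (value) VALUES ('" + value + "')"
    conn.executescript(sql)


def store_parameterized(conn, value):
    """Hardened handler: the value is bound as a parameter and is never
    parsed as SQL, whatever characters it contains."""
    conn.execute("INSERT INTO params (value) VALUES (?)", (value,))
    conn.commit()


def stored_values(conn):
    """Read back every stored value in insertion order."""
    return [row[0] for row in conn.execute("SELECT value FROM params ORDER BY id")]


def demo_parameterized():
    """Every sample input, including the injection attempt, is stored verbatim."""
    conn = make_db()
    for value in SAMPLE_INPUTS:
        store_parameterized(conn, value)
    return stored_values(conn)


def demo_vulnerable():
    """Returns None when the injection attempt destroyed the table,
    otherwise whatever values survived the malformed statements."""
    conn = make_db()
    for value in SAMPLE_INPUTS:
        try:
            store_vulnerable(conn, value)
        except sqlite3.Error:
            # e.g. "O'Brien" breaks the quoting and is rejected as a syntax error
            pass
    try:
        return stored_values(conn)
    except sqlite3.OperationalError:
        return None  # "no such table: params"


if __name__ == "__main__":
    print("parameterized:", demo_parameterized())
    print("vulnerable:   ", demo_vulnerable())
```

The parameterized path stores all five values exactly as entered, including the `DROP TABLE` text; the concatenating path loses the record with the single quote to a syntax error and then loses the whole table to the stacked statement. This is the test a security team can apply to any field: the question is not whether a quote is accepted, but whether the value ever reaches a query as statement text rather than as a bound parameter.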


Resolution

All SQL Injection related vulnerabilities have already been addressed in the product. The data in input fields is not evaluated or processed, so we do not see a vulnerability here and no fix is required.

Additional Information

If your security team can exploit the system using special characters in input fields, please open a Support Ticket with Technical Support and include the following information:

  • Steps to recreate exploitation
  • Exploitation report for the testing carried out on your system, with the relevant screenshots
  • Tools and browser version used for testing