How reliable/secure are getenv('User') & WScript.Network
Message
General information
Forum: Visual FoxPro
Category: Coding, syntax & commands
Miscellaneous
Thread ID: 00953302
Message ID: 00954690
Views: 12
Hello Anatoliy,

Don't mind if you join at all. :)

You're on topic but off as far as my concern.

Let's assume that my app uses GetEnv() when launched to get the username of the user running the app and then uses tables to look up the username and determine permissions. (In one sense, we do this right now with our app. We use a 3rd party utility to get the user's Novell user name (Novell serves as our file server). That username is used to look the user up in a table and get their permissions.)

Now suppose that User1 has limited permissions. User1 logs into his/her local machine and edits his/her environment vars to say that his username is User2. (User2 just happens to be some kind of super user). Now User1 launches the app. If I'm looking at this straight, the app will now think User1 is User2 and give him/her the wrong permissions.

In other words, I'm not so worried about them changing DURING the running of the app as I am BEFORE the running of our app.

Thanks for whatever "enlightenment" you can offer!

Rodd
>That's an interesting discussion, mind if I join :)
>
>I just tried some simple code. It shows that at the very beginning a FoxPro app reads environment variables into its internal variables. Whenever you call GETENV(), it does not invoke the GetEnvironmentVariable API call.
>
>Here is the code:
>CLEAR
>CLEAR ALL
>
>DECLARE INTEGER SetEnvironmentVariable IN kernel32 STRING lpName, STRING lpValue
>
>DECLARE INTEGER GetEnvironmentVariable IN kernel32;
>	STRING lpName, STRING @lpBuffer, INTEGER nSize
>
>? "Before:"
>? GETENV("username")
>? gv("username")
>
>? SetEnvironmentVariable("username", "Homer Simpson")
>
>? "After:"
>? gv("username")
>? GETENV("username")
>
>FUNCTION gv(cName)
>	LOCAL cBuffer, nBufsize
>	nBufsize=4096
>	cBuffer= REPLICATE(CHR(0), nBufsize)
>	nBufsize = GetEnvironmentVariable(cName, @cBuffer, nBufsize)
>RETURN SUBSTR(cBuffer, 1, nBufsize)
>
>Probably a C/C++ debugger may reveal even more interesting details.
>
>Technically, though very much unlikely, someone with sufficient tools and knowledge may start another process that can reach the heap of the Visual FoxPro application and change those internal variables.
>
>What was the initial question :) Am I out of topic?
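
Added example, not part of either post above: a check for the "edited before launch" case, which asks Windows for the account that owns the running process (the `GetUserName` API in advapi32) and uses that, not `GETENV("USERNAME")`, as the key for the permissions lookup. It assumes the Windows logon name is the identity the permissions table is keyed on; `OsUserName` is a hypothetical helper name.

```foxpro
* Added example (not from the thread). GETENV() returns whatever the
* environment block contained at launch, which the user can edit.
* GetUserName returns the account the process is actually running as.
DECLARE INTEGER GetUserName IN advapi32 ;
	STRING @lpBuffer, INTEGER @nSize

LOCAL cEnvUser, cOsUser
cEnvUser = UPPER(ALLTRIM(GETENV("USERNAME")))
cOsUser  = UPPER(OsUserName())

? "Environment says:", cEnvUser
? "Windows says:    ", cOsUser

IF EMPTY(cOsUser)
	* Fail closed: no trustworthy identity, so no permissions lookup.
	? "Could not determine the logon account; refusing to continue."
ELSE
	IF NOT cEnvUser == cOsUser
		* Worth logging: the environment was changed before launch.
		? "USERNAME in the environment does not match the logon account."
	ENDIF
	* Key the permissions lookup on cOsUser, never on cEnvUser.
	? "Permissions lookup key:", cOsUser
ENDIF

* Hypothetical helper: returns the logon name, or "" if the call fails.
FUNCTION OsUserName
	LOCAL cBuffer, nSize
	nSize = 257                && UNLEN (256) plus the terminating null
	cBuffer = REPLICATE(CHR(0), nSize)
	IF GetUserName(@cBuffer, @nSize) = 0
		RETURN ""
	ENDIF
	* On success nSize counts the characters copied, including the null.
	RETURN LEFT(cBuffer, nSize - 1)
ENDFUNC
```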