How reliable/secure are getenv('User') & WScript.Network

Level Extreme platform

Subscription

Corporate profile

Products & Services

Support

Legal

Français

How reliable/secure are getenv('User') & WScript.Network

Message

From

26/10/2004 17:22:01

Anatoliy Mogylevets
1361529 Ontario, Inc. (News2News)
Scarborough, Ontario, Canada

26/10/2004 16:27:26

Rodd Harris
New Tribes Mission
Sanford, Florida, United States

General information

Forum:

Visual FoxPro

Category:

Coding, syntax & commands

Title:

Re: How reliable/secure are getenv('User') & WScript.Network

Miscellaneous

Thread ID:

00953302

Message ID:

00954707

Views:

Hi Rod,

So the worst case scenario: User1 somehow manages to start the application with environment variable username set to User2. Your application uses GetEnv() and gets faked User2 value.

I think this is possible when using CreateProcess API to start an executable. This function has input parameter pEnvironment that can be a pointer to environment block for the new process.

In such case the bad guy must write a small program -- launcher for the application.

* * *
How about using instead of GetEnv() some API functions like:
GetUserName
GetNetworkParams
NetGetJoinInformation
...

Anatoliy Mogylevets
devicecontext@msn.com
Win32 API Online Reference

Map

View

Click here to load this message in the networking platform