
Dave Jarvis



Top Stories by Dave Jarvis

A problem has come to my attention over the last few years, and I thought Java.net would be a good place to talk about it. I have noticed that many reporting integrations use vendor-supplied examples verbatim. This is a security issue. With JasperReports (the Java-based reporting tool), the report files contain SQL code, and that SQL can tell an attacker a lot about the database (type, version, table names, column names, and so on). This opens up an attack vector, because many people host their report files in the same directory as their web-accessible files. Worse still, some people write JSPs with the database connection information (login, password, host name, database name) in plain text, inside the JSP files themselves! This needs to stop; sure, the code gets the job done, but no sane boss (if they understood the implications) would agree to publishing attack vectors on their web site. Where would be ... (more)