<?xml version="1.0" encoding="utf-8"?>
<rss version="2.0" xml:base="http://davejarvis.ulitzer.com"  xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
 <title>Latest News from Dave Jarvis</title>
 <link>http://davejarvis.ulitzer.com/</link>
 <description>Latest News from Dave Jarvis</description>
 <language>en</language>
 <copyright>Copyright 2012 Ulitzer.com</copyright>
 <generator>Ulitzer.com</generator>
 <lastBuildDate>Thu, 17 May 2012 17:23:15 EDT</lastBuildDate>
 <docs>http://backend.userland.com/rss</docs>
 <ttl>360</ttl>
<item>
 <title>Indispensable - JasperReports, iReport, and R</title>
 <link>http://davejarvis.ulitzer.com/node/1796129</link>
 <description>A problem has come to my attention over the last few years and I thought Java.net would be a good place to talk about it.

I have noticed that many reporting integrations use vendor-supplied examples verbatim. This is an issue.

With JasperReports (the Java-based reporting tool), the reports contain SQL code. That SQL code can tell a hacker a lot about the database (type, version, table names, column names, and such). This opens up an attack vector, and many people host their report files in the same directory as the web files.
Worse still, some people write JSPs with the database connection information (login, password, host name, database name) in plain text - inside the JSP files!</description>
 <pubDate>Sun, 17 Apr 2011 16:31:00 EDT</pubDate>
 <guid isPermaLink="true">http://davejarvis.ulitzer.com/node/1796129</guid>
 <comments>http://davejarvis.ulitzer.com/node/1796129#feedback</comments>
</item>
</channel>
</rss>

