Author | Message |
---|---|
cysun
Posts: 2935
|
Posted 14:51 Apr 27, 2020 |
|
aruizcr
Posts: 2
|
Posted 14:53 Apr 27, 2020 |
So was this a failure to use prepared statements? Or a bigger workaround? |
cysun
Posts: 2935
|
Posted 17:12 Apr 27, 2020 |
From the article (emphasis mine): "The zero-day vulnerability that made the attacks possible was a pre-authentication SQL injection flaw found in the custom operating system that runs the firewall". My guess is that the custom OS is probably not written in Java (usually it's C/C++), so they don't have PreparedStatement. SQL injection can happen in any language. In Java it can be dealt with easily with PreparedStatement; in another language you'll need to find some similar solution. |
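
The point in the last reply, as an added example that is not part of the thread or of the firewall's code: outside Java, the counterpart of PreparedStatement is whatever parameter-binding call the database driver offers. The sketch uses Python's standard `sqlite3` module as a stand-in for a non-Java language; the `users` table, the function names and the sample inputs are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data, held in memory so the example runs offline.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'hash-of-admin-pw')")
    return db

def login_concatenated(db, name, password_hash):
    # Vulnerable form: input is pasted into the SQL text, so a quote
    # character in the input becomes part of the statement itself.
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password_hash = '" + password_hash + "'")
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, name, password_hash):
    # Hardened form: the statement text is fixed and the values are bound
    # separately, which is what PreparedStatement does in Java.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password_hash = ?"
    return db.execute(sql, (name, password_hash)).fetchone()[0] > 0

def compare(name, password_hash):
    # Run both forms on the same input and report what each one did.
    db = make_db()
    try:
        weak = login_concatenated(db, name, password_hash)
    except sqlite3.OperationalError:
        weak = "syntax error"  # input broke the statement's quoting
    return weak, login_parameterized(db, name, password_hash)

if __name__ == "__main__":
    samples = [
        ("admin", "hash-of-admin-pw"),  # correct credentials
        ("admin", "wrong"),             # wrong credentials
        ("admin' --", "anything"),      # quote plus comment marker
        ("o'brien", "anything"),        # innocent name containing a quote
    ]
    for name, pw in samples:
        print(repr(name), compare(name, pw))
```

Only the concatenated form lets the third input pass the check without a valid password hash, and only that form fails outright on the fourth; the bound form treats both as plain data.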