Monday, March 12, 2012

possible to spoof report parameters?

Sorry if this has been asked before, but the searches I tried didn't turn anything up.

My question is, is it possible for a user to spoof report parameters in order to get a report to run for values that would normally be unavailable to that user?

For example, let's say we have a report that has a drop-down parameter containing a list of account numbers that the user is allowed to see data for. (The query that populates the dropdown itself uses the reporting services login to appropriately filter the list of accounts.) Would it be theoretically possible to write a custom http client that injected its own value for the account # parameter and have the report run for an account that was not intended for that user? Or is this somehow prevented in some way (perhaps the viewstate?).

Note, I am not the potential hacker, I would like to know if I need to add some other security mechanism to all of our reports.

By the way, we are using RS 2005.

Thanks

Reply:

Use stored procedures to prevent SQL injection attacks.

Reply from the original poster:

I'm sorry, I shouldn't have used the word "inject" in my original question. I am not speaking about a traditional SQL injection attack, I'm only talking about spoofing an HTTP client to post arbitrary HTTP-parameter values when running the report. Thanks for the reply though.
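The risk described in the question is real in principle: the drop-down only restricts what the browser offers, and a hand-built request can submit any value for the account parameter. The mitigation is to re-check authorization inside the dataset query itself, keyed on the identity the report server authenticated (SSRS's built-in User!UserID, which the client cannot set). The following T-SQL stored procedure is an added example, not code from this thread; it assumes a hypothetical AccountAccess table mapping users to permitted accounts, an AccountTransactions table, and a dataset parameter @UserName bound to the expression =User!UserID.

```sql
-- Assumed schema (not from the thread):
--   dbo.AccountAccess(UserName, AccountNumber)  : accounts each report user may see
--   dbo.AccountTransactions(AccountNumber, TransactionDate, Amount, Description)
CREATE PROCEDURE dbo.rpt_AccountReport
    @UserName      nvarchar(128),   -- dataset parameter bound to =User!UserID
    @AccountNumber varchar(20)      -- the drop-down value as actually submitted
AS
BEGIN
    SET NOCOUNT ON;

    -- Re-check authorization on every run instead of trusting the drop-down.
    -- A crafted HTTP request can post any account number, but it cannot
    -- change which accounts this authenticated user has been granted here.
    IF NOT EXISTS (
        SELECT 1
        FROM dbo.AccountAccess
        WHERE UserName = @UserName
          AND AccountNumber = @AccountNumber
    )
    BEGIN
        RAISERROR('Not authorized for the requested account.', 16, 1);
        RETURN;
    END;

    -- Only reached for an account the user is permitted to see.
    SELECT t.TransactionDate, t.Amount, t.Description
    FROM dbo.AccountTransactions AS t
    WHERE t.AccountNumber = @AccountNumber
    ORDER BY t.TransactionDate;
END;
```

The same AccountAccess filter should drive the parameter's available-values query, so the list the user sees and the check the report enforces never drift apart.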
