The Listener receives external notifications and can invoke an application while passing in information from the notifications. External notifications could, in theory, be used to inject harmful data causing undesirable results. Care must be taken to secure the Listener deployment.
To secure the Listener, implement the following recommendations:
Use the dblsn -x option to specify a TLS-based protocol, HTTPS for example, so that the Listener authenticates the notifier (the server) and the network communications are encrypted.
Do not use SMS or UDP listeners because they are unsecured. SMS and UDP are both disabled by default.
All actions configured via the dblsn -l option must either reject invalid input, or be guaranteed to have no harmful effects when arbitrary input is received.
Do not invoke a very powerful or very general application, for example cmd.exe, in an action specification via the dblsn -l option. Deploy and configure a very specific application that does exactly what you need, and no more, and rejects invalid input.
Use message filters so that an action is invoked only for notifications that match the expected message shape, rather than for every notification received.
Avoid using action variables to specify functionality: the value substituted into an action variable comes from the notification, so it is controlled by whoever sent the notification and must not decide which program runs or what that program does.
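The following is an added example (not SQL Anywhere's own code) of the "very specific application" the recommendations above describe: a small action program that accepts exactly one well-formed notification, rejects everything else, and runs a fixed command as an argument vector rather than through a shell. It assumes the Listener's run action passes the notification content as the program's single command-line argument; the dblsn invocation in the docstring, the message format "SYNC <publication> <version>", the publication allowlist and the dbmlsync arguments are all illustrative assumptions, not values from this page.

```python
#!/usr/bin/env python3
"""Minimal, purpose-specific action program for a Listener (dblsn) action.

Added example, not SQL Anywhere's own code. Assumed (hypothetical) Listener
configuration that invokes it with the notification content as one argument:
    dblsn ... -l "message_start=SYNC;action='run sync_action.py $content'"
Check the dblsn documentation for the exact action syntax on your version.
"""
import re
import subprocess
import sys

# Constructed allowlist: the only publications this action will ever sync.
ALLOWED_PUBLICATIONS = frozenset({"orders", "inventory"})

# Exact shape of a valid notification: "SYNC <publication> <version>",
# version being 1-8 decimal digits. Anchored at both ends so nothing can be
# prepended or appended to a valid message.
MESSAGE_RE = re.compile(r"\ASYNC (?P<pub>[a-z]{1,32}) (?P<ver>[0-9]{1,8})\Z")

# Hard cap on input length, checked before the regex runs.
MAX_MESSAGE_LEN = 64


def parse_notification(content):
    """Return (publication, version) for a valid message, or None otherwise.

    Rejects rather than sanitises: extra whitespace, control characters,
    shell metacharacters, an unknown publication or oversize input all
    yield None, and the caller then does nothing at all.
    """
    if not isinstance(content, str) or len(content) > MAX_MESSAGE_LEN:
        return None
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in content):
        return None  # no control characters, newlines or non-ASCII
    m = MESSAGE_RE.match(content)
    if m is None:
        return None
    pub = m.group("pub")
    if pub not in ALLOWED_PUBLICATIONS:
        return None
    return pub, int(m.group("ver"))


def build_command(publication, version):
    """Build the fixed argv for the one task this action performs.

    An argument vector, never a shell string, so notification text can never
    be interpreted as shell syntax. The dbmlsync arguments are illustrative
    assumptions; substitute the exact tool and options you need.
    """
    return ["dbmlsync", "-n", publication, "-e", "sv=%d" % version]


def main(argv):
    """Exit 0 only when a valid notification was acted on."""
    if len(argv) != 2:
        return 2  # wrong number of arguments: reject
    parsed = parse_notification(argv[1])
    if parsed is None:
        return 1  # invalid notification: do nothing
    pub, ver = parsed
    try:
        subprocess.run(build_command(pub, ver), shell=False,
                       check=True, timeout=600)
    except (OSError, subprocess.SubprocessError):
        return 3  # the fixed command itself failed
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The design point is that validation is an allowlist of the exact message the deployment expects, and the only thing the notifier can influence is which of a fixed set of publications is synced; an attacker who can send arbitrary notifications can at worst trigger a sync that was permitted anyway.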
Copyright © 2014, SAP AG or an SAP affiliate company. SAP Sybase SQL Anywhere 16.0