robertkjr

robertkjr

  • NA
  • 61
  • 0

C# & VB.NET RANT!

Nov 19 2004 11:14 AM
The .EXE files... Have you ever opened them in notepad? You can view every text variable set in your program! How can Microsoft compile them this way?? Steps to reproduce this security hole: 1) Create a program in .NET and compile it to EXE. Program needs to have at least this in it: string t; t = "hello I'm a security hole"; 2) Open Notepad 3) Turn the wordwrap on. 4) Open the EXE file created by .NET (or maybe even earlier compilers) in notepad. 5) Scroll down a ways till you get to this section where there are a list of variable names. 6) Just passed that is the variables contents listed in order double spaced. So the above example would look like this in the EXE file - h e l l o I ' m a s e c u r i t y h o l e Say you have a password that you set... which obviously is not a thing to do anymore ever. password = "password"; You could search in your exe file, and find 'p a s s w o r d' Isn't that crazy? Why I say... Why!? The problem in my case, is that I have a program with lots of database calls. Well these calls I use a cmdStr = "Select whatever from whatever" Well that ends up in the exe file as plain text double spaced. I don't want anybody seeing that stuff!

Answers (4)