Problem Note 43762: The SAS® Digital Marketing response table is vulnerable to malicious corruption
 |  |  |  |  |
External customers are able to create and update response tables and columns in SAS Digital Marketing. The update occurs when the e-mail recipient opens a broadcast e-mail message and clicks the links. However, this ability to update the SAS Digital Marketing response table leaves it vulnerable to malicious corruption or SQL injection attacks. You can minimize the extent of any malicious updates by protecting the table with appropriate database user permissions.
For SAS Digital Marketing 5.4_M1, click the Hot Fix tab in this note to access the hot fix for this issue.
A hot fix for SAS Digital Marketing 5.3 is available upon request from Technical Support.
The hot fix for this problem introduces a new advanced server property, PreventDDL. After you apply the hot fix, set the property to true to prevent the DDL statements (CREATE TABLE and ALTER TABLE) from being available in the tracking tier. By default, the property is set to false to enable you to create or alter a response table through bess.war.
After you change the advanced server property PreventDDL, perform the following two steps:
- Reconfigure the bess.war web application using the SAS Digital Marketing Configuration Wizard.
- Redeploy the bess.war web application to all machines where bess.war installed.
If you are using this property, ensure that all variables that you want to track are created using the SAS Digital Marketing broadcast creation wizard. If subsequent tracked variables are added to the broadcast via the editor or externally, then you must manually create the appropriate columns in the SAS Digital Marketing response table. If you do not create the columns manually, the click events will not be recorded.
The hot fix allows for the creation of standard columns in the response table, limited to these: BESSEVENT, BESSTIME, JAVATIME, REMOTEHOST, REMOTEUSER, REMOTEIPADDRESS, CONTENT,LINKID, LINK, BROWSER, AOL, CT, APPID, RSS, ITEM, BROADCAST, RTC, S1, MM_LAT, MM_LONG, MM_ZIP, MM_AREA, MM_CITY, MM_COUNTRY.
See SAS Note 50612 "The SAS Digital Marketing opt-out table is vulnerable to malicious corruption, for additional information."
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Digital Marketing | z/OS | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 |
| Microsoft® Windows® for 64-Bit Itanium-based Systems | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Microsoft Windows Server 2003 Datacenter 64-bit Edition | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Microsoft Windows Server 2003 Enterprise 64-bit Edition | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Microsoft Windows XP 64-bit Edition | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Microsoft Windows 2000 Advanced Server | 5.1 | 9.1 TS1M3 SP4 | ||||
| Microsoft Windows 2000 Datacenter Server | 5.1 | 9.1 TS1M3 SP4 | ||||
| Microsoft Windows 2000 Server | 5.1 | 9.1 TS1M3 SP4 | ||||
| Microsoft Windows 2000 Professional | 5.1 | 9.1 TS1M3 SP4 | ||||
| Microsoft Windows NT Workstation | 5.1 | 9.1 TS1M3 SP4 | ||||
| Microsoft Windows Server 2003 Datacenter Edition | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Microsoft Windows Server 2003 Enterprise Edition | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Microsoft Windows Server 2003 Standard Edition | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Microsoft Windows XP Professional | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Windows Vista | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Windows Vista for x64 | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| 64-bit Enabled AIX | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| 64-bit Enabled HP-UX | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| 64-bit Enabled Solaris | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| HP-UX IPF | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Linux | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Linux on Itanium | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| OpenVMS Alpha | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Solaris for x64 | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||
| Tru64 UNIX | 5.1 | 5.41 | 9.1 TS1M3 SP4 | 9.3 TS1M0 | ||