Problem Note 50612: The SAS® Digital Marketing opt-out table is vulnerable to malicious corruption
 |  |  |  |  |
External customers are able to create additional columns in the opt-out table in SAS Digital Marketing. The update occurs when the e-mail recipient opens a broadcast e-mail message and clicks on the option to opt-out of receiving future broadcasts. Tracked variables within the broadcast create new columns in the opt-out table, if they do not already exist. This ability to update the SAS Digital Marketing opt-out table leaves it vulnerable to malicious corruption or SQL injection attacks. You can minimize the extent of any malicious updates by protecting the table with appropriate database user permissions.
Click the Hot Fix tab in this note to access the hot fix for this issue.
The hot fix for this problem uses an existing advanced server property, PreventDDL. After you apply the hot fix, set the property to true to prevent the DDL statements (CREATE TABLE and ALTER TABLE) from being available in the tracking tier. By default, the property is set to false to enable you to create or alter a response table and opt-out table through bess.war.
After you change the advanced server property PreventDDL, perform the following two steps:
- Reconfigure the bess.war web application using the SAS Digital Marketing Configuration Wizard.
- Redeploy the bess.war web application to all machines where bess.war installed.
If you are using this property, ensure that all variables that you want to track are created using the SAS Digital Marketing Broadcast Creation Wizard. If subsequent tracked variables are added to the broadcast via the editor or externally, then you must manually create the appropriate columns in both the SAS Digital Marketing response table and opt-out table. If you do not create the columns manually, the click events will not be recorded in the response table and the opt-outs will not be recorded in the opt-out table.
See SAS Note 43762 "The SAS Digital Marketing response table is vulnerable to malicious corruption" for additional details.
Operating System and Release Information
| Product Family | Product | System | Product Release | SAS Release | ||
| Reported | Fixed* | Reported | Fixed* | |||
| SAS System | SAS Digital Marketing | Microsoft® Windows® for 64-Bit Itanium-based Systems | 5.3 | |||
| Microsoft Windows Server 2003 Datacenter 64-bit Edition | 5.3 | |||||
| Microsoft Windows Server 2003 Enterprise 64-bit Edition | 5.3 | |||||
| Microsoft Windows XP 64-bit Edition | 5.3 | |||||
| Microsoft® Windows® for x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows 8 Enterprise 32-bit | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows 8 Enterprise x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows 8 Pro 32-bit | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows 8 Pro x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows 95/98 | 5.3 | |||||
| Microsoft Windows 2000 Advanced Server | 5.3 | |||||
| Microsoft Windows 2000 Datacenter Server | 5.3 | |||||
| Microsoft Windows 2000 Server | 5.3 | |||||
| Microsoft Windows 2000 Professional | 5.3 | |||||
| Microsoft Windows NT Workstation | 5.3 | |||||
| Microsoft Windows Server 2003 Datacenter Edition | 5.3 | |||||
| Microsoft Windows Server 2003 Enterprise Edition | 5.3 | |||||
| Microsoft Windows Server 2003 Standard Edition | 5.3 | |||||
| Microsoft Windows Server 2003 for x64 | 5.3 | |||||
| Microsoft Windows Server 2008 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows Server 2008 R2 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows Server 2008 for x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows Server 2012 Datacenter | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows Server 2012 Std | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Microsoft Windows XP Professional | 5.3 | |||||
| Windows 7 Enterprise 32 bit | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Windows 7 Enterprise x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Windows 7 Home Premium 32 bit | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Windows 7 Home Premium x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Windows 7 Professional 32 bit | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Windows 7 Professional x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Windows 7 Ultimate 32 bit | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Windows 7 Ultimate x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Windows Millennium Edition (Me) | 5.3 | |||||
| Windows Vista | 5.3 | |||||
| Windows Vista for x64 | 5.3 | |||||
| 64-bit Enabled AIX | 5.3 | 6.3 | 9.4 TS1M1 | |||
| 64-bit Enabled HP-UX | 5.3 | 6.3 | 9.4 TS1M1 | |||
| 64-bit Enabled Solaris | 5.3 | 6.3 | 9.4 TS1M1 | |||
| HP-UX IPF | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Linux | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Linux for x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
| Solaris for x64 | 5.3 | 6.3 | 9.4 TS1M1 | |||
A fix for this issue for SAS Digital Marketing 5.4_M1 is available at:
http://ftp.sas.com/techsup/download/hotfix/HF2/E12.html#50612A fix for this issue for SAS Digital Marketing 5.41 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/F60.html#50612A fix for this issue for SAS Digital Marketing 6.1_M1 is available at:
https://tshf.sas.com/techsup/download/hotfix/HF2/K90.html#50612| Type: | Problem Note |
| Priority: | high |
| Date Modified: | 2013-08-02 14:06:56 |
| Date Created: | 2013-08-02 10:38:41 |