Web Application Firewall
This transfer is blocked by a web application firewall.
This transfer is blocked.
URL http://www.branchbit.com.mx/web/pages/UI.php?operation=search&c%5Bmenu%5D=ConfigManagementOverview&filter=%5B%22SELECT%20%60PC%60%20FROM%20PC%20AS%20%60PC%60%20WHERE%201%22%2C%5B%5D%2C%5B%5D%5D
Event ID 30000078
event type signature
Do you know why this happens? I request your urgent help.
This sounds like an issue on the web application firewall; not with iTop itself.
Question, can this damage my database?
I think the web application firewall just blocks the request, so I don't think so.
The WAF sees the SELECT statement as a potential SQL injection attack and blocks it. Can this be done as a POST? (Although it is still bad practice for apps to use SQL in GETs or POSTs.) Ask your WAF admin if a policy exception can be made for your iTop instance.
The "SELECT" statement that is used looks like SQL, but it is not; it is OQL. The statement passed cannot be anything other than a SELECT, and only a single statement is allowed. Then your OQL is checked against user rights before being translated into SQL and executed.
iTop never ever posts or puts any SQL statement in a URL.
It's a false positive, pretty common.
To answer the database question: no, it cannot. Those are SELECT statements which do nothing to the database. When writing to iTop, we don't use OQL; in fact there is no write statement in OQL, just read...
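As an added illustration (not code from iTop or from anyone in this thread), here is a Python check a WAF or reverse-proxy admin could use to scope an exception to exactly the request shape quoted above, a single OQL SELECT carried in the `filter` parameter, instead of disabling the SQL injection rule for the whole site. The host name and the JSON layout of `filter` (an array whose first element is the OQL text) are assumptions taken from the blocked URL in the thread.

```python
import json
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed from the blocked URL quoted in the thread, with the real host replaced.
BLOCKED_URL = (
    "http://itop.example/web/pages/UI.php?operation=search"
    "&c%5Bmenu%5D=ConfigManagementOverview"
    "&filter=%5B%22SELECT%20%60PC%60%20FROM%20PC%20AS%20%60PC%60%20WHERE%201%22%2C%5B%5D%2C%5B%5D%5D"
)

# The thread states that OQL accepts only a single SELECT. The allowlist therefore
# requires a leading SELECT and rejects statement separators and SQL write keywords,
# which never belong in a legitimate iTop search request.
OQL_SELECT = re.compile(r"^\s*SELECT\s+\S", re.IGNORECASE)
FORBIDDEN = re.compile(r";|\b(INSERT|UPDATE|DELETE|DROP|ALTER)\b", re.IGNORECASE)


def extract_oql(url: str) -> Optional[str]:
    """Return the OQL text from the filter parameter, or None if the shape is unexpected."""
    raw = parse_qs(urlsplit(url).query).get("filter", [None])[0]
    if raw is None:
        return None
    try:
        parsed = json.loads(raw)  # assumed layout: ["<OQL>", [...], [...]]
    except json.JSONDecodeError:
        return None
    if not (isinstance(parsed, list) and parsed and isinstance(parsed[0], str)):
        return None
    return parsed[0]


def looks_like_itop_oql(url: str) -> bool:
    """True only for the narrow iTop search shape seen in the thread: UI.php, operation=search,
    and a filter holding one OQL SELECT. Anything else should stay subject to the normal WAF rule."""
    parts = urlsplit(url)
    if not parts.path.endswith("/pages/UI.php"):
        return False
    if parse_qs(parts.query).get("operation") != ["search"]:
        return False
    oql = extract_oql(url)
    if oql is None:
        return False
    return bool(OQL_SELECT.match(oql)) and not FORBIDDEN.search(oql)
```

The exception stays narrow: a request that is not a plain single SELECT, or that targets another page or operation, falls back to the default WAF policy.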
Hello,
As a reference: