Date: Sun, 22 Jun 2008 00:37:09 -0700
Reply-To: RolandRB <rolandberry@HOTMAIL.COM>
Sender: "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From: RolandRB <rolandberry@HOTMAIL.COM>
Subject: all your sas macros can be hacked
Content-Type: text/plain; charset=ISO-8859-1

You would be surprised to see how easy it is to hack your SAS macros.
There are macros called "old-style macros" that have been part of the
SAS language for a long time that can be used to substitute code. And
you can use views to insert malicious code inside your production
macros. If your macros are doing something important like dealing with
money or doing regulatory work then you had better make sure your
macros cannot be hacked. I explain how hacking can be done using
old-style macros and using views on the following page. I explain how
you can guard against it. I have just updated the page to show an
anti-hack attempt that will not work. It explains why.

If anyone wants me to do work on their production macros to hopefully
eliminate all attempts at hacking then I am available from the start
of August 2008.