How does ServiceNow deal with SQL prints?
Just as with other cloud platforms, ServiceNow also displays statements on the console when debugging a script. Among other things, these can be SQL statements, which represent the database queries that the program executes to fetch or modify data in the database. In ServiceNow, the GlideRecord API is primarily responsible for managing database interactions.
Why is this an issue?
Among the various data stored in an SQL database, certain elements include sensitive information such as passwords, names, addresses, and more. This data is intended to remain inaccessible to end users.
However, enabling the glide.db.loguser System Property parameter and setting it to true, along with revealing SQL details within error messages on a web page, could potentially empower an attacker to gain unauthorized access to this sensitive data.
How do I fix it?
To protect your instance, it is important to change the System Property responsible for printing the SQL statements. To do so, follow these steps:
In the Filter Navigator, type and enter sys_properties.list.
Search for glide.db.loguser.
Set the Value column to false.
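The same check and fix can be scripted, for example from Scripts - Background. This is an added example, not code from ServiceNow or from the original page: it uses the standard gs.getProperty, gs.setProperty and gs.info calls, while the helper name enforceSqlLoggingOff and its dryRun flag are assumptions made for illustration.

```javascript
// Added example: audit glide.db.loguser and set it to false if it is enabled.
// enforceSqlLoggingOff and dryRun are hypothetical names chosen for this example.
var PROPERTY = 'glide.db.loguser';

function enforceSqlLoggingOff(glideSystem, dryRun) {
  // The second argument is the value returned when no property record exists.
  var raw = glideSystem.getProperty(PROPERTY, null);
  var result = { property: PROPERTY, previous: raw, action: 'none' };

  if (raw === null || raw === undefined) {
    result.action = 'absent';            // nothing stored, nothing to change
    return result;
  }
  // Property values come back as strings; normalise before comparing.
  var enabled = String(raw).trim().toLowerCase() === 'true';
  if (!enabled) {
    result.action = 'compliant';         // already false
    return result;
  }
  if (dryRun) {
    result.action = 'would-disable';     // report only, leave the value alone
    return result;
  }
  glideSystem.setProperty(PROPERTY, 'false');
  result.action = 'disabled';
  return result;
}

// On an instance, gs is supplied by the platform; elsewhere this part is skipped.
if (typeof gs !== 'undefined') {
  var outcome = enforceSqlLoggingOff(gs, false);
  gs.info(outcome.property + ': ' + outcome.action + ' (was ' + outcome.previous + ')');
}
```

Run it with dryRun set to true first to see what would change without writing to sys_properties.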