Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Delete after length check"

From NetSec
Jump to: navigation, search
(Created page with " Delete after length-check (Empty Where Clauses) Proof of concept: ------------------------ While the example here is based on SQL injection, it can apply to other scena...")
 
Line 34: Line 34:
 
   Auditing:
 
   Auditing:
 
     Follow the same auditing steps as listed for unsafe deletion, with an eye towards where clauses or other empty type comparisons that could lead to problematic outcomes.
 
     Follow the same auditing steps as listed for unsafe deletion, with an eye towards where clauses or other empty type comparisons that could lead to problematic outcomes.
 +
 +
[[Category:Secure programming]]

Revision as of 11:05, 2 December 2012

Delete after length-check (Empty Where Clauses)
 Proof of concept:
 
 ------------------------
 While the example here is based on SQL injection, it can apply to other scenarios as well.  Suppose the following php code:
  <?php
  # pwreset.php
  if (strlen($_GET['reset']) == 16) {
    $pwreset_code = preg_replace_all('/([^\w]+)/',,$_GET['reset']); #alphanumeric only.
    $user_query   = "SELECT * FROM user WHERE pwreset_code= '" . $pwresetcode ."' LIMIT 1";
    $user_data    = @mysql_query($user_query);
    ...
  }
  -----------------------
  pwreset.php?reset='''''''''''
  The generated sql statement:
    SELECT * FROM user WHERE pwreset_code= LIMIT 1;
  As reset codes are generated on reset request (forgot password form), this will leave the first user (usually the admin) of the web app exposed to arbitrary password overwrite.
 Mitigation:
 Instead of checking length before replacement, verify after deletion.
  * PHP:
    <?php
    # pwreset.php
    $pwreset_code = preg_replace_all('/([^\w]+)/',,$_GET['reset']); #alphanumeric only.
    if (strlen($pwreset) == 16) {
      $user_query   = "SELECT * FROM user WHERE pwreset_code= '" . $pwresetcode ."' LIMIT 1";
      $user_data    = @mysql_query($user_query);
      ...
    }
 In the wild:
   A Joomla! framework exploit leveraged this weakness for an administrative password reset (2008). 
   CVE 2008-3861 http://www.exploit-db.com/exploits/6234/ 
  
 Auditing:
   Follow the same auditing steps as listed for unsafe deletion, with an eye towards where clauses or other empty type comparisons that could lead to problematic outcomes.