Delete after reformat

From NetSec

Latest revision as of 01:48, 12 May 2013

This vulnerability is caused by reformatting (escaping) a string and then truncating the result to a fixed length. If the cut lands inside an escape sequence, the escaping is undone and the attacker can break out of the quoted context: at the very least the query fails with a syntax error (information disclosure, if the error reaches the user), and with a little more control it becomes SQL injection. For example, suppose a filter runs mysql_real_escape_string() and then truncates the result to 16 characters. The attacker supplies "123456789012345'" (15 digits followed by a single quote, 16 characters in total). mysql_real_escape_string() turns it into "123456789012345\'" (17 characters); truncating to 16 leaves "123456789012345\", ending in a lone backslash. Placed in the query as '123456789012345\', that backslash escapes the closing quote, so the string literal runs on into whatever follows. If the next thing in the query is another attacker-controlled value (a password field, say), the contents of that value now sit outside any string literal and are executed as SQL. The same escape-then-truncate ordering bug applies to any encoder whose output can be longer than its input, HTML encoding against XSS included, since any escape step that lengthens the string can be cut in the middle of a sequence.


Examples

 
<?php
  // Vulnerable: the escaped string is cut to 16 characters, so an escape
  // sequence that straddles the boundary loses its second half.
  $username  = substr(mysql_real_escape_string($_GET['username']), 0, 16);
  $query     = "SELECT * FROM user WHERE username= '" . $username ."'";
  $user_data = @mysql_query($query);
?>
 
 
>>> username = "123456789012345'"
>>> username = username.replace("'", "\\'")
>>> print("SELECT * FROM users WHERE username = '%s'" % username[0:16])
SELECT * FROM users WHERE username = '123456789012345\'
 
  my $username = "123456789012345'";
  $username =~ s/\'/\\'/g;
  $username = substr($username, 0, 16);
  print "$username\n";
 

Mitigation

This attack is mitigated by applying the length limit to the raw input and escaping afterwards, so that the escaped output is never cut: check the raw length and fail (reject the request) when it exceeds the limit, or truncate the raw input, and only then reformat and build the query. Where the database driver supports it, binding the value as a query parameter removes the escaping step, and with it this ordering problem, altogether.

 
<?php
  // Mitigated: check the length of the raw input first, then escape.  The
  // escaped string is never truncated, so a backslash and the character it
  // escapes always stay together.
  if(strlen($_GET['username']) <= 16){
    $username  = mysql_real_escape_string($_GET['username']);
    $query     = "SELECT * FROM user WHERE username= '" . $username ."'";
    $user_data = @mysql_query($query);
    ...
  }
?>
 
 
>>> username = "123456789012345'"
>>> if len(username) <= 16:                      # length check on the raw input
...     username = username.replace("'", "\\'")  # escape last, never cut afterwards
...     print("SELECT * FROM users WHERE username = '%s'" % username)
...
SELECT * FROM users WHERE username = '123456789012345\''
 
 
my $username = "123456789012345'";
if (length($username) <= 16) {      # length check on the raw input
  $username =~ s/\'/\\'/g;          # escape last, never cut afterwards
  print "$username\n";              # 123456789012345\'
}
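The vulnerable and mitigated orderings side by side, as an added example that is not part of the original page. The escape step is a minimal backslash escaper standing in for mysql_real_escape_string() (an assumption), and scan() models how MySQL reads '...' literals (a backslash escapes the next character, '#' outside a literal starts a comment) so the breakout can be shown without a MySQL server. A second attacker-controlled field (a constructed password value) is added to the query to show the injection the trailing backslash enables, and the last function shows the parameterised alternative using Python's bundled sqlite3, chosen only because it needs no server.

```python
import sqlite3

MAX_LEN = 16  # the 16-character limit used in the page's examples


def mysql_escape(s: str) -> str:
    """Minimal stand-in for mysql_real_escape_string() (assumption: only
    backslash and quotes are handled; the real function also escapes NUL,
    newline and a few others, which does not matter here).  Its output is
    longer than its input exactly when something was escaped."""
    return "".join(("\\" + ch) if ch in "\\'\"" else ch for ch in s)


def query_escape_then_truncate(username: str, password: str) -> str:
    """The vulnerable ordering from the page: escape, THEN cut to MAX_LEN.
    A quote at the boundary is left as a lone trailing backslash."""
    u = mysql_escape(username)[:MAX_LEN]
    p = mysql_escape(password)[:MAX_LEN]
    return f"SELECT * FROM user WHERE username='{u}' AND password='{p}'"


def query_truncate_then_escape(username: str, password: str):
    """Mitigated ordering: enforce the limit on the raw input (rejecting
    over-long values rather than silently cutting them), then escape LAST
    so the escaped output is never truncated.  Returns None on rejection."""
    if len(username) > MAX_LEN or len(password) > MAX_LEN:
        return None  # fail closed, as the page's mitigation suggests
    u = mysql_escape(username)
    p = mysql_escape(password)
    return f"SELECT * FROM user WHERE username='{u}' AND password='{p}'"


def scan(query: str):
    """Tokenise a query the way MySQL reads '...' literals: inside a literal
    a backslash escapes the next character (so \\' does not close it), and
    '#' outside a literal starts a comment to end of line.  Returns
    (kind, text) segments with kind in {"sql", "str", "comment"}."""
    segments, buf, i, n = [], [], 0, len(query)

    def flush(kind):
        if buf:
            segments.append((kind, "".join(buf)))
            buf.clear()

    while i < n:
        ch = query[i]
        if ch == "'":
            flush("sql")
            i += 1
            while i < n and query[i] != "'":
                if query[i] == "\\" and i + 1 < n:
                    i += 1  # keep the escaped character, drop the backslash
                buf.append(query[i])
                i += 1
            flush("str")
            i += 1  # skip the closing quote (or run off the end if unterminated)
        elif ch == "#":
            flush("sql")
            buf.extend(query[i:])
            flush("comment")
            break
        else:
            buf.append(ch)
            i += 1
    flush("sql")
    return segments


def injected_sql(query: str) -> str:
    """Everything MySQL would execute as SQL outside string literals;
    attacker-supplied text showing up here means the quoting broke."""
    return "".join(text for kind, text in scan(query) if kind == "sql")


def parameterised_lookup(username: str, password: str):
    """The better fix: bind values instead of building SQL from strings.
    The single row is constructed sample data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE user (username TEXT, password TEXT)")
    con.execute("INSERT INTO user VALUES ('alice', 's3cret')")
    rows = con.execute(
        "SELECT * FROM user WHERE username=? AND password=?",
        (username, password),
    ).fetchall()
    con.close()
    return rows


if __name__ == "__main__":
    # Constructed attacker input: a quote exactly at the truncation boundary,
    # plus SQL in the other field that the swallowed quote lets loose.
    user, pw = "123456789012345'", " OR 1=1#"
    for q in (query_escape_then_truncate(user, pw), query_truncate_then_escape(user, pw)):
        print(q)
        print("  ", scan(q))
    print(parameterised_lookup(user, pw))
```

In the vulnerable query the scanner reports one literal containing "123456789012345' AND password=" followed by " OR 1=1" as bare SQL, which is exactly the authentication bypass; in the mitigated query both values stay inside their own literals, and the parameterised lookup returns no row at all.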
 

Auditing