Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Delete after reformat"

From NetSec
Jump to: navigation, search
Line 5: Line 5:
 
=== Examples ===
 
=== Examples ===
 
* [[PHP]]
 
* [[PHP]]
    <?php
+
{{code|text=<source lang="php">
      $username = substring(mysql_real_escape_string($_GET['username']), 0, 16);
+
<?php
      $query  = "SELECT * FROM user WHERE username= '" . $username ."'";
+
  $username = substring(mysql_real_escape_string($_GET['username']), 0, 16);
      $user_data    = @mysql_query($query);
+
  $query  = "SELECT * FROM user WHERE username= '" . $username ."'";
    ?>
+
  $user_data    = @mysql_query($query);
   
+
?>
 +
</source>}}
 +
 
 
* [[Python]]
 
* [[Python]]
      >>> username = "123456789012345'"
+
{{code|text=<source lang="python">
      >>> username = username.replace("'", "\\'")
+
>>> username = "123456789012345'"
      >>> print("SELECT * FROM users WHERE username = '%s'" % username[0:16])
+
>>> username = username.replace("'", "\\'")
      SELECT * FROM users WHERE username = '123456789012345\'
+
>>> print("SELECT * FROM users WHERE username = '%s'" % username[0:16])
     
+
SELECT * FROM users WHERE username = '123456789012345\'
 +
</source>}}
 +
 
 
* [[Perl]]
 
* [[Perl]]
      my $username = "123456789012345'";
+
{{code|text=<source lang="perl">
      $username =~ s/\'/\\'/g;
+
  my $username = "123456789012345'";
      $username = substr($username, 0, 16);
+
  $username =~ s/\'/\\'/g;
      print "$username\n";
+
  $username = substr($username, 0, 16);
 +
  print "$username\n";
 +
</source>}}
 +
 
 
* [[Ruby]]
 
* [[Ruby]]
  
Line 28: Line 35:
 
      
 
      
 
* [[PHP]]
 
* [[PHP]]
    <?php
+
{{code|text=<source lang="php">
      $username = mysql_real_escape_string(substring($_GET['username'], 0, 16));
+
<?php
      if(strlen($username) == 16){
+
  $username = mysql_real_escape_string(substring($_GET['username'], 0, 16));
          $query  = "SELECT * FROM user WHERE username= '" . $username ."'";
+
  if(strlen($username) == 16){
          $user_data    = @mysql_query($query);
+
    $query  = "SELECT * FROM user WHERE username= '" . $username ."'";
          ...
+
    $user_data    = @mysql_query($query);
      }
+
    ...
    ?>
+
  }
   
+
?>
 +
</source>}}
 
* [[Python]]
 
* [[Python]]
      >>> username = "123456789012345'"
+
{{code|text=<source lang="python">
      >>> username = username[0:16].replace("'", "\\'")
+
>>> username = "123456789012345'"
      >>> if len(username) == 16:
+
>>> username = username[0:16].replace("'", "\\'")
      ...        print("SELECT * FROM users WHERE username = '%s'" % username)
+
>>> if len(username) == 16:
    * Perl:   
+
...        print("SELECT * FROM users WHERE username = '%s'" % username)
      my $username = "123456789012345'";
+
</source>}}
      $username = substr($username, 0, 16);
+
 
      $username =~ s/\'/\\'/g;
+
* [[Perl]]
      if (length $username == 16){
+
{{code|text=<source lang="perl">
        print "$username\n";
+
my $username = "123456789012345'";
      }
+
$username = substr($username, 0, 16);
   
+
$username =~ s/\'/\\'/g;
 +
if (length $username == 16){
 +
  print "$username\n";
 +
}
 +
</source>}}
 +
 
 
   Auditing:
 
   Auditing:
  
 
[[Category:Secure programming]]
 
[[Category:Secure programming]]

Revision as of 01:47, 12 May 2013

Deletion or truncation after reformat This vulnerability is caused by reformatting a string and then truncating it to a specific length, this allows an attacker to trigger an error and possibly execute code. For example, if we have a filter that runs mysql_real_escape_string() and then truncates the string to 16 characters, we could run into this problem. The attacker inputs "123456789012345'", when run through mysql_real_escape_string() it becomes "123456789012345\'", when truncated to 16 characters, this string finally becomes "123456789012345\", which would escape the quotes surrounding it. This would at the very least cause an error for information disclosure, but could also lead to sql injection and xss.


Examples

 
<?php
  $username = substring(mysql_real_escape_string($_GET['username']), 0, 16);
  $query   = "SELECT * FROM user WHERE username= '" . $username ."'";
  $user_data    = @mysql_query($query);
?>
 
 
>>> username = "123456789012345'"
>>> username = username.replace("'", "\\'")
>>> print("SELECT * FROM users WHERE username = '%s'" % username[0:16])
SELECT * FROM users WHERE username = '123456789012345\'
 
  my $username = "123456789012345'";
  $username =~ s/\'/\\'/g;
  $username = substr($username, 0, 16);
  print "$username\n";
 

Mitigation

This attack can be mitigated by truncating the input before reformatting and checking the length (failing if not correct).

 
<?php
  $username = mysql_real_escape_string(substring($_GET['username'], 0, 16));
  if(strlen($username) == 16){
    $query   = "SELECT * FROM user WHERE username= '" . $username ."'";
    $user_data    = @mysql_query($query);
    ...
  }
?>
 
 
>>> username = "123456789012345'"
>>> username = username[0:16].replace("'", "\\'")
>>> if len(username) == 16:
...        print("SELECT * FROM users WHERE username = '%s'" % username)
 
 
my $username = "123456789012345'";
$username = substr($username, 0, 16);
$username =~ s/\'/\\'/g;
if (length $username == 16){
  print "$username\n";
}
 
 Auditing: