This vulnerability is caused by reformatting a string and then truncating it to a specific length, this allows an attacker to trigger an error and possibly execute code. For example, if we have a filter that runs mysql_real_escape_string() and then truncates the string to 16 characters, we could run into this problem. The attacker inputs "123456789012345'", when run through mysql_real_escape_string() it becomes "123456789012345\'", when truncated to 16 characters, this string finally becomes "123456789012345\", which would escape the quotes surrounding it. This would at the very least cause an error for information disclosure, but could also lead to sql injection and xss.
Examples
<?php
$username = substring(mysql_real_escape_string($_GET['username']), 0, 16);
$query = "SELECT * FROM user WHERE username= '" . $username ."'";
$user_data = @mysql_query($query);
?>
|
>>> username = "123456789012345'"
>>> username = username.replace("'", "\\'")
>>> print("SELECT * FROM users WHERE username = '%s'" % username[0:16])
SELECT * FROM users WHERE username = '123456789012345\'
|
my $username = "123456789012345'";
$username =~ s/\'/\\'/g;
$username = substr($username, 0, 16);
print "$username\n";
|
Mitigation
This attack can be mitigated by truncating the input before reformatting and checking the length (failing if not correct).
<?php
$username = mysql_real_escape_string(substring($_GET['username'], 0, 16));
if(strlen($username) == 16){
$query = "SELECT * FROM user WHERE username= '" . $username ."'";
$user_data = @mysql_query($query);
...
}
?>
|
>>> username = "123456789012345'"
>>> username = username[0:16].replace("'", "\\'")
>>> if len(username) == 16:
... print("SELECT * FROM users WHERE username = '%s'" % username)
|
my $username = "123456789012345'";
$username = substr($username, 0, 16);
$username =~ s/\'/\\'/g;
if (length $username == 16){
print "$username\n";
}
|
Auditing