Questions about this topic? Sign up to ask in the talk tab.

Improper signedness

From NetSec
Revision as of 11:06, 2 December 2012 by JtRIPper (Talk | contribs)

Jump to: navigation, search

Improper signedness

  Improper signedness is caused by allowing signed data when expecting unsigned data. This can cause information disclosure or even code execution in extreme circumstances. Our previous "fixed" code in the "Integer Handled as String" section does still have this problem. It is handled as an integer but the sign is not considered, as "-10" is still a valid integer, this will slip through the (int) cast. Therefore, we need to pass this to the abs() function which takes the absolute value of the data.
      
  Mitigation:
  
   PHP:
     <?php
       $id = abs((int)$_GET['id']);
       @mysql_query("SELECT * FROM user WHERE user_id = " . $id . " LIMIT 1");
     ?>
  
  Auditing:
Unparamaterized Statements:

Examples:

Mitigation:
       Rails:
           user = User.Find(:conditions => ['id = ?', params[id]]   
Auditing: