Unsanitized input split

From NetSec
Revision as of 11:08, 2 December 2012 by JtRIPper (Talk | contribs) (Created page with " Unsanitized input split If input is being split and parsed based on an expected number of delimiters, it is trivial for an attacker to input an extra delimiter and, d...")

       If input is split into fields on a delimiter and the parser assumes a fixed number of fields, it is trivial for an attacker to include an extra delimiter in the input and, depending on the severity of the issue, execute code or cause other damage.
       
   Proof of concept:
 * PHP:
   <?php
     // The first command-line argument is taken as the username, unsanitized
     $username = $argv[1];
     // A privilege flag is appended using ":" as the field delimiter
     if ($username == "admin") {
       $username = $username . ":1";
     } else {
       $username = $username . ":0";
     }
     // split() was removed in PHP 7; explode() gives the same result for a literal ":"
     $username = explode(":", $username);
     // Only the second field is checked, so a ":" in the input lets the attacker control it
     if ($username[1] == "1") {
       echo "Is an admin\n";
     } else {
       echo "Not an admin\n";
     }
   ?>
   Mitigation:
   
   In order to mitigate this attack, sanitize input before splitting. Be certain that there are no malicious delimiters. For example:
   
 * PHP:
   <?php
     // Strip every delimiter from the input before it can reach the split
     $username = str_replace(":", "", $argv[1]);
     // A privilege flag is appended using ":" as the field delimiter
     if ($username == "admin") {
       $username = $username . ":1";
     } else {
       $username = $username . ":0";
     }
     // split() was removed in PHP 7; explode() gives the same result for a literal ":"
     $username = explode(":", $username);
     // The record now always has exactly two fields, so field 2 is the flag set above
     if ($username[1] == "1") {
       echo "Is an admin\n";
     } else {
       echo "Not an admin\n";
     }
   ?>
   
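The following is an added example and not part of the original wiki page. It wraps the vulnerable and mitigated parsers above in functions (the names is_admin_vulnerable, is_admin_mitigated and is_admin_strict are ours) and runs them over a few constructed usernames so the effect of a stray delimiter, and of each fix, can be compared side by side. The strict variant goes beyond the page's str_replace fix: it rejects input containing the delimiter instead of silently rewriting it, and it verifies the field count after the split.

```php
<?php
// Added example (not from the NetSec page). Helper names are our own.

// Mirrors the proof of concept: no sanitisation, only field 2 is checked.
function is_admin_vulnerable(string $input): bool
{
    $record = ($input === "admin") ? $input . ":1" : $input . ":0";
    $fields = explode(":", $record);
    return $fields[1] === "1";
}

// Mirrors the page's mitigation: strip every ":" before building the record.
function is_admin_mitigated(string $input): bool
{
    $clean  = str_replace(":", "", $input);
    $record = ($clean === "admin") ? $clean . ":1" : $clean . ":0";
    $fields = explode(":", $record);
    return $fields[1] === "1";
}

// Stricter alternative (our suggestion, not the page's): refuse input that
// contains the delimiter, and confirm the field count after the split so a
// stray delimiter anywhere in the pipeline is reported rather than ignored.
function is_admin_strict(string $input): bool
{
    if (strpos($input, ":") !== false) {
        throw new InvalidArgumentException("username may not contain ':'");
    }
    $record = ($input === "admin") ? $input . ":1" : $input . ":0";
    $fields = explode(":", $record);
    if (count($fields) !== 2) {
        throw new UnexpectedValueException("expected 2 fields, got " . count($fields));
    }
    return $fields[1] === "1";
}

// Constructed test inputs: a real admin, an ordinary user, and a user name
// that carries an extra delimiter and a forged flag.
$cases = ["admin", "bob", "bob:1"];

foreach ($cases as $input) {
    $vuln = is_admin_vulnerable($input) ? "admin" : "user";
    $miti = is_admin_mitigated($input) ? "admin" : "user";
    try {
        $strict = is_admin_strict($input) ? "admin" : "user";
    } catch (Exception $e) {
        $strict = "rejected (" . $e->getMessage() . ")";
    }
    printf("%-8s vulnerable=%-6s mitigated=%-6s strict=%s\n",
           var_export($input, true), $vuln, $miti, $strict);
}
```

Run with `php example.php`. Only the vulnerable parser reports the third input as an admin: the extra ":" pushes the attacker-supplied "1" into field 2 and the real flag into field 3, which is never read. The mitigated parser strips the delimiter and evaluates "bob1" as an ordinary user, and the strict parser refuses the input outright. Rejecting rather than stripping also avoids a side effect of str_replace worth knowing about when auditing: "admin:" is silently rewritten to "admin", so the sanitised value no longer matches what the caller actually sent.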
   Auditing: