Questions about this topic? Sign up to ask in the talk tab.

Unsanitized input split

From NetSec
Revision as of 01:59, 12 May 2013 by JtRIPper (Talk | contribs)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

If input is being split and parsed based on an expected number of delimiters, it is trivial for an attacker to input an extra delimiter and, depending on the severity of the issue, execute code or engage in other mayhem.

Proof of concept

 
<?php
  $username = $argv[1];
  if ($username == "admin") {
    $username = $username . ":1";
  } else {
    $username = $username . ":0";
  }
  $username = split(":", $username);
  if($username[1] == "1") {
    echo "Is an admin\n";
  } else {
    echo "Not an admin\n";
  }
?>
 

Mitigation

In order to mitigate this attack, sanitize input before splitting. Be certain that there are no malicious delimeters. For example: 

 
<?php
  $username = str_replace(":", "", $argv[1]);
  if ($username == "admin") {
    $username = $username . ":1";
  } else {
    $username = $username . ":0";
  }
  $username = split(":", $username);
  if($username[1] == "1") {
    echo "Is an admin\n";
  } else {
    echo "Not an admin\n";
  }
?>
 

Auditing

Retrieved from "http://nets.ec/index.php?title=Unsanitized_input_split&oldid=10858"