Questions about this topic? Sign up to ask in the talk tab.
Difference between revisions of "Delete after reformat"
From NetSec
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | |||
This vulnerability is caused by reformatting a string and then truncating it to a specific length, this allows an attacker to trigger an error and possibly execute code. For example, if we have a filter that runs mysql_real_escape_string() and then truncates the string to 16 characters, we could run into this problem. The attacker inputs "123456789012345'", when run through mysql_real_escape_string() it becomes "123456789012345\'", when truncated to 16 characters, this string finally becomes "123456789012345\", which would escape the quotes surrounding it. This would at the very least cause an error for information disclosure, but could also lead to sql injection and xss. | This vulnerability is caused by reformatting a string and then truncating it to a specific length, this allows an attacker to trigger an error and possibly execute code. For example, if we have a filter that runs mysql_real_escape_string() and then truncates the string to 16 characters, we could run into this problem. The attacker inputs "123456789012345'", when run through mysql_real_escape_string() it becomes "123456789012345\'", when truncated to 16 characters, this string finally becomes "123456789012345\", which would escape the quotes surrounding it. This would at the very least cause an error for information disclosure, but could also lead to sql injection and xss. | ||
| Line 5: | Line 4: | ||
=== Examples === | === Examples === | ||
* [[PHP]] | * [[PHP]] | ||
| − | + | {{code|text=<source lang="php"> | |
| − | + | <?php | |
| − | + | $username = substring(mysql_real_escape_string($_GET['username']), 0, 16); | |
| − | + | $query = "SELECT * FROM user WHERE username= '" . $username ."'"; | |
| − | + | $user_data = @mysql_query($query); | |
| − | + | ?> | |
| + | </source>}} | ||
| + | |||
* [[Python]] | * [[Python]] | ||
| − | + | {{code|text=<source lang="python"> | |
| − | + | >>> username = "123456789012345'" | |
| − | + | >>> username = username.replace("'", "\\'") | |
| − | + | >>> print("SELECT * FROM users WHERE username = '%s'" % username[0:16]) | |
| − | + | SELECT * FROM users WHERE username = '123456789012345\' | |
| + | </source>}} | ||
| + | |||
* [[Perl]] | * [[Perl]] | ||
| − | + | {{code|text=<source lang="perl"> | |
| − | + | my $username = "123456789012345'"; | |
| − | + | $username =~ s/\'/\\'/g; | |
| − | + | $username = substr($username, 0, 16); | |
| + | print "$username\n"; | ||
| + | </source>}} | ||
| + | |||
* [[Ruby]] | * [[Ruby]] | ||
| Line 28: | Line 34: | ||
* [[PHP]] | * [[PHP]] | ||
| − | + | {{code|text=<source lang="php"> | |
| − | + | <?php | |
| − | + | $username = mysql_real_escape_string(substring($_GET['username'], 0, 16)); | |
| − | + | if(strlen($username) == 16){ | |
| − | + | $query = "SELECT * FROM user WHERE username= '" . $username ."'"; | |
| − | + | $user_data = @mysql_query($query); | |
| − | + | ... | |
| − | + | } | |
| − | + | ?> | |
| + | </source>}} | ||
* [[Python]] | * [[Python]] | ||
| − | + | {{code|text=<source lang="python"> | |
| − | + | >>> username = "123456789012345'" | |
| − | + | >>> username = username[0:16].replace("'", "\\'") | |
| − | + | >>> if len(username) == 16: | |
| − | + | ... print("SELECT * FROM users WHERE username = '%s'" % username) | |
| − | + | </source>}} | |
| − | + | ||
| − | + | * [[Perl]] | |
| − | + | {{code|text=<source lang="perl"> | |
| − | + | my $username = "123456789012345'"; | |
| − | + | $username = substr($username, 0, 16); | |
| − | + | $username =~ s/\'/\\'/g; | |
| − | + | if (length $username == 16){ | |
| + | print "$username\n"; | ||
| + | } | ||
| + | </source>}} | ||
| + | |||
| + | =Auditing= | ||
[[Category:Secure programming]] | [[Category:Secure programming]] | ||
Latest revision as of 02:48, 12 May 2013
This vulnerability is caused by reformatting a string and then truncating it to a specific length, this allows an attacker to trigger an error and possibly execute code. For example, if we have a filter that runs mysql_real_escape_string() and then truncates the string to 16 characters, we could run into this problem. The attacker inputs "123456789012345'", when run through mysql_real_escape_string() it becomes "123456789012345\'", when truncated to 16 characters, this string finally becomes "123456789012345\", which would escape the quotes surrounding it. This would at the very least cause an error for information disclosure, but could also lead to sql injection and xss.
Examples
<?php $username = substring(mysql_real_escape_string($_GET['username']), 0, 16); $query = "SELECT * FROM user WHERE username= '" . $username ."'"; $user_data = @mysql_query($query); ?> |
>>> username = "123456789012345'" >>> username = username.replace("'", "\\'") >>> print("SELECT * FROM users WHERE username = '%s'" % username[0:16]) SELECT * FROM users WHERE username = '123456789012345\' |
my $username = "123456789012345'"; $username =~ s/\'/\\'/g; $username = substr($username, 0, 16); print "$username\n"; |
Mitigation
This attack can be mitigated by truncating the input before reformatting and checking the length (failing if not correct).
<?php $username = mysql_real_escape_string(substring($_GET['username'], 0, 16)); if(strlen($username) == 16){ $query = "SELECT * FROM user WHERE username= '" . $username ."'"; $user_data = @mysql_query($query); ... } ?> |
>>> username = "123456789012345'" >>> username = username[0:16].replace("'", "\\'") >>> if len(username) == 16: ... print("SELECT * FROM users WHERE username = '%s'" % username) |
my $username = "123456789012345'"; $username = substr($username, 0, 16); $username =~ s/\'/\\'/g; if (length $username == 16){ print "$username\n"; } |
