Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Delete after reformat"

From NetSec
Jump to: navigation, search
Line 1: Line 1:
 
Deletion or truncation after reformat
 
Deletion or truncation after reformat
  This vulnerability is caused by reformatting a string and then truncating it to a specific length, this allows an attacker to trigger an error and possibly execute code. For example, if we have a filter that runs mysql_real_escape_string() and then truncates the string to 16 characters, we could run into this problem. The attacker inputs "123456789012345'", when run through mysql_real_escape_string() it becomes "123456789012345\'", when truncated to 16 characters, this string finally becomes "123456789012345\", which would escape the quotes surrounding it. This would at the very least cause an error for information disclosure, but could also lead to sql injection and xss.
+
This vulnerability is caused by reformatting a string and then truncating it to a specific length, this allows an attacker to trigger an error and possibly execute code. For example, if we have a filter that runs mysql_real_escape_string() and then truncates the string to 16 characters, we could run into this problem. The attacker inputs "123456789012345'", when run through mysql_real_escape_string() it becomes "123456789012345\'", when truncated to 16 characters, this string finally becomes "123456789012345\", which would escape the quotes surrounding it. This would at the very least cause an error for information disclosure, but could also lead to sql injection and xss.
  Examples:
+
 
  * PHP:
+
 
 +
=== Examples ===
 +
* [[PHP]]
 
     <?php
 
     <?php
 
       $username = substring(mysql_real_escape_string($_GET['username']), 0, 16);
 
       $username = substring(mysql_real_escape_string($_GET['username']), 0, 16);
Line 9: Line 11:
 
     ?>
 
     ?>
 
      
 
      
    * Python:
+
* [[Python]]
 
       >>> username = "123456789012345'"
 
       >>> username = "123456789012345'"
 
       >>> username = username.replace("'", "\\'")
 
       >>> username = username.replace("'", "\\'")
Line 15: Line 17:
 
       SELECT * FROM users WHERE username = '123456789012345\'
 
       SELECT * FROM users WHERE username = '123456789012345\'
 
        
 
        
    * Perl:
+
* [[Perl]]
 
       my $username = "123456789012345'";
 
       my $username = "123456789012345'";
 
       $username =~ s/\'/\\'/g;
 
       $username =~ s/\'/\\'/g;
 
       $username = substr($username, 0, 16);
 
       $username = substr($username, 0, 16);
 
       print "$username\n";
 
       print "$username\n";
    Ruby:
+
* [[Ruby]]
  Mitigation:
+
 
    This attack can be mitigated by truncating the input before reformatting and checking the length (failing if not correct).
+
=== Mitigation ===
 +
This attack can be mitigated by truncating the input before reformatting and checking the length (failing if not correct).
 
      
 
      
  * PHP:
+
* [[PHP]]
 
     <?php
 
     <?php
 
       $username = mysql_real_escape_string(substring($_GET['username'], 0, 16));
 
       $username = mysql_real_escape_string(substring($_GET['username'], 0, 16));
Line 34: Line 37:
 
     ?>
 
     ?>
 
      
 
      
    * Python:
+
* [[Python]]
 
       >>> username = "123456789012345'"
 
       >>> username = "123456789012345'"
 
       >>> username = username[0:16].replace("'", "\\'")
 
       >>> username = username[0:16].replace("'", "\\'")

Revision as of 02:39, 12 May 2013

Deletion or truncation after reformat This vulnerability is caused by reformatting a string and then truncating it to a specific length, this allows an attacker to trigger an error and possibly execute code. For example, if we have a filter that runs mysql_real_escape_string() and then truncates the string to 16 characters, we could run into this problem. The attacker inputs "123456789012345'", when run through mysql_real_escape_string() it becomes "123456789012345\'", when truncated to 16 characters, this string finally becomes "123456789012345\", which would escape the quotes surrounding it. This would at the very least cause an error for information disclosure, but could also lead to sql injection and xss.


Examples

    <?php
      $username = substring(mysql_real_escape_string($_GET['username']), 0, 16);
      $query   = "SELECT * FROM user WHERE username= '" . $username ."'";
      $user_data    = @mysql_query($query);
    ?>
    

     >>> username = "123456789012345'"
     >>> username = username.replace("'", "\\'")
     >>> print("SELECT * FROM users WHERE username = '%s'" % username[0:16])
     SELECT * FROM users WHERE username = '123456789012345\'
     

     my $username = "123456789012345'";
     $username =~ s/\'/\\'/g;
     $username = substr($username, 0, 16);
     print "$username\n";

Mitigation

This attack can be mitigated by truncating the input before reformatting and checking the length (failing if not correct). 

    <?php
      $username = mysql_real_escape_string(substring($_GET['username'], 0, 16));
      if(strlen($username) == 16){
         $query   = "SELECT * FROM user WHERE username= '" . $username ."'";
         $user_data    = @mysql_query($query);
         ...
      }
    ?>
    

     >>> username = "123456789012345'"
     >>> username = username[0:16].replace("'", "\\'")
     >>> if len(username) == 16:
     ...        print("SELECT * FROM users WHERE username = '%s'" % username)
   * Perl:    
     my $username = "123456789012345'";
     $username = substr($username, 0, 16);
     $username =~ s/\'/\\'/g;
     if (length $username == 16){
       print "$username\n";
     }
    
 Auditing:
Retrieved from "http://nets.ec/index.php?title=Delete_after_reformat&oldid=10838"