
Difference between revisions of "Improper signedness"

From NetSec

Latest revision as of 02:51, 12 May 2013

Improper signedness is caused by accepting signed data where unsigned data is expected. This can lead to information disclosure or, in extreme circumstances, even code execution. Our previous "fixed" code in the "Integer Handled as String" section still has this problem: the value is handled as an integer, but its sign is not considered, so "-10" is still a valid integer and slips through the (int) cast. Therefore we need to pass the value through the abs() function, which takes its absolute value.

Mitigation

PHP

<?php
  // Cast to int first, then abs() removes the sign: "-10" becomes 10, "abc" becomes 0
  $id = abs((int)$_GET['id']);
  // $id is now a non-negative integer before it is concatenated into the query
  @mysql_query("SELECT * FROM user WHERE user_id = " . $id . " LIMIT 1");
?>

Auditing

Unparameterized Statements

Examples

Mitigation

Rails

# to_i casts the parameter to an integer and abs drops the sign;
# the ? placeholder keeps the id out of the SQL string itself
user = User.find(:first, :conditions => ['id = ?', params[:id].to_i.abs])
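The cast-then-abs() pattern from the paragraph above and this Rails snippet, as an added example that is not from the NetSec page: plain Ruby (no Rails), with constructed sample inputs standing in for params[:id], showing what a bare cast lets through, what abs() does to it, and a stricter variant (the strict_unsigned helper is an assumption of this example) that rejects a signed value instead of silently mapping it onto a different record.

```ruby
# Added example, not code from the NetSec page. Plain Ruby, no Rails required.

# The "Integer Handled as String" style fix: cast only. "-10" survives as -10.
def cast_only(raw)
  raw.to_i
end

# The page's mitigation: cast, then take the absolute value.
def cast_and_abs(raw)
  raw.to_i.abs
end

# Stricter alternative (hypothetical helper): accept only an unsigned decimal
# string and return nil for anything else, so the caller can reject the request
# rather than look up whichever record abs() happens to map "-10" onto.
def strict_unsigned(raw)
  return nil unless raw.is_a?(String) && raw.match?(/\A\d+\z/)
  raw.to_i
end

# Build the same query the page shows, to see exactly what reaches the database.
def user_query(id)
  "SELECT * FROM user WHERE user_id = #{id} LIMIT 1"
end

if __FILE__ == $0
  # Constructed sample inputs resembling values of params[:id] / $_GET['id'].
  %w[10 -10 10abc -0 abc].each do |raw|
    puts format("%-8s cast=%-4d abs=%-4d strict=%s", raw.inspect,
                cast_only(raw), cast_and_abs(raw), strict_unsigned(raw).inspect)
  end
end
```

Note that to_i is lenient: "10abc" casts to 10 and "abc" to 0, which abs() does not change, so the strict check is the one that actually tells well-formed input from malformed input.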

Auditing