Questions about this topic? Sign up to ask in the talk tab.

Difference between revisions of "Unsanitized input split"

From NetSec
Jump to: navigation, search
(Created page with " Unsanitized input split If input is being split and parsed based on an expected number of delimiters, it is trivial for an attacker to input an extra delimiter and, d...")
(No difference)

Revision as of 12:08, 2 December 2012

   Unsanitized input split
       If input is being split and parsed based on an expected number of delimiters, it is trivial for an attacker to input an extra delimiter and, depending on the severity of the issue, execute code or engage in other mayhem.
       
   Proof of concept:
 * PHP:
   <?php
     $username = $argv[1];
     if ($username == "admin") {
       $username = $username . ":1";
     } else {
       $username = $username . ":0";
    }
    $username = split(":", $username);
    if($username[1] == "1") {
      echo "Is an admin\n";
    } else {
      echo "Not an admin\n";
    }
   ?>
   Mitigation:
   
   In order to mitigate this attack, sanitize input before splitting. Be certain that there are no malicious delimeters. For example:
   
 * PHP:
   <?php
     $username = str_replace(":", "", $argv[1]);
     if ($username == "admin") {
       $username = $username . ":1";
     } else {
       $username = $username . ":0";
    }
    $username = split(":", $username);
    if($username[1] == "1") {
      echo "Is an admin\n";
    } else {
      echo "Not an admin\n";
    }
   ?>
   
   Auditing:
Retrieved from "http://nets.ec/index.php?title=Unsanitized_input_split&oldid=10667"