[21495] in bugtraq


Re: Multiple CGI Flat File Database Manipulation Vulnerability

daemon@ATHENA.MIT.EDU (3EV Ltd)
Sun Jul 15 23:56:00 2001

Message-Id: <3.0.6.32.20010712124322.0086c100@pop3.inweb.co.uk>
Date: Thu, 12 Jul 2001 12:43:22 +0100
To: bugtraq@securityfocus.com
From: 3EV Ltd <info@3ev.com>
In-Reply-To: <4.3.2.7.2.20010711215403.00afd9b0@compumodel.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 22:03 11/07/01 -0400, you wrote:
>Product: Numerous CGI's
[snip]
>Cause: Failure to validate input

The pipe character is often used as a delimiter in flatfile databases, sure, but there are many more reasons for filtering pipes out of user input!

This really is as old as the hills.
The example given is relatively minor compared to more sophisticated techniques, and is hardly worth an advisory all to itself IMHO.  *If you are not sanitising user input you should not be writing CGI scripts.*

>Solution:
>Ideally, SQL databases should be used instead of flat file databases.

Hardly.  Whilst you may prevent this specific method, by using an SQL implementation you open up a whole new can of worms, where ' and " can be used for similar tricks, which is more likely to be required in user data than a comparatively uncommon pipe.  (See the 'MySQL Reference Manual' Chapters 6.1 & 6.2.)  If you still aren't sanitising properly, using SQL (or anything else for that matter) is just as dangerous!

I'd advise sanitising input properly in the first place, regardless of back-end:
http://www.cert.org/tech_tips/cgi_metacharacters.html

More issues to be aware of (from rfp):
http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=2

... or see Phrack issue 55.

Jon Whitlock.
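The point made in this reply, as an added illustration that is not part of the original post or of any of the CGI scripts the advisory covered: a pipe-delimited flat file is corrupted the moment an unvalidated field containing `|` is joined into a record, and the fix is to validate every field against a whitelist before it is stored, not to swap back ends. The schema, field names, regex and sample records below are constructed for the example; the same whitelist also rejects the `'` and `"` characters the reply mentions for SQL back ends.

```python
import re

DELIM = "|"
FIELDS = ("username", "email", "role")  # constructed schema for the example

# Whitelist of characters a field may contain. Input outside it (including
# '|', quotes, newlines and shell metacharacters) is rejected outright rather
# than filtered, so the same rule protects a flat file or an SQL back end.
SAFE_FIELD = re.compile(r"^[A-Za-z0-9@._-]{1,64}$")


def serialize_record(values):
    """The flawed approach: join user-supplied fields with '|' unvalidated."""
    return DELIM.join(values)


def parse_record(line):
    """Split one stored line back into its fields."""
    return line.rstrip("\n").split(DELIM)


def validate_field(name, value):
    """Accept a field only if every character is on the whitelist."""
    if not SAFE_FIELD.fullmatch(value):
        raise ValueError(f"field {name!r} contains disallowed characters")
    return value


def safe_serialize_record(values):
    """Validate each field against the schema before joining into a record."""
    if len(values) != len(FIELDS):
        raise ValueError("wrong number of fields")
    return DELIM.join(validate_field(n, v) for n, v in zip(FIELDS, values))


def audit_database(lines):
    """Return indexes of stored lines whose field count does not match the
    schema: a cheap check for records written without validation."""
    return [i for i, line in enumerate(lines)
            if len(parse_record(line)) != len(FIELDS)]


if __name__ == "__main__":
    # Constructed user input: a username carrying the delimiter.
    tainted = ("bob|admin", "bob@example.com", "user")

    corrupted = serialize_record(tainted)
    print("naive record :", corrupted)
    print("parsed back  :", parse_record(corrupted))  # four fields, role shifted

    db = ["alice|alice@example.com|user", corrupted]
    print("bad records  :", audit_database(db))

    try:
        safe_serialize_record(tainted)
    except ValueError as exc:
        print("rejected     :", exc)

    print("clean record :", safe_serialize_record(("bob", "bob@example.com", "user")))
```

Rejecting rather than stripping keeps the stored data equal to what the user actually sent, and `audit_database` gives a quick way to find records that an older, unvalidated version of a script may already have written.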
