From: Tony Welsh (listsevolvedcode.net)
Date: Thu Jan 17 2002 - 14:14:18 CST

    One thing that was not mentioned (although it is solved by the parsing section
    of the solution) is SQL injection. Not sure if this is of use - I'd
    consider it as "one-dimensional" as the SSI scenario, so I thought I'd
    suggest it.

    For any comprehensive tracking / statistics purposes you will quickly find
    yourself using a database - mostly as it will scale much better under load,
    but also because it allows fast real-time analysis for all the data gathered
    (which adds $$$ as a selling point of a package I'd imagine).

    Why does this present a problem?

    If the most efficient route to get that data stored is to directly input it
    into the database that is the route you would expect the component to take -
    it introduces the minimum delay in the storage process and therefore gives
    faster performance.

    Now assuming the procedure it used to store the data did not modify the
    headers at all, it would be trivial to modify those headers to insert your
    own sql commands - at this point whatever level of database access the
    component has, the attacker now has.

    As a minimum it would allow them to stop their own actions appearing here
    (since deformed inserts will not commit) as well as making their own inserts
    (since the component needed to in order to store data); if there were weak
    permissions (or no permissions) the possibilities are endless.

    Regards - Tony

    -----Original Message-----
    From: zeno [mailto:bugtraqcgisecurity.net]
    Sent: 16 January 2002 16:06
    To: webappsecsecurityfocus.com
    Subject: Header paper/Web Stats software

    Hello,

    I have a question. I'm writing a paper on header manipulation on web
    statistics software involving injection of HTML, SSI, JavaScript, VBScript, etc.
    I've managed to find examples of all of the above. I have not found any PHP
    examples though. I'm not a PHP coder so I have a few questions.

    First read this UNFINISHED PAPER/UNEDITED.
    http://www.cgisecurity.net/papers/header-based-exploitation.txt
    (Probably riddled with errors so don't flame me horribly)

    Then is it possible to insert PHP commands? I wrote in the paper it was
    based off of theory, but theory doesn't always cut the cheese. This isn't going
    to be published until I correct the errors. Also, would Tcl, Python, XML, or
    others have this same issue?

    Thanks

    - zenomorph

    PS: be nice :)

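To make Tony's point about stats loggers writing raw headers into a database concrete, here is an added example (not part of the thread or of any product it mentions) in Python against an in-memory SQLite table: one logger pastes User-Agent and Referer straight into an INSERT, the other binds them as parameters. The header values are constructed; an ordinary apostrophe in a browser string is enough to break the unsafe insert (the "deformed inserts will not commit" case), while the bound version stores it verbatim.

```python
import sqlite3

# Constructed sample request headers, as a web-stats logger might receive them.
# The apostrophes are the only thing that matters here; no crafted payload.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/4.0 (compatible; Bob's browser)",
    "Referer": "http://example.invalid/page?q=it's",
}

def make_db():
    """In-memory hits table standing in for the tracking database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits (user_agent TEXT, referer TEXT)")
    return conn

def log_hit_unsafe(conn, headers):
    """The pattern Tony describes: header text spliced into the SQL string.
    Any quote in a header changes the statement itself, so a stray apostrophe
    makes the insert fail, and a hostile value would execute as SQL."""
    sql = "INSERT INTO hits VALUES ('%s', '%s')" % (
        headers.get("User-Agent", ""), headers.get("Referer", ""))
    conn.execute(sql)
    conn.commit()

def log_hit_safe(conn, headers):
    """Hardened form: bound parameters keep header text as data, never as SQL."""
    conn.execute(
        "INSERT INTO hits VALUES (?, ?)",
        (headers.get("User-Agent", ""), headers.get("Referer", "")),
    )
    conn.commit()

def insert_result(logger, headers):
    """Run one logger against a fresh DB; return ('ok', rows) or ('error', msg)."""
    conn = make_db()
    try:
        logger(conn, headers)
    except sqlite3.Error as exc:
        return ("error", str(exc))
    rows = conn.execute("SELECT user_agent, referer FROM hits").fetchall()
    return ("ok", rows)

if __name__ == "__main__":
    print("unsafe:", insert_result(log_hit_unsafe, SAMPLE_HEADERS))
    print("safe:  ", insert_result(log_hit_safe, SAMPLE_HEADERS))
```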