OSEC

From: Lincoln Yeoh (lyeohPOP.JARING.MY)
Date: Fri Apr 06 2001 - 04:45:23 CDT


    At 11:18 AM 04-03-2001 -0500, Franklin DeMatto wrote:
    >My question for the list is as follows: What did I miss? Most of the real
    >damage in my list can be eliminated with just a few lines of extra code -
    >the major problem being that most CGI programmers don't know/care. But I'm
    >sure there are some other problems, harder to exploit but harder for the
    >programmer to avoid as well, that are out there. Anyone . . . ?

    There are usually more ways to do things wrong than right, so having a
    comprehensive list is going to be rather difficult. I suppose you're
    looking for the popular ways of doing things wrong/insecurely?

    Passing stuff straight to a database engine without quoting it, without
    length checking or validation. Often you can just stick a ' into various
    parameters and watch for signs. Often default database interface quote
    functions don't quote out % or _ or whatever symbols have special
    meaning in LIKE queries, so you have to do those yourself.

    Also if your app allows display of arbitrary html data from 3rd party
    sources, attackers can often get other users of your app to do undesirable
    stuff.

    Sending arbitrary stuff to error logs can cause problems sometimes. There
    may be problems with syslog, or the stuff used to view the logs. So
    stripping and truncating stuff a bit might be a good idea, but you could
    lose vital info.

    Also a lot of it is to do with not thinking clearly. Control of server
    reality should only be given to the server. Users should not be able to
    redefine reality, only suggest changes. There are cases where just changing
    a cgi parameter gives you access that you should not have - e.g. set
    userid=someotheruser, or chequenum=otherpersonschequenum (yeah both of
    these actually happened :) ).

    Then there's unicode and multibyte support. I haven't figured out how to
    support it safely - any suggestions are welcome.

    So many ways of screwing up :).

    Cheerio,
    Link.
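The database point in the post above, as an added example (not code from the poster or the list): a string-built query that the ' probe trips, a parameterized one that it does not, and a LIKE search showing that parameter binding alone leaves % and _ as wildcards, so they are escaped by hand with an ESCAPE clause. The table, rows and function names are constructed for this illustration and use the standard library sqlite3 module.

```python
import sqlite3

# Constructed sample data standing in for the application's user table.
_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("bob_smith", "bsmith@example.com"),
    ("100%", "pct@example.com"),
]


def open_db():
    """In-memory database loaded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, email TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", _ROWS)
    return con


def lookup_unsafe(con, name):
    """Builds SQL by concatenation. Returns a list of emails, or None when
    the engine rejects the statement (the 'sign' an attacker watches for)."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    try:
        return [row[0] for row in con.execute(sql)]
    except sqlite3.Error:
        return None


def lookup_safe(con, name):
    """Same query with a bound parameter: the value is never parsed as SQL."""
    rows = con.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def escape_like(term, esc="\\"):
    """Escape the LIKE metacharacters. The escape character itself goes first,
    otherwise a user-supplied backslash could un-escape the next character."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def prefix_search_naive(con, term):
    """Bound parameter, but % and _ in the user's text still act as wildcards."""
    rows = con.execute("SELECT name FROM users WHERE name LIKE ?", (term + "%",))
    return sorted(row[0] for row in rows)


def prefix_search_escaped(con, term):
    """Only the trailing % we append is a wildcard; the user's text matches literally."""
    pattern = escape_like(term) + "%"
    rows = con.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\'", (pattern,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = open_db()
    print(lookup_unsafe(db, "'"))                 # None: syntax error, the tell-tale sign
    print(lookup_unsafe(db, "x' OR '1'='1"))      # every email in the table
    print(lookup_safe(db, "x' OR '1'='1"))        # []
    print(prefix_search_naive(db, "%"))           # all four names
    print(prefix_search_escaped(db, "%"))         # ['100%']
```

The naive prefix search is not an injection in the usual sense, since the statement never changes, but a lone % still enumerates the whole table, which is the kind of leak the post is warning about.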
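The log-injection point above ("stripping and truncating stuff a bit ... but you could lose vital info"), as an added example that is not from the poster: control characters in a request field are escaped rather than dropped, so a forged newline cannot start a second log line yet still shows up as \x0a for the analyst, and over-long fields are cut with a marker that records the original length. The field names, length bound and sample request are constructed for this illustration.

```python
import re

MAX_FIELD = 120  # constructed bound; pick one that fits your log viewer

# Everything below 0x20 plus DEL: CR/LF (line forging), NUL (C string truncation),
# ESC (terminal control sequences when the log is read with cat or tail).
_CTRL = re.compile(r"[\x00-\x1f\x7f]")


def sanitize_for_log(field, max_len=MAX_FIELD):
    """Escape control characters as \\xNN and truncate with an explicit marker.
    Escaping keeps the evidence that the attacker sent the character."""
    cleaned = _CTRL.sub(lambda m: "\\x%02x" % ord(m.group()), field)
    if len(cleaned) > max_len:
        cleaned = cleaned[:max_len] + "...[truncated, %d chars total]" % len(cleaned)
    return cleaned


def log_line_unsafe(remote, request):
    """Writes the request line verbatim, as a naive CGI error log would."""
    return '%s - "%s"' % (remote, request)


def log_line_safe(remote, request):
    """Same format, with the attacker-controlled field sanitized."""
    return '%s - "%s"' % (remote, sanitize_for_log(request))


# Constructed attack: a request line carrying an embedded newline followed by a
# fabricated entry that claims a different client fetched /admin successfully.
FORGED_REQUEST = 'GET / HTTP/1.0\n10.0.0.1 - "GET /admin HTTP/1.0" 200'

if __name__ == "__main__":
    print(log_line_unsafe("203.0.113.5", FORGED_REQUEST))  # two lines in the log
    print(log_line_safe("203.0.113.5", FORGED_REQUEST))    # one line, \x0a visible
    print(sanitize_for_log("A" * 300)[-40:])
```

The regex deliberately leaves high-bit and multibyte characters alone; how to treat those safely is the unresolved question the post raises, and dropping them silently would lose exactly the evidence you want.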
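The "users should not be able to redefine reality" point above, with its userid= and chequenum= cases, as an added example (not the poster's code): the unsafe handler takes the caller's identity from a CGI parameter, so changing it is all an attacker needs; the safe handler derives identity from a server-side session and checks ownership of the requested record on every access. Handlers return an HTTP-style (status, record) pair. The cheque records, session table and field names are constructed for this illustration.

```python
# Constructed server-side state: who owns which cheque, and which session
# cookie belongs to which logged-in user.
CHEQUES = {
    "1001": {"owner": "alice", "amount": "250.00"},
    "1002": {"owner": "bob", "amount": "80.00"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def view_cheque_unsafe(params):
    """Trusts userid= from the query string. The 'check' compares two values
    the client chose, so it proves nothing."""
    rec = CHEQUES.get(params.get("chequenum"))
    if rec is None:
        return 404, None
    if rec["owner"] != params.get("userid"):
        return 403, None
    return 200, rec


def view_cheque_safe(session_id, params):
    """Identity comes from the server's session store; the request may only
    suggest which record to show, and the server decides whether it is allowed."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, None
    rec = CHEQUES.get(params.get("chequenum"))
    # Same answer for 'does not exist' and 'belongs to someone else', so the
    # response does not confirm which cheque numbers are valid.
    if rec is None or rec["owner"] != user:
        return 404, None
    return 200, rec


if __name__ == "__main__":
    # Alice edits the URL to userid=bob&chequenum=1002 and reads Bob's cheque.
    print(view_cheque_unsafe({"userid": "bob", "chequenum": "1002"}))
    # Same request through the safe handler, with Alice's real session.
    print(view_cheque_safe("sess-alice", {"userid": "bob", "chequenum": "1002"}))
```

Note that the safe handler ignores userid= entirely; a parameter the server can compute for itself should not be accepted from the client at all, not merely validated.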