Home page logo

bugtraq logo Bugtraq mailing list archives

Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
From: rfp () WIRETRIP NET (rain forest puppy)
Date: Tue, 8 Feb 2000 12:30:49 -0600

Just wanted to drop a few notes in regards to what some people just
brought up..

Barclay Osborn wrote:

Maybe I'm reading this wrong, but I've never been able to piggyback
commands through mysql/DBI execute()'s, regardless of newlines, and even
when I have privs:

No, you're correct.  MySQL doesn't allow it.  But the whole world does not
use MySQL.

that's good, but you need to also make sure that your grant tables are
set up correctly and you only accept from a predefined list of tables,

This deals with database-specific permissions and such.

Kelly Setzer wrote:

No exceptions. Not even if something is supposed to fail with invalid
input. Always check it. You know you don't control the client.
You may be overestimating how much control you have over your backend,
supporting software, or development environment.

Well said.

Jaanus Kase wrote:

besides, when using PHP as front end, it has the nice AddSlashes and
StripSlashes functions

What about Perl?  TCL?  C?  ASP?  CFML?

And for all the people that sent me notes saying Oracle can do
such-and-such, what about MySQL?  MS SQL?  Informix?

Point being, I'm glad various products have their different little ways of
partially helping deal with this problem.  However, you shouldn't become
dependant on a function contained within one language--you should be aware
of the general issue, and be able to combat it regardless of backend DB or
frontend language.

My advisory specifically dealt with MySQL, but it was meant to be a
general overview on unexpected input.  Unexpected input is a problem of
all worlds.  So please don't acknowledge is as not a problem if, within
your technical setup/world, it may be implicitly benign.

Read between the lines, look beyond the methods.  The issue is unexpected
user data.  Great if you are safe against the few methods I mentioned.
but there are many more where that came from.  You must be proactive in
thought and planning on the whole, not reactive only to each little method

Think 'out of the box.'

- rfp

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]