At the base of this, I believe, is the principle that 100% of user input
must go through a parsing process.
For PHP, this means addslashes(), especially for something that goes into
MySQL or any other SQL statement.
I once saw an nslookup tool that took user input in the form of an IP
address or a hostname as $input and ran the command system("nslookup
$input"); or some such; without filtering, we can see the drastic effects
this could have (ns.php?input=127.0.0.1%20&&%20rm%20/%20-rf).
-James Ferrara
SIG: Looking for an internship in the Wash DC area.
>To: joh ket <johket_at_hotmail.com>
>cc: webappsec_at_securityfocus.com
>bcc:
>Subject: Re: Serverside script injection?
>From: Peter Conrad <conrad_at_tivano.de>
>
>Date: 01/13/2003 09:12 AM CET
>
>Hi,
>
>On Fri, Jan 10, 2003 at 09:05:31AM -0000, joh ket wrote:
>>
>> I have a question regarding serverside script injection. Does it exist -
>> is it possible?
>
>Depending on how you'd define "serverside script injection" the answer
>would usually be "yes". :-)
>
>> In the past there were some vulnerabilities in serverside scripts. It was
>> possible to execute OS-commands through URL/userinput manipulation,
>> I assume this happened mostly with CGI and perl scripts. Was this just
>> based on the way the variables (userinput) was used in OS commands,
>> and if the 'user data' was able to break out the intended command?
>
>That was (is?) a quite common problem, but probably not the only one.
>
>> I think it depends on the applicationserver software if 'serverside script
>> injection' is possible or not (assuming the programmer/coder does not want
>> any security).
>
>No! The programmer of a web application *must* be aware of the security
>implications of his programs. Otherwise I think it is possible in *any*
>application server (that allows Turing-complete programming) to write a
>program that can be exploited. It is true that some application servers
>make this easier than others.
>
>> Is it (theoretically) possible on ASP servers to inject 'malicious' code
>> into the webpage, so that it is processed on the serverside?
>> Is it possible on PHP or Coldfusion?
>
>I remember a posting (probably on bugtraq) a couple of days ago, where
>some user data was being written to a file, and the username was used as
>the filename. So if your username was "someone.php" and you requested that
>file via HTTP the server would parse it as a PHP page - executing any
>commands you had embedded in your "user data". That kind of thing would
>work on an ASP or JSP server as well.
>
>Bye,
>Peter
>--
>Peter Conrad Tel: +49 6102 / 80 99 072
>tivano Software GmbH Fax: +49 6102 / 80 99 071
>Bahnhofstr. 18
>63263 Neu-Isenburg
>Germany
Received on Jan 13 2003
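The nslookup wrapper James describes, as an added example that is not part of the original thread, written in PHP (the language the post discusses): the unsafe interpolation beside a version that first validates the input as an IP address or hostname and then quotes it with escapeshellarg(). The function names are my own, and the sample inputs are constructed.

```php
<?php
// Added example, not from the original post.

// Unsafe: the raw query parameter is interpolated into a shell command line,
// so any shell metacharacters in $input become part of the command.
// (Returns the command string for display; it is never executed here.)
function nslookup_unsafe(string $input): string {
    return "nslookup $input";
}

// Accept only what an nslookup argument legitimately is: an IPv4/IPv6
// address, or a hostname made of RFC 1123 labels. Everything else is rejected
// outright rather than "cleaned up".
function is_lookup_target(string $input): bool {
    if (filter_var($input, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match("/^(?=.{1,253}$)(?:$label\\.)*$label\\.?$/i", $input) === 1;
}

// Safe: validate first, then pass the value as a single quoted shell argument.
function nslookup_safe(string $input): ?string {
    if (!is_lookup_target($input)) {
        return null;
    }
    return 'nslookup ' . escapeshellarg($input);
}

// Constructed inputs, including the payload shape quoted in the post.
$inputs = ['127.0.0.1', 'www.example.com', '127.0.0.1 && rm / -rf'];
foreach ($inputs as $in) {
    printf("%-24s unsafe: %s\n", $in, nslookup_unsafe($in));
    printf("%-24s safe:   %s\n", $in, nslookup_safe($in) ?? 'REJECTED');
}
```

Validation does the real work; escapeshellarg() is a second layer so that even a value the allowlist lets through cannot terminate the argument.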