Re: Multiple CGI Flat File Database Manipulation Vulnerability - qDefense Advisory Number QDAV-2001-7-1

[3EV Ltd <info () 3ev com>]

At 22:03 11/07/01 -0400, you wrote:
> Product: Numerous CGI's
[snip]
> Cause: Failure to validate input

The pipe character is often used as a delimiter in flatfile databases, sure, but there are many more reasons for 
filtering pipe's out of user input!

This really is as old as the hills.
The example given is relatively minor compared to more sophisticated techniques, and is hardly worth an adivsory all to 
itself IMHO.  *If you are not sanitising user input you should not be writing CGI scripts.*

> Solution:
> Ideally, SQL databases should be used instead of flat file databases.

Hardly.  Whilst you may prevent this specific method, by using an SQL implimentation you open up a whole new can of 
worms, where ' and " can be used for similar tricks, which is more likely to be required in user data than a 
comparitively uncommon pipe.  (See the 'MySQL Reference Manual' Chapters 6.1 & 6.2.)  If you still aren't sanitising 
properly, using SQL (or anything else for that matter) is just as dangerous!

I'd advise sanitising input properly in the first place, regardless of back-end:
http://www.cert.org/tech_tips/cgi_metacharacters.html

More issues to be aware of (from rfp):
http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=2

... or see Phrack issue 55.

Jon Whitlock.