Bugtraq mailing list archives
Re: Multiple CGI Flat File Database Manipulation Vulnerability - qDefense Advisory Number QDAV-2001-7-1
From: Ben Wheeler <b.wheeler () ulcc ac uk>
Date: Thu, 12 Jul 2001 16:41:17 +0100
On Wed, Jul 11, 2001 at 10:03:40PM -0400, qDefense Advisories wrote:
qDefense Advisory Number QDAV-2001-7-1 Product: Numerous CGI's Vendor: Numerous Vendors
This is probably the vaguest advisory I've ever seen. They might as well release an advisory which just says "some CGI authors are idiots" for all the useful information they've included. Worse than that, though, their so-called solution is nothing of the sort:
Solution: Ideally, SQL databases should be used instead of flat file databases.
The root of the problem is inadequate checking and quoting of user-supplied input. If a programmer fails to do this then -- quite apart from the fact that their CGI is probably open to a whole host of attacks including cross-site scripting -- moving to an SQL database backend will solve NOTHING. If anything it will make the problem worse, because it may be possible to run arbitrary SQL commands from unquoted user input containing a semicolon. The potential for damage is magnified.

The correct solution (to this and indeed the vast majority of all CGI security holes) is to always quote/escape/clean/check all input from untrusted sources, preferably using a whitelist of acceptable characters rather than a blacklist of unacceptable ones which you might miss crucial stuff out of, and being extra careful when quoting to ensure that you correctly escape the quote character itself.

Checking and quoting should be applied -after- decoding any %-encoded characters and doing any other necessary translations.

Anyone who wants to write secure CGIs should also use taint checking, where available (eg in perl), as a matter of course. It won't catch every time you're being an idiot, but it certainly helps you to get into more secure programming habits.

--
Ben/Jammin Wheeler <b.wheeler () ulcc ac uk>
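The points made in the reply above (decode before you check, prefer a whitelist, escape the escape character itself) are shown below in an added example that is not part of the thread and not code from any of the CGIs the advisory refers to. It assumes a hypothetical '|'-delimited flat file with '\' as its escape character, a "username" field validated by whitelist, and a free-text "comment" field that is escaped rather than rejected; it is written in Python rather than Perl so that it runs without taint mode, but the ordering mistake it demonstrates is language-independent.

```python
import re
from urllib.parse import unquote_plus

# Constructed flat-file layout: one record per line, fields separated by '|',
# with '\' used to escape a literal '|', a literal '\' or a newline inside a field.
FIELD_SEP = "|"
ESCAPE = "\\"

# Whitelist for the hypothetical "username" field: only these characters, 1-32 of them.
USERNAME_RE = re.compile(r"\A[A-Za-z0-9_.-]{1,32}\Z")


def is_valid_username(value):
    """Whitelist check, applied to an already-decoded value."""
    return USERNAME_RE.fullmatch(value) is not None


def escape_field(value):
    """Escape a free-text field so it cannot break the record layout.
    The escape character is escaped FIRST; otherwise an attacker-supplied
    '\\' in front of a separator would later be read as an escaped '|'."""
    return (value.replace(ESCAPE, ESCAPE + ESCAPE)
                 .replace(FIELD_SEP, ESCAPE + FIELD_SEP)
                 .replace("\n", ESCAPE + "n"))


def unescape_field(value):
    """Inverse of escape_field: walk the text, honouring each '\' pair once."""
    out, i = [], 0
    while i < len(value):
        c = value[i]
        if c == ESCAPE and i + 1 < len(value):
            nxt = value[i + 1]
            out.append("\n" if nxt == "n" else nxt)
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def blacklist_then_decode(raw):
    """The WRONG order: strip '|' from the raw query-string value and decode
    afterwards. '%7C' contains no '|', survives the strip, then decodes to '|'."""
    stripped = raw.replace(FIELD_SEP, "")
    return unquote_plus(stripped)


def decode_then_check(raw, field):
    """The right order: decode the %-encoded value first, then whitelist
    (username) or escape (comment) the decoded text."""
    decoded = unquote_plus(raw)
    if field == "username":
        if not is_valid_username(decoded):
            raise ValueError("rejected username: %r" % decoded)
        return decoded
    return escape_field(decoded)


def build_record(raw_user, raw_comment):
    """Produce one flat-file line from two raw CGI parameter values."""
    return FIELD_SEP.join([decode_then_check(raw_user, "username"),
                           decode_then_check(raw_comment, "comment")])


def parse_record(line):
    """Split a stored line on unescaped separators and unescape each field."""
    fields, cur, i = [], [], 0
    while i < len(line):
        c = line[i]
        if c == ESCAPE and i + 1 < len(line):
            cur.append(c)
            cur.append(line[i + 1])
            i += 2
            continue
        if c == FIELD_SEP:
            fields.append(unescape_field("".join(cur)))
            cur = []
        else:
            cur.append(c)
        i += 1
    fields.append(unescape_field("".join(cur)))
    return fields


if __name__ == "__main__":
    # Constructed inputs: a username carrying an encoded separator, and a
    # comment carrying both an encoded separator and an encoded backslash.
    print(blacklist_then_decode("alice%7Cadmin"))        # the separator comes back
    print(build_record("bob", "x%7Cy%5C%7Cz"))
    print(parse_record(build_record("bob", "x%7Cy%5C%7Cz")))
```

The two orderings differ only in where the decode step sits, which is exactly why a check that looks correct in testing can still be bypassed: the test data was never %-encoded. Whitelisting the username removes the need to think about escaping at all for that field; the comment field shows that when free text must be stored, the escape character has to be handled before the delimiter it protects.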
Current thread:
- Multiple CGI Flat File Database Manipulation Vulnerability - qDefense Advisory Number QDAV-2001-7-1 qDefense Advisories (Jul 12)
- Re: Multiple CGI Flat File Database Manipulation Vulnerability - qDefense Advisory Number QDAV-2001-7-1 3EV Ltd (Jul 15)
- Re: Multiple CGI Flat File Database Manipulation Vulnerability - qDefense Advisory Number QDAV-2001-7-1 Ben Wheeler (Jul 15)