Bugtraq mailing list archives

Re: Multiple CGI Flat File Database Manipulation Vulnerability - qDefense Advisory Number QDAV-2001-7-1


From: Ben Wheeler <b.wheeler () ulcc ac uk>
Date: Thu, 12 Jul 2001 16:41:17 +0100

On Wed, Jul 11, 2001 at 10:03:40PM -0400, qDefense Advisories wrote:
> qDefense Advisory Number QDAV-2001-7-1
> Product: Numerous CGI's
> Vendor: Numerous Vendors

This is probably the vaguest advisory I've ever seen. They might as well
release an advisory which just says "some CGI authors are idiots"
for all the useful information they've included.

Worse than that, though, their so-called solution is nothing of the sort:

> Solution:
> Ideally, SQL databases should be used instead of flat file databases.

The root of the problem is inadequate checking and quoting of user-supplied
input. If a programmer fails to do this then -- quite apart from the fact 
that their CGI is probably open to a whole host of attacks including 
cross-site scripting -- moving to an SQL database backend will solve NOTHING. 
If anything it will make the problem worse, because it may be possible 
to run arbitrary SQL commands from unquoted user input containing 
a semicolon. The potential for damage is magnified.

The correct solution (to this and indeed the vast majority of all CGI
security holes) is to always quote/escape/clean/check all input
from untrusted sources, preferably using a whitelist of acceptable
characters rather than a blacklist of unacceptable ones which you might
miss crucial stuff out of, and being extra careful when quoting to
ensure that you correctly escape the quote character itself.

Checking and quoting should be applied -after- decoding any
%-encoded characters and doing any other necessary translations.

Anyone who wants to write secure CGIs should also use taint checking,
where available (e.g. in perl), as a matter of course. It won't catch
every time you're being an idiot, but it certainly helps you to get
into more secure programming habits.

-- 
Ben/Jammin Wheeler  <b.wheeler () ulcc ac uk>
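
The points made in the reply above (the flat-file corruption the advisory is about, the larger blast radius of the same mistake against an SQL backend, whitelisting after %-decoding, and letting the database driver handle the quote character) as an added worked example. This is not code from the post or from any of the CGIs the advisory refers to; the `user`/`comment` parameters, the colon-separated flat-file layout, the `notes` table and all attacker inputs are constructed for illustration. Python and sqlite3 stand in for the Perl CGIs of the era; `executescript` models a database API that accepts stacked statements separated by semicolons.

```python
"""Added example: unchecked CGI input against a flat file and against SQL.

Constructed for illustration; not the advisory's code. The field layout,
parameter names, table and attacker strings are assumptions of this example.
"""
import re
import sqlite3
from urllib.parse import unquote_plus

FIELD_SEP = ":"  # assumed flat-file layout: user:comment, one record per line


# --- the flaw the advisory is about: raw input written to a flat file -------
def flat_append_naive(records, user, comment):
    """No validation: a ':' or a newline in the input rewrites the file layout."""
    records.append(f"{user}{FIELD_SEP}{comment}")


def flat_parse(records):
    """Read the 'file' back; extra rows or fields show where injection landed."""
    return [line.split(FIELD_SEP) for line in "\n".join(records).splitlines()]


# --- the advisory's 'solution': same mistake moved to SQL ---------------------
def sql_setup():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes(user TEXT, comment TEXT)")
    return conn


def sql_insert_naive(conn, user, comment):
    """Statement built by string concatenation; stacked statements are allowed."""
    conn.executescript(
        f"INSERT INTO notes(user, comment) VALUES ('{user}', '{comment}');"
    )


def sql_count(conn):
    return conn.execute("SELECT COUNT(*) FROM notes").fetchone()[0]


# --- the correct fix: decode, then whitelist, then let the driver quote ------
USER_RE = re.compile(r"[A-Za-z0-9_]{1,32}")          # whitelist, not blacklist
COMMENT_RE = re.compile(r"[A-Za-z0-9 .,!?'-]{1,200}")  # ':' ';' and newline excluded


def clean_param(raw, pattern):
    """Decode %-escapes first, then validate the decoded value; reject otherwise."""
    value = unquote_plus(raw)
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected input: {value!r}")
    return value


def flat_append_safe(records, raw_user, raw_comment):
    user = clean_param(raw_user, USER_RE)
    comment = clean_param(raw_comment, COMMENT_RE)
    records.append(f"{user}{FIELD_SEP}{comment}")


def sql_insert_safe(conn, raw_user, raw_comment):
    user = clean_param(raw_user, USER_RE)
    comment = clean_param(raw_comment, COMMENT_RE)
    # Parameterised query: the driver escapes the quote character itself,
    # so a legitimate apostrophe in a comment is stored, not executed.
    conn.execute("INSERT INTO notes(user, comment) VALUES (?, ?)", (user, comment))


# --- the wrong order: checking before decoding --------------------------------
BLACKLIST = set(":\n;'")


def blacklist_before_decode(raw):
    """Blacklist applied to the raw text: '%3A' passes and decodes to ':'."""
    if any(ch in BLACKLIST for ch in raw):
        raise ValueError("rejected")
    return unquote_plus(raw)


def demo():
    """Run the constructed attacker inputs through each variant."""
    evil_user = "mallory\nroot:superuser"        # newline injects a second record
    evil_comment = "x'); DELETE FROM notes; --"  # semicolon stacks a second statement

    records = ["alice:hello"]
    flat_append_naive(records, evil_user, "hi")
    rows = flat_parse(records)                   # 3 rows, one of them 'root:superuser'

    conn = sql_setup()
    sql_insert_safe(conn, "alice", "hello")
    sql_insert_naive(conn, "bob", evil_comment)  # stacked DELETE empties the table
    return {"flat_rows": rows, "sql_rows_left": sql_count(conn),
            "smuggled_colon": blacklist_before_decode("alice%3Aadmin")}


if __name__ == "__main__":
    print(demo())
```

The whitelists are deliberately narrow; widening them is a decision to make per field, and anything that must carry a separator or a quote still goes through a parameterised statement (or, for a flat file, an encoding such as CSV quoting) rather than through the regex alone.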

