WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Serverside script injection?

From: Marco Aldegheri <marco2 () argentea it>
Date: Mon, 13 Jan 2003 14:51:58 +0100
I found an example "built to duplicate some of PHPs built in functionality" is suggested in: 
www.planet-source-code.com/vb/scripts/ShowCode.asp?lngWId=4&txtCodeId=6278
where the VarsFromForm function captures the querystring and executes some code based on it: 

Public Sub VarsFromForm
    For Each item In request.form
execute(item & "=""" & Replace(request.form(item), Chr(34), Chr(34) & Chr(34)) & """") 
    Next
    For Each item In request.QueryString
execute(item & "=""" & Replace(request.QueryString(item), Chr(34), Chr(34) & Chr(34)) & """") 
    Next
End Sub

In a 'normal' use if the page is called like:
xyz.asp?a=1&b=2
'a' and 'b' variables would be created and assigned values "1" and "2".

If this page is called with a querystring like:
xyz.asp?response.write%20Application("password"):Pippo=1
the command [response.write Application("password")] is executed and the value "1" is assigned to the variable Pippo ... 


Best regards,
Marco Aldegheri, CISSP



joh ket wrote:


Hi there.
I have a question regarding serverside script injection. Does it exist - 
is it possible?
In the past there were some vulnerabilities in serverside scripts. It was possible to execute OS-commands through URL/userinput manipulation, I assume this happened mostly with CGI and perl scripts. Was this just based on the way the variables (userinput) was used in OS commands, 
and if the 'user data' was able to break out the intended command?
I think it depends on the applicationserver software if 'serverside script injection' is possible or not (assuming the programmer/coder does not want any security). In my opinion most important is the way that the applicationserver handles variables. The possibility for variables to 
contain commands...
Is it (theoretically) possible on ASP servers to inject 'malicious' code 
into the webpage, so that it is processed on the serverside?

Is it possible on PHP or Coldfusion?
Are there any real life examples? 
(so that I can play with it in my testlab)


Thank you for all reactions!


Regards,
Previous By Date Next
Previous By Thread Next

Current thread: