[Ampache updated] packages that use deprecated SQL escape functions

2009-10-20 Thread Charlie Smotherman
On Thu, 2009-10-15 at 13:26 +1100, Steffen Joeris wrote:
 Hi everyone
 
 We had a few issues in the past with insufficient database escaping, which 
 led to possible SQL injections due to the use of the deprecated functions 
 mysql_escape_string() and PQescapeString().
 These functions do not take the encoding of the established connection into 
 account, which can lead to insufficient escaping, if the encoding of this 
 connection can be set to certain multibyte character encodings (such as GBK).
 I found the explanation given in this email[0] quite useful to elaborate on 
 the thread.
 
 In order to prevent this issue, the new functions mysql_real_escape_string()
 [1] and PQescapeStringConn()[2] have been added, which honour the specific 
 encoding of the connection.
 
[snip]
 
 ampache: Charlie Smotherman cj...@cableone.net
  ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php:$filenam2 = mysql_escape_string($filename);
  ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php:$res2 = mysql_escape_string(serialize($result));
 
Steffen,

Thanks for the mail.  I have patched ampache to use
mysql_real_escape_string().  I would appreciate it if someone would
sponsor this fix.

http://mentors.debian.net/debian/pool/main/a/ampache/ampache_3.5.1-2.dsc 

Thank you 
Charlie Smotherman



signature.asc
Description: This is a digitally signed message part


Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Emilio Pozuelo Monfort
Hi Steffen,

Steffen Joeris wrote:
 Thanks to Kees, I have prepared a list of packages (below) that are still 
 using the deprecated functions.

Can you post a dd-list? Your list doesn't include uploaders so it's easy to miss
team maintained packages.

Thanks,
Emilio





Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Michal Čihař
Hi

On Thu, 15 Oct 2009 13:26:14 +1100, Steffen Joeris steffen.joe...@skolelinux.de wrote:

 gammu: Michal Čihař ni...@debian.org
  ./gammu-1.24.0/smsd/services/pgsql.c:  PQescapeString(buffer4, buffer2, strlen(buffer2));
  ./gammu-1.24.0/smsd/services/pgsql.c:  PQescapeString(buffer5, buffer2, strlen(buffer2));
  ./gammu-1.24.0/smsd/services/pgsql.c:  PQescapeString(buffer5, buffer2, strlen(buffer2));

PQescapeString is used only if PQescapeStringConn is not available at
compile time, which was AFAIK the case in some older PostgreSQL versions.

-- 
Michal Čihař | http://cihar.com | http://blog.cihar.com




Re: packages that use deprecated SQL escape functions - dd-list

2009-10-15 Thread Stefano Zacchiroli
On Thu, Oct 15, 2009 at 10:27:57AM +0200, Emilio Pozuelo Monfort wrote:
  Thanks to Kees, I have prepared a list of packages (below) that are still 
  using the deprecated functions.
 Can you post a dd-list? Your list doesn't include uploaders so it's easy to 
 miss team maintained packages.

Please find below the result of:

  $ egrep '^\w+:' body.txt | grep -v NOTE | cut -f 1 -d: | dd-list --stdin > dd-list.txt

where body.txt is the body of Steffen's mail. I just added Myon by hand
because libyada is only in stable and on my sid machine dd-list didn't
find it.

Cheers.


Carlos Eduardo Sotelo Pinto (krlos) krlos@gmail.com
   sitebar

Marcelo Jorge Vieira (metal) me...@alucinados.com
   scuttle

Micah Anderson mi...@debian.org
   dsyslog (U)

Leopold Palomo Avellaneda l...@alaxarxa.net
   bulmages (U)

Christian Bayle ba...@debian.org
   cvsnt (U)

Romain Beauxis to...@rastageeks.org
   mediawiki (U)

Edelhard Becker edelh...@debian.org
   zoph

Dave Beckett daj...@debian.org
   redland

Luciano Bello luci...@debian.org
   nepenthes

Marcus Better mar...@better.se
   ser (U)

Darren Blaber dmbt...@gmail.com
   dsyslog (U)

Matt Brown ma...@debian.org
   phpwiki

Ross Burton r...@debian.org
   onak (U)

Luca Capello l...@pca.it
   clisp (U)

Nuno Carvalho mestre.sm...@gmail.com
   parrot (U)

Thadeu Lima de Souza Cascardo casca...@minaslivre.org
   jabberd2 (U)

Pierre Chifflier pol...@debian.org
   libpreludedb (U)
   ulogd (U)
   wzdftpd

Debian BOINC Maintainers pkg-boinc-de...@lists.alioth.debian.org
   boinc

Debian Common Lisp Team pkg-common-lisp-de...@lists.alioth.debian.org
   clisp

Debian GNOME Maintainers pkg-gnome-maintain...@lists.alioth.debian.org
   libgda3

Debian Parrot Maintainers pkg-parrot-de...@lists.alioth.debian.org
   parrot

Debian VoIP Team pkg-voip-maintain...@lists.alioth.debian.org
   gnugk
   ser

Debian XMPP Maintainers pkg-xmpp-de...@lists.alioth.debian.org
   jabberd2

WebCalendar Debian package development rafael-webcalen...@debian.org
   webcalendar

Peter Eisentraut pet...@debian.org
   pgpool2

Raphael Enrici black...@club-internet.fr
   pgadmin3

Peter Van Eynde pvane...@debian.org
   clisp (U)

Gerfried Fuchs rho...@debian.at
   pgadmin3 (U)
   spl

David Moreno Garza da...@debian.org
   phpwiki (U)

Thomas Goirand tho...@goirand.fr
   dtc

Stephen Gran sg...@debian.org
   freeradius

Debian QA Group packa...@qa.debian.org
   mnogosearch
   pgtcl
   prokyon3
   sqlrelay

Pascal Hakim p...@debian.org
   snort (U)

Peter Howard p...@northern-ridge.com.au
   zoneminder

Mark Hymers m...@debian.org
   freeradius (U)

Matthias Klose d...@debian.org
   pygresql

Achilleas Kotsis achi...@kotsis.net
   ulogd

Kilian Krause kil...@debian.org
   gnugk (U)
   ser (U)

Elizabeth Krumbach l...@princessleia.com
   webcalendar (U)

Rafael Laboissiere raf...@debian.org
   webcalendar (U)

Carlos Laviola clavi...@debian.org
   fpc

Penny Leach pe...@mjollnir.org
   moodle (U)

Faidon Liambotis parav...@debian.org
   gnugk (U)

Xavier Luthi xav...@caroxav.be
   b2evolution
   pixelpost

Francois Marier franc...@debian.org
   moodle (U)

Christoph Martin christoph.mar...@uni-mainz.de
   boinc (U)

TSUCHIYA Masatoshi tsuch...@namazu.org
   texfam

Rene Mayorga rmayo...@debian.org
   boinc (U)

Jonathan McDowell nood...@earth.li
   onak

Mediawiki Maintenance Team pkg-mediawiki-de...@lists.alioth.debian.org
   mediawiki

Martin Meredith m...@debian.org
   symfony

Patrick Michaud pmich...@pobox.com
   parrot (U)

Miguel Gea Milvaques xera...@debian.org
   bulmages (U)

Loic Minier l...@dooz.org
   libgda3 (U)

Steffen Moeller steffen_moel...@gmx.de
   boinc (U)

Emilio Pozuelo Monfort po...@debian.org
   libgda3 (U)

René Mérou ochominutosdea...@gmail.com
   bulmages

Mazen Neifer ma...@freepascal.org
   fpc (U)

Javier Fernandez-Sanguino Pen~a j...@debian.org
   snort

Mathieu Petit-Clair m...@moodle.com
   moodle (U)

William Pitcock neno...@dereferenced.org
   dsyslog

Dan Poltawski talkto...@gmail.com
   moodle (U)

Mickael Profeta prof...@debian.org
   libpreludedb

Mark Purcell m...@debian.org
   gnugk (U)
   ser (U)

Allison Randal alli...@parrot.org
   parrot (U)

Tomeu Borràs Riera tbor...@conetxcia.com
   bulmages (U)

Jorge Salamero Sanz ben...@debian.org
   jabberd2 (U)

Jens Peter Secher j...@debian.org
   neko

Charlie Smotherman cj...@cableone.net
   ampache

Jörg Sommer jo...@alea.gnuu.de
   xindy

Radu Spineanu r...@debian.org
   pvpgn

Uwe Steinmann ste...@debian.org
   netmrg

Moodle Packaging Team moodle-packag...@catalyst.net.nz
   moodle

Fabio Tranchitella kob...@debian.org
   psycopg2

Andreas Tscharner a...@vis.ethz.ch
   cvsnt

Torsten Werner twer...@debian.org
   fpc (U)

Michal Čihař ni...@debian.org
   gammu
   rpm2html

Christoph Berg m...@debian.org
   libyada

-- 
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -- http://upsilon.cc/zack/

Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Raphael Geissert
Hi Steffen,

In future checks it would be easier and more accurate to look for the
deprecated functions on the binary packages, because not all of the
packages ship/use all of the files they include in the source package.

FTR, in php 5.3 the mysql_escape_string function is marked as deprecated
(and depending on the error reporting level it will warn) and in php6 it is
gone. And applications using pgsql don't need any change as the pgsql
extension uses PQescapeStringConn if available at compile time and if
there's an active connection.

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net


-- 
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Ben Finney
Raphael Geissert geiss...@debian.org writes:

 FTR, in php 5.3 the mysql_escape_string function is marked as
 deprecated (and depending on the error reporting level it will warn)
 and in php6 it is gone.

Reference, please? I'd like to know what function is recommended to
replace this one.

-- 
 \   “Never use a long word when there's a commensurate diminutive |
  `\available.” —Stan Kelly-Bootle |
_o__)  |
Ben Finney





Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Mauro Lizaur


2009-10-16, Ben Finney:

 Raphael Geissert geiss...@debian.org writes:
 
  FTR, in php 5.3 the mysql_escape_string function is marked as
  deprecated (and depending on the error reporting level it will warn)
  and in php6 it is gone.
 
 Reference, please? I'd like to know what function is recommended to
 replace this one.
 

According to php.net [0], they recommend using 'mysql_real_escape_string'
instead [1]. Note that mysql_real_escape_string behaves a little differently 
from mysql_escape_string, though.

[0] http://ar2.php.net/mysql_escape_string
[1] http://ar2.php.net/manual/en/function.mysql-real-escape-string.php


Regards,
Mauro

--
JID: lavaram...@jabber.org | http://lizaur.github.com/
2B82 A38D 1BA5 847A A74D 6C34 6AB7 9ED6 C8FD F9C1





Re: packages that use deprecated SQL escape functions

2009-10-15 Thread Ben Finney
Mauro Lizaur deb...@cacavoladora.org writes:

 According to php.net [0], they recommend using
 'mysql_real_escape_string' instead [1]. Note that
 mysql_real_escape_string behaves a little differently from
 mysql_escape_string, though.

 [0] http://ar2.php.net/mysql_escape_string
 [1] http://ar2.php.net/manual/en/function.mysql-real-escape-string.php

Thank you for the prompt answer.

-- 
 \   “We spend the first twelve months of our children's lives |
  `\  teaching them to walk and talk and the next twelve years |
_o__)   telling them to sit down and shut up.” —Phyllis Diller |
Ben Finney





packages that use deprecated SQL escape functions

2009-10-14 Thread Steffen Joeris
Hi everyone

We had a few issues in the past with insufficient database escaping, which led 
to possible SQL injections due to the use of the deprecated functions 
mysql_escape_string() and PQescapeString().
These functions do not take the encoding of the established connection into 
account, which can lead to insufficient escaping, if the encoding of this 
connection can be set to certain multibyte character encodings (such as GBK).
I found the explanation given in this email[0] quite useful to elaborate on 
the thread.

In order to prevent this issue, the new functions mysql_real_escape_string()
[1] and PQescapeStringConn()[2] have been added, which honour the specific 
encoding of the connection.

Thanks to Kees, I have prepared a list of packages (below) that are still 
using the deprecated functions. Apologies for all false-positives, I've tried 
to eliminate as many as possible. If you find your package in the list below, 
please have a look at the code and check whether you can change to the new 
functions. 

You are likely vulnerable to an SQL injection attack if you only rely on the 
deprecated functions for escaping (or have some self-made escaping for that 
matter) AND if it is possible to set the client encoding.
If other encodings, such as UTF-8, are used, you are not vulnerable, so check 
that as well, please.

In the near future, I will try to do the archive scan again and file bugs with 
severity normal for the packages below that are still relying on the 
deprecated functions. (Should they be found vulnerable, the severity will be 
raised of course).

If you are in doubt about anything or if you found that your package is 
vulnerable, please contact the security team (t...@security.debian.org).

Cheers
Steffen

[0]: http://www.mail-archive.com/pgsql-hack...@postgresql.org/msg71061.html

[1]: http://dev.mysql.com/doc/refman/5.0/es/mysql-real-escape-string.html

[2]: http://www.postgresql.org/docs/8.4/static/libpq-exec.html


ampache: Charlie Smotherman cj...@cableone.net
 ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php:$filenam2 = mysql_escape_string($filename);
 ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php:$res2 = mysql_escape_string(serialize($result));


asterisk-addons: Debian VoIP Team pkg-voip-maintain...@lists.alioth.debian.org
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(clid, cdr->clid, strlen(cdr->clid));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(dcontext, cdr->dcontext, strlen(cdr->dcontext));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(channel, cdr->channel, strlen(cdr->channel));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(dstchannel, cdr->dstchannel, strlen(cdr->dstchannel));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(lastapp, cdr->lastapp, strlen(cdr->lastapp));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(lastdata, cdr->lastdata, strlen(cdr->lastdata));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(src, cdr->src, strlen(cdr->src));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(dst, cdr->dst, strlen(cdr->dst));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(accountcode, cdr->accountcode, strlen(cdr->accountcode));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(uniqueid, cdr->uniqueid, strlen(cdr->uniqueid));
 ./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(userfielddata, cdr->userfield, strlen(cdr->userfield));


b2evolution: Xavier Luthi xav...@caroxav.be
 ./b2evolution-2.4.7/blogs/inc/_core/model/db/_db.class.php:return mysql_escape_string( $unescaped_string );


boinc: Debian BOINC Maintainers pkg-boinc-de...@lists.alioth.debian.org
 ./boinc-6.4.5+dfsg/html/ops/bbcode_convert_signature.php:$query = "update forum_preferences set signature = '".mysql_escape_string($text)."' where userid=".$forum_preferences->userid;
 ./boinc-6.4.5+dfsg/html/ops/bbcode_convert.php:$query = "update post set content = '".mysql_escape_string($text)."' where id=".$post->id;
 ./boinc-6.4.5+dfsg/html/ops/bbcode_convert_response2.php:$query = "update profile set response2 = '".mysql_escape_string($text)."' where userid=".$profile->userid;
 ./boinc-6.4.5+dfsg/html/ops/bbcode_convert_response1.php:$query = "update profile set response1 = '".mysql_escape_string($text)."' where userid=".$profile->userid;
 
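The encoding problem described in the mail above, as an added example that is not code from the thread or from any of the listed packages: a byte-oriented escaper in the style of the deprecated functions beside a connection-charset-aware one, with a check that models how the server reads the result. It relies only on Python 3's built-in GBK codec; the aware escaper's reject-on-malformed-input policy is an assumption of this example, not the exact behaviour of mysql_real_escape_string() or PQescapeStringConn().

```python
# Added example (not code from the thread): a byte-oriented escaper in the
# style of mysql_escape_string()/PQescapeString() beside a charset-aware one,
# plus a check that models how the server reads the escaped bytes.  The aware
# escaper rejects malformed input rather than repairing it; that policy is an
# assumption of this example, not the libraries' exact behaviour.

# Bytes that mysql_escape_string() backslash-escapes (all single-byte ASCII).
SPECIAL = {
    0x00: b"\\0", 0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\",
    0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z",
}

def escape_bytewise(data: bytes) -> bytes:
    """Escape byte by byte, ignoring the connection charset (the deprecated
    behaviour).  It cannot tell whether 0x27 or 0x5C is a real quote or
    backslash, or the trail byte of a multibyte character."""
    return b"".join(SPECIAL.get(b, bytes([b])) for b in data)

def escape_for_charset(data: bytes, charset: str) -> bytes:
    """Escape per character of the connection charset, the property that
    mysql_real_escape_string()/PQescapeStringConn() provide.  Malformed
    input raises UnicodeDecodeError instead of being passed through."""
    out = bytearray()
    for ch in data.decode(charset):          # strict decode, raises on errors
        cp = ord(ch)
        out += SPECIAL[cp] if cp in SPECIAL else ch.encode(charset)
    return bytes(out)

def unescaped_quote_survives(escaped: bytes, charset: str) -> bool:
    """Model the server: decode the escaped bytes in the connection charset,
    honour backslash escapes, and report whether a bare single quote is
    left that would close a string literal early."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2                           # a backslash eats the next char
            continue
        if text[i] == "'":
            return True
        i += 1
    return False

# Constructed inputs.  In GBK, 0xBF is a lead byte and 0x5C a valid trail
# byte, so 0xBF 0x5C is one character, while 0xBF 0x27 is malformed.
GBK_CHAR = b"\xbf\x5c"
MALFORMED = b"\xbf'"

if __name__ == "__main__":
    for cs in ("gbk", "utf-8", "latin-1"):
        leak = unescaped_quote_survives(escape_bytewise(MALFORMED), cs)
        print(f"{cs:8} bytewise escaping leaves a bare quote: {leak}")
    print("charset-aware:", escape_for_charset(GBK_CHAR + b"'", "gbk"))
```

Run it with a GBK, UTF-8 and Latin-1 connection charset in turn: only GBK turns the byte-wise output into a bare quote, which matches the mail's note that UTF-8 connections are not affected.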

Re: packages that use deprecated SQL escape functions

2009-10-14 Thread Charles Plessy
On Thu, Oct 15, 2009 at 01:26:14PM +1100, Steffen Joeris wrote:
 
 In the near future, I will try to do the archive scan again and file bugs 
 with severity normal for the packages below that are still relying on the 
 deprecated functions. (Should they be found vulnerable, the severity will be 
 raised of course).

Dear Steffen,

shouldn’t the upstream maintainer(s) be warned before the security issue is
advertised in public?

Have a nice day,

-- 
Charles Plessy
Debian Med packaging team,
http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan





Re: packages that use deprecated SQL escape functions

2009-10-14 Thread Steffen Joeris
Hi Charles

On Thu, 15 Oct 2009 01:50:35 pm Charles Plessy wrote:
 On Thu, Oct 15, 2009 at 01:26:14PM +1100, Steffen Joeris wrote:
  In the near future, I will try to do the archive scan again and file bugs
  with severity normal for the packages below that are still relying on
  the deprecated functions. (Should they be found vulnerable, the severity
  will be raised of course).
 
 Dear Steffen,
 
 shouldn’t the upstream maintainer(s) be warned before the security issue is
 advertised in public?
Before I sent the list, I checked some of the major packages together with the 
maintainers, so there was some work that happened in the background before 
publication. Also, I don't expect many of the packages below to be vulnerable, 
because not every application allows the setting of the client encoding.
 
Also, I've released a few DSAs to update common bindings in different languages 
that only offered the deprecated functions. At this stage, it is better to 
publish this list and ask the maintainers for help, because we don't have the 
manpower to check them all individually and test them.

Cheers
Steffen

