[Ampache updated] packages that use deprecated SQL escape functions
On Thu, 2009-10-15 at 13:26 +1100, Steffen Joeris wrote:
> Hi everyone
>
> We had a few issues in the past with insufficient database escaping, which led to possible SQL injections due to the use of the deprecated functions mysql_escape_string() and PQescapeString(). These functions do not take the encoding of the established connection into account, which can lead to insufficient escaping if the encoding of this connection can be set to certain multibyte character encodings (such as GBK). I found the explanation given in this email[0] quite useful to elaborate on the thread. In order to prevent this issue, the new functions mysql_real_escape_string() [1] and PQescapeStringConn()[2] have been added, which honour the specific encoding of the connection.
>
> [snip]
>
> ampache: Charlie Smotherman cj...@cableone.net
> ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $filenam2 = mysql_escape_string($filename);
> ./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $res2 = mysql_escape_string(serialize($result));

Steffen,

Thanks for the mail. I have patched ampache to use mysql_real_escape_string(). I would appreciate it if someone would sponsor this fix.

http://mentors.debian.net/debian/pool/main/a/ampache/ampache_3.5.1-2.dsc

Thank you
Charlie Smotherman
Re: packages that use deprecated SQL escape functions
Hi Steffen,

Steffen Joeris wrote:
> Thanks to Kees, I have prepared a list of packages (below) that are still using the deprecated functions.

Can you post a dd-list? Your list doesn't include uploaders so it's easy to miss team maintained packages.

Thanks,
Emilio
Re: packages that use deprecated SQL escape functions
Hi

On Thu, 15 Oct 2009 13:26:14 +1100 Steffen Joeris steffen.joe...@skolelinux.de wrote:
> gammu: Michal Čihař ni...@debian.org
> ./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer4, buffer2, strlen(buffer2));
> ./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer5, buffer2, strlen(buffer2));
> ./gammu-1.24.0/smsd/services/pgsql.c: PQescapeString(buffer5, buffer2, strlen(buffer2));

PQescapeString is used only if PQescapeStringConn is not available at compile time, which was AFAIK the case in some older PostgreSQL versions.

--
Michal Čihař | http://cihar.com | http://blog.cihar.com
Re: packages that use deprecated SQL escape functions - dd-list
On Thu, Oct 15, 2009 at 10:27:57AM +0200, Emilio Pozuelo Monfort wrote:
> Thanks to Kees, I have prepared a list of packages (below) that are still using the deprecated functions.
>
> Can you post a dd-list? Your list doesn't include uploaders so it's easy to miss team maintained packages.

Please find below the result of:

$ egrep '^\w+:' body.txt | grep -v NOTE | cut -f 1 -d: | dd-list --stdin > dd-list.txt

where body.txt is the body of Steffen's mail. I just added Myon by hand because libyada is only in stable and on my sid machine dd-list didn't find it.

Cheers.

Carlos Eduardo Sotelo Pinto (krlos) krlos@gmail.com
   sitebar
Marcelo Jorge Vieira (metal) me...@alucinados.com
   scuttle
Micah Anderson mi...@debian.org
   dsyslog (U)
Leopold Palomo Avellaneda l...@alaxarxa.net
   bulmages (U)
Christian Bayle ba...@debian.org
   cvsnt (U)
Romain Beauxis to...@rastageeks.org
   mediawiki (U)
Edelhard Becker edelh...@debian.org
   zoph
Dave Beckett daj...@debian.org
   redland
Luciano Bello luci...@debian.org
   nepenthes
Marcus Better mar...@better.se
   ser (U)
Darren Blaber dmbt...@gmail.com
   dsyslog (U)
Matt Brown ma...@debian.org
   phpwiki
Ross Burton r...@debian.org
   onak (U)
Luca Capello l...@pca.it
   clisp (U)
Nuno Carvalho mestre.sm...@gmail.com
   parrot (U)
Thadeu Lima de Souza Cascardo casca...@minaslivre.org
   jabberd2 (U)
Pierre Chifflier pol...@debian.org
   libpreludedb (U)
   ulogd (U)
   wzdftpd
Debian BOINC Maintainers pkg-boinc-de...@lists.alioth.debian.org
   boinc
Debian Common Lisp Team pkg-common-lisp-de...@lists.alioth.debian.org
   clisp
Debian GNOME Maintainers pkg-gnome-maintain...@lists.alioth.debian.org
   libgda3
Debian Parrot Maintainers pkg-parrot-de...@lists.alioth.debian.org
   parrot
Debian VoIP Team pkg-voip-maintain...@lists.alioth.debian.org
   gnugk
   ser
Debian XMPP Maintainers pkg-xmpp-de...@lists.alioth.debian.org
   jabberd2
WebCalendar Debian package development rafael-webcalen...@debian.org
   webcalendar
Peter Eisentraut pet...@debian.org
   pgpool2
Raphael Enrici black...@club-internet.fr
   pgadmin3
Peter Van Eynde pvane...@debian.org
   clisp (U)
Gerfried Fuchs rho...@debian.at
   pgadmin3 (U)
   spl
David Moreno Garza da...@debian.org
   phpwiki (U)
Thomas Goirand tho...@goirand.fr
   dtc
Stephen Gran sg...@debian.org
   freeradius
Debian QA Group packa...@qa.debian.org
   mnogosearch
   pgtcl
   prokyon3
   sqlrelay
Pascal Hakim p...@debian.org
   snort (U)
Peter Howard p...@northern-ridge.com.au
   zoneminder
Mark Hymers m...@debian.org
   freeradius (U)
Matthias Klose d...@debian.org
   pygresql
Achilleas Kotsis achi...@kotsis.net
   ulogd
Kilian Krause kil...@debian.org
   gnugk (U)
   ser (U)
Elizabeth Krumbach l...@princessleia.com
   webcalendar (U)
Rafael Laboissiere raf...@debian.org
   webcalendar (U)
Carlos Laviola clavi...@debian.org
   fpc
Penny Leach pe...@mjollnir.org
   moodle (U)
Faidon Liambotis parav...@debian.org
   gnugk (U)
Xavier Luthi xav...@caroxav.be
   b2evolution
   pixelpost
Francois Marier franc...@debian.org
   moodle (U)
Christoph Martin christoph.mar...@uni-mainz.de
   boinc (U)
TSUCHIYA Masatoshi tsuch...@namazu.org
   texfam
Rene Mayorga rmayo...@debian.org
   boinc (U)
Jonathan McDowell nood...@earth.li
   onak
Mediawiki Maintenance Team pkg-mediawiki-de...@lists.alioth.debian.org
   mediawiki
Martin Meredith m...@debian.org
   symfony
Patrick Michaud pmich...@pobox.com
   parrot (U)
Miguel Gea Milvaques xera...@debian.org
   bulmages (U)
Loic Minier l...@dooz.org
   libgda3 (U)
Steffen Moeller steffen_moel...@gmx.de
   boinc (U)
Emilio Pozuelo Monfort po...@debian.org
   libgda3 (U)
René Mérou ochominutosdea...@gmail.com
   bulmages
Mazen Neifer ma...@freepascal.org
   fpc (U)
Javier Fernandez-Sanguino Pen~a j...@debian.org
   snort
Mathieu Petit-Clair m...@moodle.com
   moodle (U)
William Pitcock neno...@dereferenced.org
   dsyslog
Dan Poltawski talkto...@gmail.com
   moodle (U)
Mickael Profeta prof...@debian.org
   libpreludedb
Mark Purcell m...@debian.org
   gnugk (U)
   ser (U)
Allison Randal alli...@parrot.org
   parrot (U)
Tomeu Borràs Riera tbor...@conetxcia.com
   bulmages (U)
Jorge Salamero Sanz ben...@debian.org
   jabberd2 (U)
Jens Peter Secher j...@debian.org
   neko
Charlie Smotherman cj...@cableone.net
   ampache
Jörg Sommer jo...@alea.gnuu.de
   xindy
Radu Spineanu r...@debian.org
   pvpgn
Uwe Steinmann ste...@debian.org
   netmrg
Moodle Packaging Team moodle-packag...@catalyst.net.nz
   moodle
Fabio Tranchitella kob...@debian.org
   psycopg2
Andreas Tscharner a...@vis.ethz.ch
   cvsnt
Torsten Werner twer...@debian.org
   fpc (U)
Michal Čihař ni...@debian.org
   gammu
   rpm2html
Christoph Berg m...@debian.org
   libyada

--
Stefano Zacchiroli -o- PhD in Computer Science \ PostDoc @ Univ. Paris 7
z...@{upsilon.cc,pps.jussieu.fr,debian.org} -- http://upsilon.cc/zack/
Re: packages that use deprecated SQL escape functions
Hi Steffen,

In future checks it would be easier and more accurate to look for the deprecated functions in the binary packages, because not all of the packages ship/use all of the files they include in the source package.

FTR, in php 5.3 the mysql_escape_string function is marked as deprecated (and depending on the error reporting level it will warn) and in php6 it is gone.

And applications using pgsql don't need any change, as the pgsql extension uses PQescapeStringConn if available at compile time and if there's an active connection.

Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

--
To UNSUBSCRIBE, email to debian-devel-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Re: packages that use deprecated SQL escape functions
Raphael Geissert geiss...@debian.org writes:
> FTR, in php 5.3 the mysql_escape_string function is marked as deprecated (and depending on the error reporting level it will warn) and in php6 it is gone.

Reference, please? I'd like to know what function is recommended to replace this one.

--
“Never use a long word when there's a commensurate diminutive available.” —Stan Kelly-Bootle
Ben Finney
Re: packages that use deprecated SQL escape functions
2009-10-16, Ben Finney:
> Raphael Geissert geiss...@debian.org writes:
>> FTR, in php 5.3 the mysql_escape_string function is marked as deprecated (and depending on the error reporting level it will warn) and in php6 it is gone.
>
> Reference, please? I'd like to know what function is recommended to replace this one.

According to php.net [0], they recommend using 'mysql_real_escape_string' instead [1]. Note that mysql_real_escape_string behaves a little differently from mysql_escape_string, though.

[0] http://ar2.php.net/mysql_escape_string
[1] http://ar2.php.net/manual/en/function.mysql-real-escape-string.php

Regards,
Mauro

--
JID: lavaram...@jabber.org | http://lizaur.github.com/
2B82 A38D 1BA5 847A A74D 6C34 6AB7 9ED6 C8FD F9C1
Re: packages that use deprecated SQL escape functions
Mauro Lizaur deb...@cacavoladora.org writes:
> According to php.net [0], they recommend using 'mysql_real_escape_string' instead [1]. Note that mysql_real_escape_string behaves a little differently from mysql_escape_string, though.
>
> [0] http://ar2.php.net/mysql_escape_string
> [1] http://ar2.php.net/manual/en/function.mysql-real-escape-string.php

Thank you for the prompt answer.

--
“We spend the first twelve months of our children's lives teaching them to walk and talk and the next twelve years telling them to sit down and shut up.” —Phyllis Diller
Ben Finney
packages that use deprecated SQL escape functions
Hi everyone

We had a few issues in the past with insufficient database escaping, which led to possible SQL injections due to the use of the deprecated functions mysql_escape_string() and PQescapeString(). These functions do not take the encoding of the established connection into account, which can lead to insufficient escaping if the encoding of this connection can be set to certain multibyte character encodings (such as GBK). I found the explanation given in this email[0] quite useful to elaborate on the thread. In order to prevent this issue, the new functions mysql_real_escape_string() [1] and PQescapeStringConn()[2] have been added, which honour the specific encoding of the connection.

Thanks to Kees, I have prepared a list of packages (below) that are still using the deprecated functions. Apologies for all false positives, I've tried to eliminate as many as possible. If you find your package in the list below, please have a look at the code and check if you can change to the new functions. You are likely vulnerable to an SQL injection attack if you only rely on the deprecated functions for escaping (or have some self-made escaping for that matter) AND if it is possible to set the client encoding. If other encodings, such as UTF-8, are used, you are not vulnerable, so check that as well, please.

In the near future, I will try to do the archive scan again and file bugs with severity normal for the packages below that are still relying on the deprecated functions. (Should they be found vulnerable, the severity will be raised of course.) If you are in doubt about anything or if you found that your package is vulnerable, please contact the security team (t...@security.debian.org).

Cheers
Steffen

[0]: http://www.mail-archive.com/pgsql-hack...@postgresql.org/msg71061.html
[1]: http://dev.mysql.com/doc/refman/5.0/es/mysql-real-escape-string.html
[2]: http://www.postgresql.org/docs/8.4/static/libpq-exec.html

ampache: Charlie Smotherman cj...@cableone.net
./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $filenam2 = mysql_escape_string($filename);
./ampache-3.5.1/modules/getid3/extension.cache.mysql.php: $res2 = mysql_escape_string(serialize($result));

asterisk-addons: Debian VoIP Team pkg-voip-maintain...@lists.alioth.debian.org
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(clid, cdr->clid, strlen(cdr->clid));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(dcontext, cdr->dcontext, strlen(cdr->dcontext));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(channel, cdr->channel, strlen(cdr->channel));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(dstchannel, cdr->dstchannel, strlen(cdr->dstchannel));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(lastapp, cdr->lastapp, strlen(cdr->lastapp));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(lastdata, cdr->lastdata, strlen(cdr->lastdata));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(src, cdr->src, strlen(cdr->src));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(dst, cdr->dst, strlen(cdr->dst));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(accountcode, cdr->accountcode, strlen(cdr->accountcode));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(uniqueid, cdr->uniqueid, strlen(cdr->uniqueid));
./asterisk-addons-1.4.7/cdr/cdr_addon_mysql.c: mysql_escape_string(userfielddata, cdr->userfield, strlen(cdr->userfield));

b2evolution: Xavier Luthi xav...@caroxav.be
./b2evolution-2.4.7/blogs/inc/_core/model/db/_db.class.php: return mysql_escape_string( $unescaped_string );

boinc: Debian BOINC Maintainers pkg-boinc-de...@lists.alioth.debian.org
./boinc-6.4.5+dfsg/html/ops/bbcode_convert_signature.php: $query = "update forum_preferences set signature = '".mysql_escape_string($text)."' where userid=".$forum_preferences->userid;
./boinc-6.4.5+dfsg/html/ops/bbcode_convert.php: $query = "update post set content = '".mysql_escape_string($text)."' where id=".$post->id;
./boinc-6.4.5+dfsg/html/ops/bbcode_convert_response2.php: $query = "update profile set response2 = '".mysql_escape_string($text)."' where userid=".$profile->userid;
./boinc-6.4.5+dfsg/html/ops/bbcode_convert_response1.php: $query = "update profile set response1 = '".mysql_escape_string($text)."' where userid=".$profile->userid;
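The bypass Steffen describes above (a connection charset such as GBK in which the backslash an escaper inserts can be absorbed as the trailing byte of a two-byte character, leaving the quote live) can be shown end to end in a few lines. The following is an added example for this page, not code from Debian, MySQL, PostgreSQL or any of the packages listed: the GBK and UTF-8 byte-range checks are simplified versions of the real tables, parse_literal() is a model of the relevant part of a server's string lexer rather than the real thing, and the attacker input INJECT is constructed for the demonstration.

```python
"""Model of charset-unaware vs charset-aware SQL string escaping.

Added example, not code from any project in the thread.  gbk_char_len()
and utf8_char_len() are simplified (a few unassigned GBK code points are
ignored); parse_literal() models only how a server consumes multibyte
characters whole before it looks for a backslash or a closing quote.
"""

# Bytes a mysql_escape_string()-style escaper rewrites, mapped to the byte
# that follows the backslash in the escaped form.
ESCAPES = {0x00: b"0", 0x0A: b"n", 0x0D: b"r", 0x1A: b"Z",
           0x27: b"'", 0x22: b'"', 0x5C: b"\\"}
# Inverse mapping for the lexer; any other escaped byte stands for itself.
UNESCAPES = {ord("0"): 0x00, ord("n"): 0x0A, ord("r"): 0x0D, ord("Z"): 0x1A}


def gbk_char_len(buf: bytes, i: int) -> int:
    """2 if buf[i] is a GBK lead byte (0x81-0xFE) followed by a valid trail
    byte (0x40-0xFE except 0x7F), else 1.  0x5C, the backslash, is a valid
    trail byte: that is the whole problem."""
    if 0x81 <= buf[i] <= 0xFE and i + 1 < len(buf):
        t = buf[i + 1]
        if 0x40 <= t <= 0xFE and t != 0x7F:
            return 2
    return 1


def utf8_char_len(buf: bytes, i: int) -> int:
    """Length of a well-formed UTF-8 sequence at buf[i], else 1.  Trail
    bytes are 0x80-0xBF, so a backslash can never be absorbed into one."""
    b = buf[i]
    n = 2 if 0xC2 <= b <= 0xDF else 3 if 0xE0 <= b <= 0xEF else 4 if 0xF0 <= b <= 0xF4 else 1
    if n > 1 and i + n <= len(buf) and all(0x80 <= t <= 0xBF for t in buf[i + 1:i + n]):
        return n
    return 1


CHAR_LEN = {"gbk": gbk_char_len, "utf8": utf8_char_len}
IS_LEAD = {"gbk": lambda b: 0x81 <= b <= 0xFE, "utf8": lambda b: 0xC2 <= b <= 0xF4}


def naive_escape(data: bytes) -> bytes:
    """Charset-unaware, byte-at-a-time escaping, like mysql_escape_string()."""
    out = bytearray()
    for b in data:
        if b in ESCAPES:
            out += b"\\" + ESCAPES[b]
        else:
            out.append(b)
    return bytes(out)


def aware_escape(data: bytes, charset: str) -> bytes:
    """Connection-charset-aware escaping, like mysql_real_escape_string().

    Complete multibyte characters pass through untouched.  A byte that looks
    like a lead byte but is not followed by a valid trail byte is escaped
    itself, so the backslash added for a following quote can no longer be
    swallowed as that byte's trail byte.
    """
    char_len, is_lead = CHAR_LEN[charset], IS_LEAD[charset]
    out = bytearray()
    i = 0
    while i < len(data):
        n = char_len(data, i)
        b = data[i]
        if n > 1:
            out += data[i:i + n]
        elif is_lead(b) or b in ESCAPES:
            out += b"\\" + ESCAPES.get(b, bytes([b]))
        else:
            out.append(b)
        i += n
    return bytes(out)


def parse_literal(body: bytes, charset: str) -> tuple:
    """Lex the bytes after an opening quote the way a server with the given
    connection charset would.  Returns (literal value, bytes left after the
    closing quote); anything in the second element is now SQL syntax."""
    char_len = CHAR_LEN[charset]
    value = bytearray()
    i = 0
    while i < len(body):
        n = char_len(body, i)
        if n > 1:                                      # whole multibyte char
            value += body[i:i + n]
            i += n
        elif body[i] == 0x5C and i + 1 < len(body):    # backslash escape
            value.append(UNESCAPES.get(body[i + 1], body[i + 1]))
            i += 2
        elif body[i] == 0x27:                          # closing quote
            return bytes(value), body[i + 1:]
        else:
            value.append(body[i])
            i += 1
    raise ValueError("unterminated string literal")


# Constructed attacker input: a GBK lead byte immediately followed by a quote.
INJECT = b"\xbf' OR 1=1 -- "


def injected_sql(escaped: bytes, charset: str) -> bytes:
    """Bytes that escape the literal in  ... WHERE name = '<escaped>'  when the
    server lexes with `charset`; b'' means the value stayed inside the quotes."""
    _, rest = parse_literal(escaped + b"'", charset)
    return rest


if __name__ == "__main__":
    print("naive escaping, GBK connection:  ", injected_sql(naive_escape(INJECT), "gbk"))
    print("naive escaping, UTF-8 connection:", injected_sql(naive_escape(INJECT), "utf8"))
    print("aware escaping, GBK connection:  ", injected_sql(aware_escape(INJECT, "gbk"), "gbk"))
```

Run stand-alone it prints what ends up outside the literal for each combination. With byte-at-a-time escaping and a GBK connection the remainder is ` OR 1=1 -- '`: the escaper turned `0xBF 0x27` into `0xBF 0x5C 0x27`, the lexer read `0xBF 0x5C` as one character, and the quote terminated the literal. With a UTF-8 connection the same escaping is safe, because `0x5C` is never a UTF-8 trail byte, which is the basis for Steffen's remark that deployments using other encodings such as UTF-8 are not affected. With charset-aware escaping the stray lead byte is escaped on its own (`0x5C 0xBF 0x5C 0x27`) and the whole value stays inside the quotes, which is what mysql_real_escape_string() and PQescapeStringConn() do when they know the connection encoding.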
Re: packages that use deprecated SQL escape functions
On Thu, Oct 15, 2009 at 01:26:14PM +1100, Steffen Joeris wrote:
> In the near future, I will try to do the archive scan again and file bugs with severity normal for the packages below that are still relying on the deprecated functions. (Should they be found vulnerable, the severity will be raised of course.)

Dear Steffen,

shouldn't the upstream maintainer(s) be warned before the security issue is advertised in public?

Have a nice day,

--
Charles Plessy
Debian Med packaging team, http://www.debian.org/devel/debian-med
Tsurumi, Kanagawa, Japan
Re: packages that use deprecated SQL escape functions
Hi Charles

On Thu, 15 Oct 2009 01:50:35 pm Charles Plessy wrote:
> On Thu, Oct 15, 2009 at 01:26:14PM +1100, Steffen Joeris wrote:
>> In the near future, I will try to do the archive scan again and file bugs with severity normal for the packages below that are still relying on the deprecated functions. (Should they be found vulnerable, the severity will be raised of course.)
>
> Dear Steffen,
>
> shouldn't the upstream maintainer(s) be warned before the security issue is advertised in public?

Before I sent the list, I checked some of the major packages together with the maintainers, so there was some work that happened in the background before publication. Also, I don't expect many of the packages below to be vulnerable, because not every application allows the setting of the client encoding. Also, I've released a few DSAs to update common bindings in different languages that only offered the deprecated functions. At this stage, it is better to publish this list and ask the maintainers for help, because we don't have the manpower to check them all individually and test them.

Cheers
Steffen