>
>Here's a simple idea for a fix; is this too expensive/clumsy? Note: not
>a patch or a diff yet, just seeking feedback...
Well, for security, you probably want to do things the other way around:
rather than seeking out potentially bad characters, do the opposite and
just let through the "good" characters (a-zA-Z0-9, and properly escape
punctuation). The reason is that there's other characters such as NULLs and
other ASCII values that normal users will never input, but may cause SQL
interpreters to behave in strange (and possibly insecure) ways. You also
don't want to delete characters like ' and ", since they may be perfectly
valid as search parameters. They need to be escaped. A good example of how
to properly escape for a given database is in the Perl DBI modules and DBD
drivers (the DBI quote method). In fact, this work should probably be done
by the JDBC driver in the first place:
java.sql.SQLException: ...
at org.gjt.mm.mysql.Connection.execSQL(Connection.java:807)
at org.gjt.mm.mysql.Connection.execSQL(Connection.java:740)
at org.gjt.mm.mysql.Statement.executeQuery(Statement.java:159)
at com.workingdogs.village.QueryDataSet.<init>(QueryDataSet.java:112)
Since the error is in the java.sql.SQLException module, and it's using the
"village" SQL module by workingdogs, perhaps this module fails to use the
java.sql.statement->setEscapeProcessing method? That may more easily solve
all the problems.
> private String removeChars(String s)
> {
> /**
> *Remove punctuation, regexp chars, etc. from the string.
> */
> char[] REMOVE_CHAR = { '!' , '#' , '$' , '%' , '&' , '\'' ,
> '(' , ')' , '*' , '+' , ',' ,
> '-' , '.' , '/' , ':' , ';' , '<' ,
> '=' , '>' , '?' , '@' , '[' , '\\' ,
> ']' , '^' , '_' , '`' , '{' , '|' ,
> '}' , '~' };
>
> for (int i = 0; i < REMOVE_CHAR.length; i++)
> s = s.replace(REMOVE_CHAR[i],' ');
> s = s.trim();
> return s;
> }
>
> >
> > This can probably be abused to get unauthorized access to the MySQL
> > database.
>
>I don't understand how that would work, can you elaborate?
Well basically, you can use the single-quote to falsely "terminate" the SQL
statement, and then append additional "bad" SQL commands to the statement
by using a ";". The general idea for a malicious input string would then
look like:
' ; drop all databases ; #
Though this would not work in the existing jyve implementation (I believe
the JDBC driver thinks that the # which is a comment indicator, is invalid
SQL, but I could be wrong.)
For more references on this, check out:
http://www.wiretrip.net/rfp/p/doc.asp?id=42&iface=2
http://www.phrack.com/search.phtml?view&article=p54-8
http://www.mysql.com/Manual_chapter/manual_Privilege_system.html#General_security (section 6.1)
Regards,
-Gary Gurevich
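An added example (my own code, not from this thread, the jyve code, or the village/mm.mysql projects) of the approach the reply above argues for: validate the search term against an allow-list, then let the JDBC driver do the quoting through PreparedStatement parameter binding. The quoted removeChars() deny-list is reproduced for side-by-side comparison. The table name `faq`, the columns `id` and `title`, the 64-character limit, the `!` LIKE escape character, and the helper names are all my assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;

/**
 * Added example (not code from the thread): allow-list validation of a search
 * term, then a parameterised JDBC query so the driver handles quoting.
 */
public class SearchInputExample {

    // Deny-list reproduced from the quoted removeChars(), for comparison only.
    private static final char[] REMOVE_CHAR = { '!', '#', '$', '%', '&', '\'',
        '(', ')', '*', '+', ',', '-', '.', '/', ':', ';', '<', '=', '>', '?',
        '@', '[', '\\', ']', '^', '_', '`', '{', '|', '}', '~' };

    static String removeChars(String s) {
        for (char c : REMOVE_CHAR) {
            s = s.replace(c, ' ');
        }
        return s.trim();
    }

    /**
     * Allow-list check: letters and digits pass as-is; printable ASCII
     * punctuation (including ' and ") passes because the driver will quote it;
     * NUL, newline, other control characters and non-ASCII are rejected.
     * The 64-character bound is an assumed limit, not a requirement of the page.
     */
    static boolean isAllowedSearchTerm(String s) {
        if (s == null || s.isEmpty() || s.length() > 64) {
            return false;
        }
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c < 0x20 || c > 0x7E) {
                return false;
            }
        }
        return true;
    }

    /**
     * Escape LIKE wildcards using '!' as the escape character (chosen so the
     * same SQL works on MySQL, where a bare backslash inside a string literal
     * is itself an escape).  Quoting of ' and " remains the driver's job.
     */
    static String escapeLike(String s) {
        return s.replace("!", "!!").replace("%", "!%").replace("_", "!_");
    }

    /**
     * Parameterised query (table and column names are assumed).  The term is
     * bound with setString, so input shaped like  ' ; drop ... ; #  is matched
     * as text and never parsed as SQL.
     */
    static PreparedStatement prepareSearch(Connection conn, String term)
            throws SQLException {
        if (!isAllowedSearchTerm(term)) {
            throw new IllegalArgumentException("search term contains disallowed characters");
        }
        PreparedStatement ps = conn.prepareStatement(
            "SELECT id, title FROM faq WHERE title LIKE ? ESCAPE '!'");
        ps.setString(1, "%" + escapeLike(term) + "%");
        return ps;
    }

    // Exercises only the string handling; prepareSearch needs a live Connection.
    public static void main(String[] args) {
        String[] inputs = {
            "O'Brien",                    // legitimate; the deny-list mangles it
            "' ; drop all databases ; #", // the shape described in the message
            "\"quoted\"\n-- ",            // double quote and newline: not on the deny-list
            "abc\u0000def"                // NUL: not on the deny-list
        };
        for (String in : inputs) {
            System.out.printf("%-34s removeChars=%-24s allow-list=%s%n",
                show(in), show(removeChars(in)),
                isAllowedSearchTerm(in) ? "accept" : "reject");
        }
    }

    // Make control characters visible in the printed comparison.
    static String show(String s) {
        return "[" + s.replace("\n", "\\n").replace("\u0000", "\\0") + "]";
    }
}
```

Running main shows the two failure modes the reply describes: the deny-list turns the legitimate `O'Brien` into `O Brien`, yet passes the double quote, the newline and the NUL untouched because they are not in its table, while the allow-list accepts `O'Brien` unchanged and rejects the inputs containing control characters. The `' ; drop ...` string passes the allow-list too; that is intended, since once it is bound with setString it is nothing more than a search term.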
--
--------------------------------------------------------------
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Archives and Other: <http://java.apache.org/main/mail.html>
Problems?: [EMAIL PROTECTED]