Re: [AOLSERVER] Is this vulnerable to sql injection?

2009-12-04 Thread John Buckman
 I've been alerted that a site I maintain, running on AOLserver 4.5.0
 using the nspostgres driver, may be vulnerable to sql injection.
 
 A typical adp page performs a query like this:
 
 set sql_query "select * from sometable where entrynumber = $id"
 
 In a previous discussion thread here (ns_db and bind variable
 support) I see ns_db prepare... mentioned.  Is that a safer way to
 perform db queries in adp pages?

Yes, you're vulnerable to a SQL injection attack in the example above, if the 
id variable is coming from the user.  Most every web programming language has 
the same vulnerability.

You need to quote-protect any input from a user to prevent this attack.  I use:

 proc sqlquote {in} {
   # double every single quote: '' is how SQL spells a literal ' inside '...'
   regsub -all {'} $in {''} out
   return $out
 }

otherwise the user can put an end-quote in the input they send you, and then 
put their own sql statement in to execute. It's a very simple attack to perform.

i.e. your code should look like this:

 set sql_query "select * from sometable where entrynumber = '[sqlquote $id]'"  ;# value inside single quotes, so the doubling matters


Note that SQLite has built-in Tcl support that does this automatically, which 
is very convenient.

-john


--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to 
lists...@listserv.aol.com with the
body of SIGNOFF AOLSERVER in the email message. You can leave the Subject: 
field of your email blank.
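To make the reply above concrete, here is an added example (not John's code and not anything shipped with AOLserver): pure Tcl that builds the three versions of the query discussed in this thread, so you can see what the interpolation, the quote-doubling, and the "only digits" check each do to the SQL text. The table and column names are the ones from the question; `build_unsafe`, `build_quoted`, `build_checked` and the hostile inputs are constructed for the demonstration. One caveat on quote-doubling alone: with PostgreSQL's pre-9.1 default of `standard_conforming_strings = off`, a backslash in the value escapes the quote after it, so input such as `\'` gets past a routine that only doubles `'`; that is one more reason to validate numeric parameters as numbers (or use the driver's bind-variable path) rather than relying on escaping.

```tcl
# Added example for this thread (not John's code, not AOLserver's): why
# "entrynumber = $id" is injectable and what each fix does to the SQL.
# Nothing touches a database; run with tclsh and read the printed queries.

# Quote-doubling, as recommended above.  Braces keep Tcl from treating the
# quote characters specially; the replacement '' is how SQL spells a
# literal ' inside a '...' string.
proc sqlquote {in} {
    regsub -all {'} $in {''} out
    return $out
}

# 1. The original pattern.  Whatever the client sent is now SQL syntax.
proc build_unsafe {id} {
    return "select * from sometable where entrynumber = $id"
}

# 2. sqlquote plus single quotes around the value.  The quotes matter:
#    doubling ' in a value that is spliced in bare changes nothing,
#    because there is no string literal for the attacker to break out of.
proc build_quoted {id} {
    return "select * from sometable where entrynumber = '[sqlquote $id]'"
}

# 3. Validation for an integer key: refuse anything that is not a run of
#    digits before it gets near the SQL.  This is the "non-integers"
#    check for well-known form variables such as id suggested later in
#    the thread, and it is the right guard for a numeric column whatever
#    quoting is used.
proc build_checked {id} {
    if {![regexp {^[0-9]+$} $id]} {
        error "entrynumber must be a non-negative integer, got: $id"
    }
    return "select * from sometable where entrynumber = $id"
}

# Constructed hostile inputs, e.g. what arrives from GET /page?id=1+or+1%3D1
set tautology   {1 or 1=1}
set quote_break {' or '1'='1}

puts "unsafe:  [build_unsafe $tautology]"    ;# WHERE clause is now "1 or 1=1": every row
puts "quoted:  [build_quoted $quote_break]"  ;# one literal; the quotes inside are doubled
puts "quoted:  [build_quoted $tautology]"    ;# one literal; for an integer column PostgreSQL
                                              ;# raises a type error instead of running it
if {[catch {build_checked $tautology} msg]} {
    puts "checked: rejected ($msg)"
}
puts "checked: [build_checked 1456]"
```

The usual recommendation is to apply both guards: validate the shape of every parameter you know the type of, and never splice a value into SQL text without the quoting (or, better, the bind-variable mechanism) that turns it into a literal.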


Re: [AOLSERVER] Is this vulnerable to sql injection?

2009-12-04 Thread Don Baccus

On Dec 4, 2009, at 8:00 AM, bthj wrote:


In a previous discussion thread here (ns_db and bind variable
support) I see ns_db prepare... mentioned.  Is that a safer way to
perform db queries in adp pages?




Just use the bind variable emulation ... select * from foo where id  
= :id rather than $id.


SQL smuggling fears gone forever ...


Don Baccus
http://donb.photo.net
http://birdnotes.net
http://openacs.org




Re: [AOLSERVER] Is this vulnerable to sql injection?

2009-12-04 Thread Dossy Shiobara
On 12/4/09 11:00 AM, bthj wrote:
 set sql_query "select * from sometable where entrynumber = $id"

Replace $id with [ns_dbquotevalue $id] instead.

-- 
Dossy Shiobara  | do...@panoptic.com | http://dossy.org/
Panoptic Computer Network   | http://panoptic.com/
  He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on. (p. 70)




Re: [AOLSERVER] Is this vulnerable to sql injection?

2009-12-04 Thread Don Baccus

On Dec 4, 2009, at 10:29 AM, Jeff Rogers wrote:


Unfortunately the postgres driver doesn't protect against  
DML injection.


The bind variable emulation does.  It essentially does the quoting  
that an earlier poster recommended one do manually.


No muss, no fuss...


Don Baccus
http://donb.photo.net
http://birdnotes.net
http://openacs.org


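As an added illustration of the point Don makes here (this is not the nspostgres or OpenACS implementation, just a toy written for this thread): a minimal bind-variable emulation in pure Tcl. It scans the SQL text for `:name` placeholders and replaces each with the value of the caller's Tcl variable of that name, wrapped in single quotes with embedded quotes doubled, which is the quoting an earlier poster suggested doing by hand. Because the SQL is written in braces, Tcl's own substitution never touches it, so a hostile value can only ever become a literal. The procedure name `bind_emulate`, the sample table and column names, and the NULL-for-empty rule are assumptions of this example.

```tcl
# Added example (not the real driver code): a toy bind-variable emulation
# showing what ":id" instead of "$id" buys you.  Needs Tcl 8.5+ (lassign).
# Run with tclsh; nothing is sent to a database.

proc sqlquote {in} {
    regsub -all {'} $in {''} out
    return $out
}

# Substitute every :name in $sql from the variables of the calling scope.
# Design choices of this toy: an empty Tcl string becomes SQL NULL; a
# "::" as in a PostgreSQL cast (:id::int) is left alone; text inside SQL
# string literals is NOT skipped, so do not use ':' in literals.
proc bind_emulate {sql} {
    # Each match yields three index pairs: the whole match, the character
    # before the colon (empty at start of string), and the variable name.
    set matches [regexp -all -inline -indices \
        {(^|[^:]):([A-Za-z_][A-Za-z0-9_]*)} $sql]
    set out ""
    set pos 0
    foreach {whole pre name} $matches {
        lassign $name ns ne
        set var [string range $sql $ns $ne]
        if {![uplevel 1 [list info exists $var]]} {
            error "bind variable :$var has no value in the calling scope"
        }
        set value [uplevel 1 [list set $var]]
        # Copy the SQL up to, but not including, the colon at index ns-1.
        append out [string range $sql $pos [expr {$ns - 2}]]
        if {$value eq ""} {
            append out NULL
        } else {
            append out "'[sqlquote $value]'"
        }
        set pos [expr {$ne + 1}]
    }
    append out [string range $sql $pos end]
    return $out
}

# Constructed inputs: a hostile id, a legitimate value containing a quote,
# and an empty optional filter.
set id      {1456 or 1=1}
set creator {O'Brien}
set note    {}

puts [bind_emulate {select * from acs_objects where object_id = :id}]
puts [bind_emulate {select * from acs_objects where creation_user = :creator and title = :note}]
puts [bind_emulate {select count(*) from acs_objects where object_id = :id::int}]
```

The hostile `id` comes out as a single quoted literal rather than as SQL syntax, and since `object_id` is an integer column PostgreSQL would reject that literal with a type error rather than evaluate the attacker's condition. Two things to keep in mind with any emulation of this kind: `title = NULL` is never true in SQL (you need `is null`), so the empty-string-to-NULL rule is handy for inserts but a trap in WHERE clauses; and quoting every value as a string is safe against injection but relies on the database to coerce the literal to the column's type.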


Re: [AOLSERVER] Is this vulnerable to sql injection?

2009-12-04 Thread iuri de araujo sampaio

Reading the last discussion ...
aside from the magic words from Don to just change $id to :id, which would 
solve the issue,
and the nice and very conceptual answer from Jeff, 
I tried to play a bit in an attempt to understand and practice the 
SQL injection stuff.


I tried to run the following Tcl script

set id 1456
set sql_query "select * from acs_objects where object_id = :id"
set db [ns_db gethandle]
set selection [ns_db select $db $sql_query]
ns_db getrow $db $selection



but I got an error at [ns_db gethandle].
I ran the script from a Tcl page within the www directory.


How do I fix it?

iuri


[04/Dec/2009:08:24:14][2307.2998479792][-default:3-] Error: dbinit: db 
handle limit exceeded: thread already owns 1 handle from pool 'pool1'
[04/Dec/2009:08:24:14][2307.2998479792][-default:3-] Warning: 
/sqlinjection has no doc(title) set.
[04/Dec/2009:08:24:14][2307.2998479792][-default:3-] Error: GET 
http://192.168.1.15/sqlinjection?

referred by 
could not allocate 1 handle(s) from pool pool1
   while executing
ns_db gethandle
   (uplevel body line 5)
   invoked from within
uplevel {

set id 1456
set sql_query select * from acs_objects where object_id = :id
set db [ns_db gethandle]
set selection [ns_db select $db $sql_q...
   (procedure 
code::tcl::/usr/local/aolserver/servers/openacs/www/sqlinjec... line 2)

   invoked from within
code::tcl::$__adp_stub
   (uplevel body line 12)
   invoked from within
uplevel {

   if { [file exists $__adp_stub.tcl] } {

 # ensure that data source preparation procedure exists and is 
up-to-date

 adp_init t...
   (procedure adp_prepare line 2)
   invoked from within
adp_prepare
   invoked from within
template::adp_parse [file root [ad_conn file]] {}
   (procedure adp_parse_ad_conn_file line 6)
   invoked from within
$handler
   (uplevel body line 2)
   invoked from within
uplevel $code
   invoked from within
ad_try {
   $handler
   } ad_script_abort val {
   # do nothing
   }
   invoked from within
rp_serve_concrete_file [ad_conn file]
   (procedure rp_serve_abstract_file line 60)
   invoked from within
rp_serve_abstract_file $root/[ad_conn extra_url]
   (uplevel body line 2)
   invoked from within
uplevel $code
   invoked from within
ad_try {
   rp_serve_abstract_file $root/[ad_conn extra_url]
   set tcl_url2file([ad_conn url]) [ad_conn file]
   set tcl...
[04/Dec/2009:08:24:20][2307.2997423024][-sched:17-] Notice: Running 
notification::sweep::sweep_notifications





Jeff Rogers wrote:
The short answer is yes, it might be vulnerable; it depends on what 
scrubbing you do of your input data.


The good news is that it's also fairly easy to fix.  If you're using 
openacs then there's already a set of tools 
(check_for_form_variable_naughtiness) for checking what is being 
passed into your forms.


Otherwise, you could add in a site-wide filter that checks various 
well-known form vars (such as id) for stuff that shouldn't be there 
(like non-integers).


Unfortunately the postgres driver doesn't protect against DML 
injection.  I'm fairly certain it wasn't possible to do so before 
postgres 8 because of the APIs available, and the driver probably 
hasn't been updated to use the new APIs (PQexecParams instead of 
PQexec) and besides, doing so would probably break existing code.


There's another subtler problem too, in that the db drivers support 3 
different query methods - select, dml, and generic exec.  However, if 
the generic exec method is supported at all, then the (possibly) more 
specific select or dml calls are not used.


-J


I've been alerted that a site I maintain, running on AOLserver 4.5.0
using the nspostgres driver, may be vulnerable to sql injection.

A typical adp page performs a query like this:

set sql_query "select * from sometable where entrynumber = $id"
set db [ns_db gethandle]
set selection [ns_db select $db $sql_query]
ns_db getrow $db $selection
...

I would guess that ns_db select would make any damaging injected dml
statements impossible.  Is that correct?

In a previous discussion thread here (ns_db and bind variable
support) I see ns_db prepare... mentioned.  Is that a safer way to
perform db queries in adp pages?

/Björn




Re: [AOLSERVER] Is this vulnerable to sql injection?

2009-12-04 Thread Don Baccus

On Dec 4, 2009, at 3:15 PM, iuri de araujo sampaio wrote:


Reading the last discussion ...
aside from the magic words from Don to just change $id to :id, which would  
solve the issue,
and the nice and very conceptual answer from Jeff, I tried to play a  
bit in an attempt to understand and practice the SQL injection stuff.


I tried to run the following Tcl script

set id 1456
set sql_query "select * from acs_objects where object_id = :id"
set db [ns_db gethandle]
set selection [ns_db select $db $sql_query]
ns_db getrow $db $selection



but I got an error at [ns_db gethandle].
I ran the script from a Tcl page within the www directory.


How do I fix it?



Since you're doing this in an openacs instance, use the openacs db_*  
API.



Don Baccus
http://donb.photo.net
http://birdnotes.net
http://openacs.org

