Full Disclosure mailing list archives
When standards attack...
From: H D Moore <fdlist () digitaloffense net>
Date: Thu, 20 Mar 2008 08:30:43 -0500
The WebKit folks just added client-side SQL database support:

http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/
http://glazkov.com/blog/html5-gears-wrapper/

In addition to all of the existing attacks through a web browser, we can now take into account SQLite vulnerabilities and client-side SQL injection issues as well.

From the security section of the specification:

http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql

"""
[ 4.11.8.1. User agents ]

User agent implementors are strongly encouraged to audit all their supported SQL statements for security implications. For example, LOAD DATA INFILE is likely to pose security risks and there is little reason to support it.

In general, it is recommended that user agents not support features that control how databases are stored on disk. For example, there is little reason to allow Web authors to control the character encoding used in the disk representation of the data, as all data in ECMAScript is implicitly UTF-16.

[ 4.11.8.2. SQL injection ]

Authors are strongly recommended to make use of the ? placeholder feature of the executeSql() method, and to never construct SQL statements on the fly.
"""

...because letting developers choose to bind their query parameters has worked so well before ;-)

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
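The spec's "? placeholder" advice is SQLite's own positional parameter binding, which is what executeSql() exposes to page script. The following is an added illustration, not code from the post, the WHATWG spec or WebKit: it uses Python's standard sqlite3 module as a stand-in for the SQLite engine behind a client-side database, with a constructed "notes" table, and shows the same lookup written the way the spec warns against (concatenating the value into the statement) beside the bound-parameter form it recommends. The helper names (open_sample_db, notes_for_owner_concat, notes_for_owner_bound, execute_sql) are this example's own.

```python
import sqlite3

# Constructed sample rows standing in for a per-origin client-side store.
SAMPLE_NOTES = [
    ("alice", "alice's grocery list"),
    ("alice", "alice's travel plans"),
    ("bob", "bob's private note"),
]


def open_sample_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed notes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (owner TEXT NOT NULL, body TEXT NOT NULL)")
    conn.executemany("INSERT INTO notes (owner, body) VALUES (?, ?)", SAMPLE_NOTES)
    conn.commit()
    return conn


def execute_sql(conn: sqlite3.Connection, sql: str, args=()) -> list:
    """Mirror the executeSql(sql, args) shape: SQLite parses the statement
    first and only then binds each ? to the matching entry of args, so a
    bound value is always data and never part of the statement's grammar.
    A placeholder/argument count mismatch is rejected before anything runs."""
    return conn.execute(sql, tuple(args)).fetchall()


def notes_for_owner_concat(conn: sqlite3.Connection, owner: str) -> list:
    """The form the spec warns against: the value is spliced into the SQL text,
    so a quote character in it changes the statement itself."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    return [row[0] for row in execute_sql(conn, sql)]


def notes_for_owner_bound(conn: sqlite3.Connection, owner: str) -> list:
    """The recommended form: the value travels separately as a bound parameter,
    so the same input is compared literally against the owner column."""
    sql = "SELECT body FROM notes WHERE owner = ?"
    return [row[0] for row in execute_sql(conn, sql, (owner,))]


def binding_mismatch_rejected(conn: sqlite3.Connection) -> bool:
    """True if the engine refuses a statement whose ? count does not match
    the number of supplied arguments (sqlite3 raises ProgrammingError)."""
    try:
        execute_sql(conn, "SELECT body FROM notes WHERE owner = ?", ())
    except sqlite3.ProgrammingError:
        return True
    return False


if __name__ == "__main__":
    db = open_sample_db()
    probe = "' OR '1'='1"  # a value containing a quote, supplied as "owner"
    print("concat, normal input :", notes_for_owner_concat(db, "alice"))
    print("concat, quoted input :", notes_for_owner_concat(db, probe))
    print("bound,  normal input :", notes_for_owner_bound(db, "alice"))
    print("bound,  quoted input :", notes_for_owner_bound(db, probe))
    print("mismatch rejected    :", binding_mismatch_rejected(db))
```

Running it shows the concatenated query returning every row for the quoted input while the bound query returns none, which is the whole of the spec's point: with binding, the engine never re-parses application data. The mismatch check is the property that makes the ? form reviewable, since a statement with more placeholders than arguments fails closed instead of running with something silently left unbound.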