Bugtraq mailing list archives
Re: RFP2K01 - "How I hacked Packetstorm" (wwwthreads advisory)
From: rfp () WIRETRIP NET (rain forest puppy)
Date: Tue, 8 Feb 2000 12:30:49 -0600
Just wanted to drop a few notes in regards to what some people just brought up..

Barclay Osborn wrote:
> Maybe I'm reading this wrong, but I've never been able to piggyback commands through mysql/DBI execute()'s, regardless of newlines, and even when I have privs:

No, you're correct. MySQL doesn't allow it. But the whole world does not use MySQL.

> that's good, but you need to also make sure that your grant tables are set up correctly and you only accept from a predefined list of tables,

This deals with database-specific permissions and such.

Kelly Setzer wrote:
> No exceptions. Not even if something is supposed to fail with invalid input. Always check it. You know you don't control the client. You may be overestimating how much control you have over your backend, supporting software, or development environment.

Well said.

Jaanus Kase wrote:
> besides, when using PHP as front end, it has the nice AddSlashes and StripSlashes functions

What about Perl? TCL? C? ASP? CFML? And for all the people that sent me notes saying Oracle can do such-and-such, what about MySQL? MS SQL? Informix?

Point being, I'm glad various products have their different little ways of partially helping deal with this problem. However, you shouldn't become dependent on a function contained within one language--you should be aware of the general issue, and be able to combat it regardless of backend DB or frontend language.

My advisory specifically dealt with MySQL, but it was meant to be a general overview on unexpected input. Unexpected input is a problem of all worlds. So please don't acknowledge it as not a problem if, within your technical setup/world, it may be implicitly benign. Read between the lines, look beyond the methods. The issue is unexpected user data. Great if you are safe against the few methods I mentioned, but there are many more where that came from. You must be proactive in thought and planning on the whole, not reactive only to each little method mentioned. Think 'out of the box.'

- rfp
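
The checks discussed in this thread (a predefined list of tables, validating every client-supplied value whatever the backend, and bound values rather than a language-specific escaping function), as an added example that is not part of the original post. Python's sqlite3 stands in for any backend; the table names, `ALLOWED_TABLES`, the function names and the sample rows are assumptions made for illustration.

```python
import sqlite3

# Hypothetical allow-list: identifiers such as table names cannot be bound,
# so they must come from a fixed set, never straight from the client.
ALLOWED_TABLES = {"users", "posts"}

def make_db():
    """Build an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users (id, name) VALUES (?, ?)",
                   [(1, "alice"), (2, "bob")])
    return db

def fetch_name(db, table, row_id):
    """Look up one row, validating every client-supplied value first."""
    # 1. Table name: exact match against the predefined list, nothing else.
    if table not in ALLOWED_TABLES:
        raise ValueError("table not allowed")
    # 2. Row id: short run of ASCII digits, checked before it nears the query.
    row_id = str(row_id)
    if not (row_id.isascii() and row_id.isdigit()) or len(row_id) > 9:
        raise ValueError("id must be a short decimal number")
    # 3. Bind the value; the driver passes it as data, not as SQL text.
    cur = db.execute(f"SELECT name FROM {table} WHERE id = ?", (int(row_id),))
    row = cur.fetchone()
    return row[0] if row else None

def find_by_name(db, name):
    """Free-text input has no strict pattern, so it is only ever bound."""
    cur = db.execute("SELECT id FROM users WHERE name = ?", (name,))
    return [r[0] for r in cur.fetchall()]

if __name__ == "__main__":
    db = make_db()
    print(fetch_name(db, "users", "1"))
    # Constructed input containing a quote: matched literally, finds nothing.
    print(find_by_name(db, "alice' --"))
```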