WebApp Sec mailing list archives
Re: Serverside script injection?
From: "JAMES J FERRARA" <jferr007 () odu edu>
Date: Mon, 13 Jan 2003 03:41:32 -0500
At the base of this, I believe, is the principle that 100% of user input must go through a parsing process. For PHP, this means addslashes(), especially for something that goes into MySQL or any other SQL statement.

I once saw an nslookup tool that took user input in the form of an IP address or a hostname as $input and ran the command system("nslookup $input"); or somesuch; without filtering, we can see the drastic effects this could have (ns.php?input=127.0.0.1%20&&%20rm%20/%20-rf).

-James Ferrara
SIG: Looking for an internship in the Wash DC area.

To: joh ket <johket () hotmail com>
cc: webappsec () securityfocus com
bcc:
Subject: Re: Serverside script injection?
From: Peter Conrad <conrad () tivano de>
Date: 01/13/2003 09:12 AM CET

Hi,

On Fri, Jan 10, 2003 at 09:05:31AM -0000, joh ket wrote:
> I have a question regarding serverside script injection. Does it exist - is it possible?

Depending on how you'd define "serverside script injection" the answer would usually be "yes". :-)

> In the past there were some vulnerabilities in serverside scripts. It was possible to execute OS-commands through URL/userinput manipulation, I assume this happened mostly with CGI and perl scripts. Was this just based on the way the variables (userinput) were used in OS commands, and if the 'user data' was able to break out the intended command?

That was (is?) a quite common problem, but probably not the only one.

> I think it depends on the applicationserver software if 'serverside script injection' is possible or not (assuming the programmer/coder does not want any security).

No! The programmer of a web application *must* be aware of the security implications of his programs. Otherwise I think it is possible in *any* application server (that allows Turing-complete programming) to write a program that can be exploited. It is true that some application servers make this easier than others.

> Is it (theoretically) possible on ASP servers to inject 'malicious' code into the webpage, so that it is processed on the serverside? Is it possible on PHP or Coldfusion?

I remember a posting (probably on bugtraq) a couple of days ago, where some user data was being written to a file, and the username was used as the filename. So if your username was "someone.php" and you requested that file via HTTP the server would parse it as a PHP page - executing any commands you had embedded in your "user data". That kind of thing would work on an ASP or JSP server as well.

Bye,
Peter
--
Peter Conrad
Tel: +49 6102 / 80 99 072
[ t]ivano Software GmbH
Fax: +49 6102 / 80 99 071
Bahnhofstr. 18
63263 Neu-Isenburg
Germany
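
The nslookup case described in the message above, as an added example that is not part of the original thread: it validates the input against an allow-list (IP literal or plain hostname) and runs the command without a shell, rather than relying on addslashes(). The function names `validate_lookup_target` and `run_nslookup` are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example, not code from the thread. Function names are hypothetical.

// Accept only an IP literal or a plain DNS hostname; anything else is rejected.
function validate_lookup_target(string $input): ?string
{
    if (filter_var($input, FILTER_VALIDATE_IP) !== false) {
        return $input;
    }
    // Labels of letters, digits and inner hyphens, joined by dots. Spaces and
    // shell metacharacters cannot match, and a leading '-' (which nslookup
    // would read as an option) is refused. /D stops '$' matching before "\n".
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $pattern = '/^' . $label . '(?:\.' . $label . ')*$/D';
    if (strlen($input) <= 253 && preg_match($pattern, $input) === 1) {
        return $input;
    }
    return null;
}

// Run nslookup without a shell. Since PHP 7.4, an array command makes
// proc_open() execute the program directly, so '&&' or ';' is never interpreted.
function run_nslookup(string $target): string
{
    $proc = proc_open(['nslookup', $target], [1 => ['pipe', 'w']], $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start nslookup');
    }
    $output = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $output;
}

// Constructed sample inputs; the second is the decoded query string from the post.
$samples = ['127.0.0.1', '127.0.0.1 && rm / -rf', 'ns1.example.com', '-type=any', "example.com\n"];
foreach ($samples as $s) {
    $verdict = validate_lookup_target($s) === null ? 'rejected' : 'accepted';
    printf("%-28s %s\n", json_encode($s, JSON_UNESCAPED_SLASHES), $verdict);
}
// A caller passes only an accepted value on to run_nslookup().
```

The demo loop only exercises the validator, so it runs without network access or an installed nslookup binary.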