WebApp Sec mailing list archives

Re: Serverside script injection?


From: "Jeff Williams @ Aspect" <jeff.williams () aspectsecurity com>
Date: Mon, 13 Jan 2003 10:31:58 -0500

You might want to look at WebGoat at OWASP. The last stage of the
challenge isn't exactly a script injection, but it works in a sort of
similar way.  You need to know about server-side include SSI syntax to
finish it.

--Jeff

Jeff Williams
jeff.williams () aspectsecurity com
Aspect Security, Inc.
www.aspectsecurity.com



----- Original Message -----
From: Marco Aldegheri
To: joh ket
Cc: webappsec () securityfocus com
Sent: Monday, January 13, 2003 8:51 AM
Subject: Re: Serverside script injection?


I found an example "built to duplicate some of PHPs built in
functionality", suggested in:
www.planet-source-code.com/vb/scripts/ShowCode.asp?lngWId=4&txtCodeId=6278
where the VarsFromForm function captures the querystring and executes
some code based on it:

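Public Sub VarsFromForm
     ' Builds a VBScript assignment from each field name and value, then runs it.
     ' Only the value is escaped (quotes doubled); the field name is used as-is.
     For Each item In request.form
          execute(item & "=""" & Replace(request.form(item), Chr(34), Chr(34) & Chr(34)) & """")
     Next
     For Each item In request.QueryString
          execute(item & "=""" & Replace(request.QueryString(item), Chr(34), Chr(34) & Chr(34)) & """")
     Next
End Sub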

In 'normal' use, if the page is called like:
xyz.asp?a=1&b=2
'a' and 'b' variables would be created and assigned values "1" and "2".

If this page is called with a querystring like:
xyz.asp?response.write%20Application("password"):Pippo=1

the command [response.write Application("password")] is executed and the
value "1" is assigned to the variable Pippo ...


Best regards,
Marco Aldegheri, CISSP



joh ket wrote:

Hi there.

I have a question regarding serverside script injection. Does it exist -
is it possible?

In the past there were some vulnerabilities in serverside scripts. It was
possible to execute OS-commands through URL/userinput manipulation,
I assume this happened mostly with CGI and perl scripts. Was this just
based on the way the variables (userinput) was used in OS commands,
and if the 'user data' was able to break out the intended command?

I think it depends on the applicationserver software if 'serverside script
injection' is possible or not (assuming the programmer/coder does not want
any security). In my opinion most important is the way that the
applicationserver handles variables. The possibility for variables to
contain commands...

Is it (theoretically) possible on ASP servers to inject 'malicious' code
into the webpage, so that it is processed on the serverside?
Is it possible on PHP or Coldfusion?

Are there any real life examples?
(so that I can play with it in my testlab)

Thank you for all reactions!

Regards,
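
A hardened counterpart to the VarsFromForm routine quoted in this thread, as an added example that is not part of the thread or of the original code: request values are kept as data in a Scripting.Dictionary rather than passed to Execute, and only expected field names are accepted. SafeVarsFromRequest, CopyAllowed, IsPlainName and the ALLOWED_NAMES list are hypothetical names, and the field list "a,b" is an assumption taken from the xyz.asp?a=1&b=2 case.

```vbscript
' Added example: request fields are kept as data, never passed to Execute.
' ALLOWED_NAMES, IsPlainName, CopyAllowed and SafeVarsFromRequest are
' hypothetical names chosen for this illustration.
Const ALLOWED_NAMES = "a,b"   ' assumption: the only fields xyz.asp expects

' True only for a short, plain identifier (letters, digits, underscore).
Function IsPlainName(name)
    Dim re
    Set re = New RegExp
    re.Pattern = "^[A-Za-z][A-Za-z0-9_]{0,31}$"
    IsPlainName = re.Test(name)
End Function

' Copies allow-listed fields from one Request collection into vars.
' A name such as  response.write Application("password"):Pippo  fails
' IsPlainName and is dropped instead of being run as code.
Sub CopyAllowed(source, allowed, vars)
    Dim item
    For Each item In source
        If IsPlainName(item) Then
            If allowed.Exists(item) Then
                ' Concatenating with "" stores the string value,
                ' not a reference to the request object.
                vars(item) = "" & source(item)
            End If
        End If
    Next
End Sub

Function SafeVarsFromRequest()
    Dim vars, allowed, name
    Set vars = Server.CreateObject("Scripting.Dictionary")
    Set allowed = Server.CreateObject("Scripting.Dictionary")
    vars.CompareMode = vbTextCompare      ' match VBScript's case-insensitive names
    allowed.CompareMode = vbTextCompare
    For Each name In Split(ALLOWED_NAMES, ",")
        allowed(name) = True
    Next
    CopyAllowed Request.Form, allowed, vars          ' same order as the original:
    CopyAllowed Request.QueryString, allowed, vars   ' query string overrides form
    Set SafeVarsFromRequest = vars
End Function

' Usage in the page: values are looked up, not created as variables.
Dim vars
Set vars = SafeVarsFromRequest()
If vars.Exists("a") Then Response.Write Server.HTMLEncode(vars("a"))
```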


