At 22:03 11/07/01 -0400, you wrote: >Product: Numerous CGI's [snip] >Cause: Failure to validate input The pipe character is often used as a delimiter in flatfile databases, sure, but there are many more reasons for filtering pipe's out of user input! This really is as old as the hills. The example given is relatively minor compared to more sophisticated techniques, and is hardly worth an adivsory all to itself IMHO. *If you are not sanitising user input you should not be writing CGI scripts.* >Solution: >Ideally, SQL databases should be used instead of flat file databases. Hardly. Whilst you may prevent this specific method, by using an SQL implimentation you open up a whole new can of worms, where ' and " can be used for similar tricks, which is more likely to be required in user data than a comparitively uncommon pipe. (See the 'MySQL Reference Manual' Chapters 6.1 & 6.2.) If you still aren't sanitising properly, using SQL (or anything else for that matter) is just as dangerous! I'd advise sanitising input properly in the first place, regardless of back-end: http://www.cert.org/tech_tips/cgi_metacharacters.html More issues to be aware of (from rfp): http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=2 ... or see Phrack issue 55. Jon Whitlock.
This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 20:13:52 PDT