On Wed, Jul 11, 2001 at 10:03:40PM -0400, qDefense Advisories wrote:

> qDefense Advisory Number QDAV-2001-7-1
> Product: Numerous CGI's
> Vendor: Numerous Vendors

This is probably the vaguest advisory I've ever seen. They might as well release an advisory which just says "some CGI authors are idiots" for all the useful information they've included.

Worse than that, though, their so-called solution is nothing of the sort:

> Solution:
> Ideally, SQL databases should be used instead of flat file databases.

The root of the problem is inadequate checking and quoting of user-supplied input. If a programmer fails to do this then -- quite apart from the fact that their CGI is probably open to a whole host of attacks including cross-site scripting -- moving to an SQL database backend will solve NOTHING. If anything it will make the problem worse, because it may be possible to run arbitrary SQL commands from unquoted user input containing a semicolon. The potential for damage is magnified.

The correct solution (to this and indeed the vast majority of all CGI security holes) is to always quote/escape/clean/check all input from untrusted sources, preferably using a whitelist of acceptable characters rather than a blacklist of unacceptable ones which you might miss crucial stuff out of, and being extra careful when quoting to ensure that you correctly escape the quote character itself. Checking and quoting should be applied -after- decoding any %-encoded characters and doing any other necessary translations.

Anyone who wants to write secure CGIs should also use taint checking, where available (e.g. in Perl), as a matter of course. It won't catch every time you're being an idiot, but it certainly helps you to get into more secure programming habits.

--
Ben/Jammin Wheeler <b.wheelerat_private>
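The ordering and whitelist points above, as an added example that is not part of the original post. It assumes a constructed '|'-delimited, one-record-per-line flat file and a hypothetical user-name whitelist, and contrasts a blacklist applied before %-decoding with a whitelist applied after it.

```python
import re
from urllib.parse import unquote_plus

# Assumed flat-file layout for this example: one record per line,
# fields separated by '|', with the user's role in the second field.
FIELD_SEP = "|"
# Assumed whitelist policy for a user-name field: letters, digits, a few
# punctuation marks, 1 to 32 characters. Anything else is rejected outright.
NAME_OK = re.compile(r"[A-Za-z0-9._-]{1,32}")


def check_raw_then_decode(raw):
    """The wrong order: a blacklist applied to the raw, still %-encoded value.
    Returns the decoded value if accepted, or None if rejected."""
    if FIELD_SEP in raw or "\n" in raw:
        return None
    return unquote_plus(raw)


def decode_then_whitelist(raw):
    """The order the post recommends: decode first, then a whitelist check.
    Returns the decoded value if accepted, or None if rejected."""
    value = unquote_plus(raw)
    return value if NAME_OK.fullmatch(value) else None


def append_record(db_text, name, role):
    """Append a 'name|role' record to the flat-file contents (a string here)."""
    return db_text + name + FIELD_SEP + role + "\n"


def parse_records(db_text):
    """Read back (name, role) pairs the way a naive CGI would: the first two
    fields of every non-empty line."""
    return [tuple(line.split(FIELD_SEP)[:2])
            for line in db_text.splitlines() if line]


# Constructed input for the demonstration: '%7c' decodes to '|' and '%0a' to a
# newline, so neither banned character is visible before decoding.
CONSTRUCTED_INPUT = "mallory%7cuser%0aeve%7cadmin"


def demo():
    # Blacklist-before-decode accepts the value; once decoded and written it
    # becomes two records, the second with a role the user never had.
    accepted = check_raw_then_decode(CONSTRUCTED_INPUT)
    bad_db = append_record("", accepted, "user")
    # Decode-then-whitelist rejects the same value, so nothing is written.
    rejected = decode_then_whitelist(CONSTRUCTED_INPUT)
    return parse_records(bad_db), rejected
```

Running `demo()` returns `([('mallory', 'user'), ('eve', 'admin')], None)`: the same input yields a forged record under the first check and is refused under the second.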
This archive was generated by hypermail 2b30 : Sun Jul 15 2001 - 20:46:58 PDT