From: | "Lars Preben S(dot) Arnesen" <l(dot)p(dot)arnesen(at)usit(dot)uio(dot)no> |
---|---|
To: | tony <tony(at)animaproductions(dot)com> |
Cc: | postgres list <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: User permissions |
Date: | 2002-03-14 14:59:17 |
Message-ID: | yfr3cz3qjp6.fsf@lpsa.uio.no |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-general |
[ tony ]
> You have got me worried. How is "select * from password" submited to a
> database table going to execute?
Let's say you have a login form with two input fields: username and
password. The input from the form then is inserted into a select
query:
SELECT * FROM user WHERE username = '<USERINPUT>' AND password = '<USERINPUT';
If you don't quote the the user input, then it's possible for the user
to insert the following in for instance the username field:
mark'; --
The query now is:
SELECT * FROM user WHERE username = 'mark'; -- AND password = '<USERINPUT';
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The password test is now execluded due to the comment, and guess what
happens if the user table contains a user with the username 'mark'. I
guess you have access to whatever the web application tries to
protect. Often it's easy to guess usernames. :)
If your database user has permissions to delete touples, it would be
quite disasterous if a user submitted the following string:
foo'; delete from user; --
Yeah, but the web user doesn't know that the table is named "user"...
It's not hard to guess in this case and I suspect it's quite easy to
guess in most cases. BTW: It's much easier if the web application
sends error messages from the database to the web inteface. For
instance if the SQL statement tries to access tables that doesn't
exist, the web user shouldn't be noticed exactly what has gone wrong.
The solution here is of course to quote every instance of "'" so that
the web user isn't able to mess up your SQL queries, but there are a
lot of programmers that aren't aware of this problem. Some web
application enviroments (like WebObjects which I have used)
automatically quotes the input for you.
> I know I can try to submit code via the URL but I was under the
> impression that the java security folk had cleaned that one up? As for
> sql code that will ececute it is beyond me.
I don't know what infrastructure your application is based on, but it
might be taken care of in your case or you have to do it your self.
> Please send me a working example offlist so that I can try it on my
> current project.
I don't have a concrete example since I'm not familiar with the
infrastructure you use, but from what I wrote above you can atleast
test for one common weakness. Anyway: This might be some off topic,
but it is (or should be :) common knowledge, so I also sent it to the
list. :)
--
Lars Preben
From | Date | Subject | |
---|---|---|---|
Next Message | Dean Scott | 2002-03-14 15:05:01 | Re: Adding a Language and Creating a Function |
Previous Message | Hillensbeck, Preston | 2002-03-14 14:57:49 | Random Numbers/Letters |