[thelist] The URL SemiColon Exploit

Damian Maclennan damian_mac at hotmail.com
Wed Jan 16 05:37:54 CST 2002


Hi

You also want to filter out apostrophes. But the best way to prevent this is 
to use stored procedures with parameters instead of dynamic SQL. This will 
solve 99% of your problems.

Damian


>From: "Dan Slater" <dan_slater at imaginuity.com>
>Reply-To: thelist at lists.evolt.org
>To: <thelist at lists.evolt.org>
>Subject: [thelist] The URL SemiColon Exploit
>Date: Tue, 15 Jan 2002 14:48:38 -0600
>
>Hi all,
>
>I've been wrestling with this problem for some time now.
>
>In case you didn't know, there's a way to pass any SQL Server command via
>the URL by simply adding a semicolon at the end of the address, followed by
>the SQL command.  Apparently it only works if you pass a URL parameter
>first. (example:  mysite.com?thisVar=True)
>
>Trying to prevent this exploit has proven to be quite a challenge.
>
>One option is to create a brand new user (as the cold fusion login to the
>datasource(s)) and only grant certain privileges to that user.  A great 
>idea,
>but seemingly impossible to implement given my limited ability as a SQL
>Server DBA.
>
>The other option I explored was to create two of each DSN and grant only
>SELECT, UPDATE, INSERT permissions to one, while the other DSN was 
>unlimited
>in ability - but only available to administrative pages.  The problem with
>this is that the site I'm trying to fix has made extensive use of stored
>procedures.  I can give the DSN permission to execute stored procedures -
>but that would then allow a malicious user to execute several "bad" SP's.
>
>The third option, and I think the best, is to check for the existence of a
>semicolon on every page load, and handle it there.
>
>To that end, I've added the following code in the root dir's 
>application.cfm:
>
><cfset BadChar=";">
><cftry>
>	<!--- Reject any request whose query string contains the bad character --->
>	<cfif Find(BadChar, cgi.query_string) NEQ 0>
>		<cfthrow message="Invalid Operation">
>	</cfif>
>	<cfcatch>
>		<h1>Invalid Operation!!!!</h1>
>		<a href="http://www.thehomepage.com">Back to the homepage!</a>
>		<cfabort>
>	</cfcatch>
></cftry>
>
>Basically, I'm just checking the url for any semicolons, and if found, let
>the user know what the issue is, provide them with a link to the homepage
>and abort the rest of the page loading.
>
>Does this sound like a good way to defeat the use of the semicolon exploit?
>Since I've found no other examples of this "technique" - I'm wondering if
>I'm missing something here that could easily defeat my "fix".
>
>Thanks in advance,
>
>
>Dan Slater
>
>
>--
>For unsubscribe and other options, including
>the Tip Harvester and archive of TheList go to:
>http://lists.evolt.org Workers of the Web, evolt !
_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp.
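The thread contrasts two approaches: filtering characters out of the query string (Dan's `application.cfm` check) and passing user input as a parameter rather than concatenating it into dynamic SQL (Damian's advice). The following added example, which is not code from either poster and uses Python's built-in sqlite3 module as a stand-in for SQL Server, puts the two patterns side by side: a lookup built by string concatenation breaks on a perfectly legitimate name containing an apostrophe, while the parameterized lookup treats the same value as data. The table, sample rows and the `has_bad_chars` helper are constructed for this illustration.

```python
import sqlite3

# Constructed sample data (not from the original thread). One name carries an
# apostrophe so we can see how each query style copes with it.
SAMPLE_USERS = [("alice", "editor"), ("O'Brien", "admin"), ("dan", "viewer")]


def make_db():
    """In-memory database standing in for the SQL Server datasource."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    # executemany with '?' placeholders: the driver binds each value safely.
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def role_dynamic_sql(conn, name):
    """The pattern the thread warns about: user input concatenated into SQL.

    Returns the role, None if no row matched, or an 'ERROR: ...' string when
    the input breaks the statement. An apostrophe in a legitimate name is
    enough to end the string literal early and produce a syntax error, which
    is the same mechanism that lets hostile input alter the query.
    """
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "ERROR: " + str(exc)
    return row[0] if row else None


def role_parameterized(conn, name):
    """Damian's recommendation: a parameterized statement.

    The SQL text is fixed; 'name' travels to the engine as a bound value, so
    quotes and semicolons inside it can never be read as SQL syntax.
    """
    row = conn.execute(
        "SELECT role FROM users WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None


def has_bad_chars(query_string, bad=";'"):
    """Dan's semicolon check, extended with the apostrophe Damian mentions.

    A character filter like this is a defence-in-depth layer on top of
    parameterization, not a replacement for it: note that it rejects the
    legitimate value name=O'Brien as well as anything hostile.
    """
    return any(ch in query_string for ch in bad)


if __name__ == "__main__":
    conn = make_db()
    for who in ("alice", "O'Brien"):
        print(who, "| dynamic SQL:", role_dynamic_sql(conn, who),
              "| parameterized:", role_parameterized(conn, who))
    for qs in ("thisVar=True", "thisVar=True;x", "name=O'Brien"):
        print(qs, "->", "rejected" if has_bad_chars(qs) else "accepted")
```

Running it shows `alice` resolving either way, while `O'Brien` returns a syntax error under dynamic SQL and `admin` under the parameterized query; the filter rejects both the query string with a semicolon and the one with a legitimate apostrophe, which is why parameterization should carry the load and the filter should only narrow the attack surface.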