[thelist] Web Database Security (was: how did they hack...)

Raymond Camden jedimaster at macromedia.com
Thu Apr 19 11:02:11 CDT 2001


I don't _think_ you're missing anything here, and CF also has auto single
quote escaping (except in special circumstances, see tip below). Another
thing to look out for... Imagine this situation:

User logs on. You perform a DB query to get all the Foos that belong to the
user. So, you do something like:

select * from foo
where ownerid = #session.myid#

You then provide a list of Foo and allow the user to click one to edit. On
the edit page, you nicely store the FooID in a hidden field like so:

<INPUT TYPE="hidden" NAME="FooID" VALUE="#fooid#">

This way, when the user submits the form, you know what Foo to update.
However, it would take me all of two seconds to save this form and change
the Foo, thereby allowing me edit access to other people's foo. How do you
get around this? Simple. Make sure that before you save the edits to the
record, you recheck to make sure that the user has access to the foo.

This is what I said as a general summary to my Web App Security class - If
you perform a certain security rule in one place, you must do it in every
place.

Another example. Your front page gets a list of press release titles, but
only where Published is < the current time. This is because you may have PRs
that are meant to be released later in the day/week/etc. If you link to a PR
View page where the ID of the PR to be displayed is passed, make sure you
check again to see if that particular PR has been published. This is in case
someone mucks with the query string.

Sorry for being so long winded. :)

Off topic CF tip:
As you know, CF will automatically escape single quotes before passing a
value to a query. However, it will NOT do it if the variable is a structure.

Example:

<CFQUERY ..>
	insert into foo(x)
	values('#form.foo#')
</CFQUERY>

is safe. This is not....

<CFQUERY ..>
	insert into foo(x)
	values('#form["foo"]#')
</CFQUERY>

The value _is_ passed, but it is not checked for single quotes. Of course,
this is easy to get around. You can either do the replacement yourself, or
just do:
	<CFSET tmp = Form[key]>
and then pass tmp to the query.

=======================================================================
Raymond Camden, Principal Spectra Compliance Engineer for Macromedia

Email   : jedimaster at macromedia.com
ICQ UIN : 3679482

"My ally is the Force, and a powerful ally it is." - Yoda

> -----Original Message-----
> From: thelist-admin at lists.evolt.org
> [mailto:thelist-admin at lists.evolt.org]On Behalf Of Simon Coggins
> Sent: Thursday, April 19, 2001 11:52 AM
> To: the list
> Subject: [thelist] Web Database Security (was: how did they hack...)
>
> > http://www.webreview.com/2001/04_13/developers/index02.shtml
>
> That's a good article, but it did leave me with one question:
>
> I can understand how you can validate some fields to prevent malicious
> attacks (such as checking IDs are integers), but what do you do about text
> fields?
>
> At present I use sql like this in my PHP/MySQL applications:
>
> INSERT INTO TableName (name,email,comment) VALUES
> ('$name','$email','$comment')
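
As an added illustration (not code from the thread; Raymond's examples are ColdFusion, this one uses Python with an in-memory SQLite table named foo with an ownerid column, plus a pr table for the press-release case, both constructed here), the two "check it again at save time" rules from the message: the hidden FooID is only trusted together with the session's user id, and the view page repeats the Published < now test. Binding values as parameters also sidesteps the single-quote escaping question from the tip, which the row "alice's foo" exercises.

```python
import sqlite3

# Constructed sample schema and rows modelled on the thread's "foo" table
# (ownerid column) and its press-release example (Published timestamp).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table foo (fooid integer primary key, ownerid integer, x text)")
    conn.executemany("insert into foo values (?, ?, ?)",
                     [(1, 100, "alice's foo"), (2, 200, "bob's foo")])
    conn.execute("create table pr (prid integer primary key, title text, published text)")
    conn.executemany("insert into pr values (?, ?, ?)",
                     [(1, "Released", "2001-04-18 09:00"), (2, "Embargoed", "2001-04-20 09:00")])
    conn.commit()
    return conn

def update_foo_unchecked(conn, fooid, new_x):
    """Trusts the hidden FooID as posted: any logged-in user can edit any Foo."""
    cur = conn.execute("update foo set x = ? where fooid = ?", (new_x, fooid))
    conn.commit()
    return cur.rowcount

def update_foo_checked(conn, session_myid, fooid, new_x):
    """Repeats the ownership rule at save time by binding the session's
    user id into the WHERE clause; 0 rows affected means access denied."""
    cur = conn.execute("update foo set x = ? where fooid = ? and ownerid = ?",
                       (new_x, fooid, session_myid))
    conn.commit()
    return cur.rowcount

def view_press_release(conn, prid, now):
    """Repeats the front page's Published < now rule on the view page, so a
    PR id edited into the query string cannot show an embargoed release."""
    row = conn.execute("select title from pr where prid = ? and published < ?",
                       (prid, now)).fetchone()
    return row[0] if row else None

def demo():
    # User 100 resaves the edit form with the hidden FooID changed from 1 to 2.
    conn = make_db()
    hijacked = update_foo_unchecked(conn, 2, "changed by user 100")   # 1 row: wrong
    conn = make_db()
    denied = update_foo_checked(conn, 100, 2, "changed by user 100")  # 0 rows: denied
    allowed = update_foo_checked(conn, 200, 2, "changed by owner")    # 1 row: owner
    now = "2001-04-19 11:02"
    return hijacked, denied, allowed, view_press_release(conn, 1, now), view_press_release(conn, 2, now)

if __name__ == "__main__":
    print(demo())  # (1, 0, 1, 'Released', None)
```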
