Re: [AOLSERVER] Is this vulnerable to sql injection?

Fri, 04 Dec 2009 15:42:22 -0800 

reading the last discussion ...
aside the magic words from Don to just change $id to :id that would solve the issue and the nice and very conceptual answer from jeff i tried to play a bit in attempt to understand and and practice the sqlinjection stuff 

I tried to run the following tcl script

set id 1456
set sql_query "select * from acs_objects where object_id = :id"
set db [ns_db gethandle]
set selection [ns_db select $db $sql_query]
ns_db getrow $db $selection



but i got an error at [ns_db gethandle]
i ran the scripts from tcl page within directory www


how do i fix it?

iuri



[04/Dec/2009:08:24:14][2307.2998479792][-default:3-] Error: dbinit: db 
handle limit exceeded: thread already owns 1 handle from pool 'pool1'
[04/Dec/2009:08:24:14][2307.2998479792][-default:3-] Warning: 
/sqlinjection has no doc(title) set.
[04/Dec/2009:08:24:14][2307.2998479792][-default:3-] Error: GET 
http://192.168.1.15/sqlinjection?

referred by ""
could not allocate 1 handle(s) from pool "pool1"
   while executing
"ns_db gethandle"
   ("uplevel" body line 5)
   invoked from within
"uplevel {

set id 1456
set sql_query "select * from acs_objects where object_id = :id"
set db [ns_db gethandle]
set selection [ns_db select $db $sql_q..."

   (procedure 
"code::tcl::/usr/local/aolserver/servers/openacs/www/sqlinjec..." line 2)

   invoked from within
"code::tcl::$__adp_stub"
   ("uplevel" body line 12)
   invoked from within
"uplevel {

   if { [file exists $__adp_stub.tcl] } {


     # ensure that data source preparation procedure exists and is 
up-to-date

     adp_init t..."
   (procedure "adp_prepare" line 2)
   invoked from within
"adp_prepare"
   invoked from within
"template::adp_parse [file root [ad_conn file]] {}"
   (procedure "adp_parse_ad_conn_file" line 6)
   invoked from within
"$handler"
   ("uplevel" body line 2)
   invoked from within
"uplevel $code"
   invoked from within
"ad_try {
               $handler
           } ad_script_abort val {
               # do nothing
           }"
   invoked from within
"rp_serve_concrete_file [ad_conn file]"
   (procedure "rp_serve_abstract_file" line 60)
   invoked from within
"rp_serve_abstract_file "$root/[ad_conn extra_url]""
   ("uplevel" body line 2)
   invoked from within
"uplevel $code"
   invoked from within
"ad_try {
           rp_serve_abstract_file "$root/[ad_conn extra_url]"
           set tcl_url2file([ad_conn url]) [ad_conn file]
           set tcl..."

[04/Dec/2009:08:24:20][2307.2997423024][-sched:17-] Notice: Running 
notification::sweep::sweep_notifications





Jeff Rogers wrote:

The short answer is yes, it might be vulnerable; it depends on what 
scrubbing you do of your input data.



The good news it that it's also fairly easy to fix.  If you're using 
openacs then there's already a set of tools 
(check_for_form_variable_naughtiness) for checking what is being 
passed into your forms.



Otherwise, you could add in a site-wide filter that checks various 
well-known form vars (such as "id") for stuff that shouldn't be there 
(like non-integers).



Unfortunately the postgres driver doesn't protect against against dml 
injection.  I'm fairly certain it wasn't possible to do so before 
postgres 8 because of the APIs available, and the driver probably 
hasn't been updated to use the new APIs (PQexecParams instead of 
PQexec) and besides, doing so would probably break existing code.



There's another subtler problem too, in that the db drivers support 3 
different query methods - select, dml, and generic exec.  However, if 
the generic exec method is supported at all, then the (possibly) more 
specific select or dml calls are not used.


-J


I've been alerted that a site I maintain, running on AOLserver 4.5.0
using the nspostgres driver, may be vulnerable to sql injection.

A typical adp page performs a query like this:

set sql_query "select * from sometable where entrynumber = $id"
set db [ns_db gethandle]
set selection [ns_db select $db $sql_query]
ns_db getrow $db $selection
...

I would guess that "ns_db select" would make any damaging injected dml
statements impossible.  Is that correct?

In a previous discussion thread here ("ns_db and bind variable
support") I see "ns_db prepare..." mentioned.  Is that a safer way to
perform db queries in adp pages?

/Björn


--
AOLserver - http://www.aolserver.com/


To Remove yourself from this list, simply send an email to 
<lists...@listserv.aol.com> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the 
Subject: field of your email blank.



--
AOLserver - http://www.aolserver.com/


To Remove yourself from this list, simply send an email to 
<lists...@listserv.aol.com> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the 
Subject: field of your email blank.





--
AOLserver - http://www.aolserver.com/

To Remove yourself from this list, simply send an email to 
<lists...@listserv.aol.com> with the
body of "SIGNOFF AOLSERVER" in the email message. You can leave the Subject: 
field of your email blank.























					Reply via email to