At 22:03 11/07/01 -0400, you wrote:
>Product: Numerous CGI's
[snip]
>Cause: Failure to validate input
The pipe character is often used as a delimiter in flatfile databases, sure, but there
are many more reasons for filtering pipe's out of user input!
This really is as old as the hills.
The example given is relatively minor compared to more sophisticated techniques, and
is hardly worth an adivsory all to itself IMHO. *If you are not sanitising user input
you should not be writing CGI scripts.*
>Solution:
>Ideally, SQL databases should be used instead of flat file databases.
Hardly. Whilst you may prevent this specific method, by using an SQL implimentation
you open up a whole new can of worms, where ' and " can be used for similar tricks,
which is more likely to be required in user data than a comparitively uncommon pipe.
(See the 'MySQL Reference Manual' Chapters 6.1 & 6.2.) If you still aren't sanitising
properly, using SQL (or anything else for that matter) is just as dangerous!
I'd advise sanitising input properly in the first place, regardless of back-end:
http://www.cert.org/tech_tips/cgi_metacharacters.html
More issues to be aware of (from rfp):
http://www.wiretrip.net/rfp/p/doc.asp?id=6&iface=2
... or see Phrack issue 55.
Jon Whitlock.
