Inadvertently replied to just the poster with this one...

-----Original Message-----
From: Chris Tucker [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 11:16 AM
To: [EMAIL PROTECTED]
Subject: RE: Login Authentication against database...


Bob was quite right in pointing out the loophole: it does exist and will
cause anyone to gain access to the system.  This kind of security problem is
pretty common, which is why it's important to be extremely rigorous in
making sure that you don't allow any user tainted data (e.g. form
submissions) to execute.  In this case, the way we must do it is to escape
our input (which we should ALWAYS be doing anyway).  There are plenty of
problems we can hit if we don't check user tainted data and escape/reject it
as necessary.  Imagine the following:

String sql = "UPDATE UserLogin SET password = '" + password + "' WHERE userid = " + userid;

Say we retrieve our input from a form:
Userid: <number>
Password: <string>

Now let's suppose someone fills in that form as:
userid: "1 OR 1=1"
password: "mynewpass"

If we just execute the SQL statement binding the value they offer for userid
to our variable userid, and password to password, that person will have just
changed the password of EVERY account in our system to be "mynewpass".  The
resultant SQL query that would have been executed to do this would be:
UPDATE UserLogin SET password = 'mynewpass' WHERE userid = 1 OR 1=1

So in this case you have to make damn sure that they're only entering a
number for userid, with no extraneous rubbish!  This problem even exists if
you prompt for the old password first: the user can bypass everything with
their OR 1=1 (and even if you start getting clever, they may still be able
to muck about with comments to break it: one of the reasons the -- comment
is slowly being deprecated...)

This is the main reason why I find it hard to believe that in the
PreparedStatement world these things aren't taken care of: it's such a
common problem, with such potentially disastrous results, that I have to
believe the JDBC folk worked on it.

Cheers,

Chris

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]]On Behalf Of David Nguyen
Sent: Thursday, November 15, 2001 10:31 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Agree.
I believe the single quote operator overwrites the comment. Anyone can
confirm that? Interesting interpretation though, Tim)
david

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]]On Behalf Of Chris Tucker
Sent: Thursday, November 15, 2001 10:33 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Tim,

Simply making sure you escape any single-quotes in your input string to
single-quote single-quote will fix the problem.  But I feel that JDBC should
have some "official" way of doing this for you (seeing as how Java Strings
are fixed length, buggering about with replacing one character with two
others is inefficient and a little awkward).  Just to demonstrate the point,
Bob's loophole would then result in a query of:
"select * from username='x'' or 1=1 --' and password='x'"
which will simply check to see if the username is "x' or 1=1 --" and the
password is "x" -- clearly, unless you have a user with that name and
password, this query will not succeed.

Chris

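A worked version of the two statements discussed in this thread (the UPDATE in Chris's message at the top and the login SELECT behind Bob's loophole), added here as an example; it is not code from any of the posters. It uses Python's sqlite3 module on a constructed in-memory UserLogin table, since SQLite treats `--` comments and `''` quote-doubling the same way the thread assumes. The `?` placeholders are the same mechanism JDBC's PreparedStatement gives you with setInt/setString. Table columns, account names and passwords are made up for the example.

```python
import sqlite3

# Constructed sample data (not from the thread): three accounts in a UserLogin table.
SAMPLE_USERS = [(1, "alice", "alicepw"), (2, "bob", "bobpw"), (3, "carol", "carolpw")]


def fresh_db():
    """Open an in-memory SQLite database seeded with the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserLogin (userid INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO UserLogin VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def count_with_password(conn, password):
    """How many accounts currently hold the given password (bound parameter)."""
    row = conn.execute(
        "SELECT COUNT(*) FROM UserLogin WHERE password = ?", (password,)
    ).fetchone()
    return row[0]


# --- the UPDATE from Chris's message -----------------------------------------

def update_password_concat(conn, userid, password):
    """Vulnerable: the statement is built by string concatenation, so a userid of
    "1 OR 1=1" becomes part of the WHERE clause. Returns the number of rows changed."""
    sql = "UPDATE UserLogin SET password = '" + password + "' WHERE userid = " + userid
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_password_param(conn, userid, password):
    """Hardened: userid must parse as an integer (so "1 OR 1=1" is rejected before
    any SQL runs) and both values travel as bound parameters, never as SQL text."""
    uid = int(userid)  # raises ValueError for anything that is not a plain number
    cur = conn.execute(
        "UPDATE UserLogin SET password = ? WHERE userid = ?", (password, uid)
    )
    conn.commit()
    return cur.rowcount


# --- the login SELECT behind Bob's loophole ----------------------------------

def login_concat(conn, username, password):
    """Vulnerable: a username of "x' or 1=1 --" closes the string literal and turns
    the rest of the WHERE clause into a comment. Returns the matching rows."""
    sql = ("SELECT * FROM UserLogin WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_quote_doubled(conn, username, password):
    """Chris's manual fix: double every single quote before concatenating, so the
    injected quote stays inside the string literal instead of ending it."""
    return login_concat(conn, username.replace("'", "''"), password.replace("'", "''"))


def login_param(conn, username, password):
    """Preferred fix: bound parameters, which is what PreparedStatement does in JDBC.
    There is no escaping logic to get wrong and the input can never become SQL."""
    return conn.execute(
        "SELECT * FROM UserLogin WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()


if __name__ == "__main__":
    db = fresh_db()
    print("concat UPDATE rows changed:", update_password_concat(db, "1 OR 1=1", "mynewpass"))
    db = fresh_db()
    print("concat login rows:", len(login_concat(db, "x' or 1=1 --", "x")))
    print("quote-doubled login rows:", len(login_quote_doubled(db, "x' or 1=1 --", "x")))
    print("parameterised login rows:", len(login_param(db, "x' or 1=1 --", "x")))
```

Run stand-alone, the concatenated UPDATE reports three rows changed (every account now has "mynewpass"), while the concatenated login returns all three rows for the "x' or 1=1 --" username and both fixed versions return none. Quote-doubling works here because SQLite, like most engines, treats `''` as a literal quote; the bound-parameter version is the one to prefer because it also covers the userid case, where there is no quote to escape and only an integer check or a typed parameter keeps "1 OR 1=1" out.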
-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]]On Behalf Of Chen, Gin
Sent: Thursday, November 15, 2001 10:21 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


I mean now behind .. :-P

-----Original Message-----
From: Chen, Gin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 1:20 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


That's interesting. I didn't realize that he meant it as a single string
value.
Actually what you mean is that the query would be
"select * from username='x' or 1=1 --' and password='x'"
Notice that the extra ' that gave me an error before is not behind the
comment marker

Nice Catch Bob. Now what security measure do you suggest?
-Tim

-----Original Message-----
From: David Nguyen [mailto:[EMAIL PROTECTED]]
Sent: Thursday, November 15, 2001 12:53 PM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Interesting.
Actually what he wanted to point out is a possible loophole in the
authentication method discussed.
I can imagine if this query is launched:
"select * from username='anybody' or 1=1 -- and password='tiger'"
then anybody can access the application (since the -- would make the
password irrelevant).

With Bob's parameter, the query would be
"select * from username='anybody'' or 1=1' -- and password='tiger'"
here the string anybody is 'anybody" or 1=1'
(I didn't try though)

david

-----Original Message-----
From: A mailing list about Java Server Pages specification and reference
[mailto:[EMAIL PROTECTED]]On Behalf Of Joe Cheng
Sent: Thursday, November 15, 2001 9:33 AM
To: [EMAIL PROTECTED]
Subject: Re: Login Authentication against database...


Celeste,

what's a "more secure" means?  now you've got me curious.

and Bob wasn't pointing out a loophole, just calling attention to the
non-escaped values in the SQL statement below.

-jmc

===========================================================================
To unsubscribe: mailto [EMAIL PROTECTED] with body: "signoff
JSP-INTEREST".
For digest: mailto [EMAIL PROTECTED] with body: "set JSP-INTEREST
DIGEST".
Some relevant FAQs on JSP/Servlets can be found at:

 http://archives.java.sun.com/jsp-interest.html
 http://java.sun.com/products/jsp/faq.html
 http://www.esperanto.org.nz/jsp/jspfaq.jsp
 http://www.jguru.com/faq/index.jsp
 http://www.jspinsider.com
