Subject: [Fwd: "exploit" edited]
This is for the discussion in the confcall today.

Peter

--------

Please note I changed tag names slightly from our discussion; now they are "description" and "detail", which seemed to make more sense when I thought about it.

<description>
  <title>
    <!-- Title of the static part of vuln information. This will be the same for all instances of this vuln. -->
    SQL Injection
  </title>
  <abstract>
    <!-- Summary (short description) of vuln -->
    Using tainted data in database access.
  </abstract>
  <motivation>
    <!-- Summary description of the exploit. This may be typically for each instance of vuln. -->
    Utilizing specific program input points that affect execution of SQL queries or session data directly, a malicious user inserts meta-characters and commands into an SQL query before it is executed in order to alter the effect of the query or to execute additional commands.
  </motivation>
  <!-- Note there is no remediation. This is left to the vertical -->
  <!-- detailed description of the vulnerability -->
  <detail>
    Allowing unvalidated user input to affect the construction or execution of an SQL query can leave your application vulnerable to SQL Injection attacks. In this type of attack, a malicious user inserts SQL meta-characters and commands into the query before it is executed to alter the effect of the query or to execute additional commands. Thus, you must validate user-supplied data to ensure that it does not contain potentially harmful content. In particular, it is important to check input for SQL meta-characters that may affect the execution of the query, and escape such characters appropriately. If the content of the particular query is known in advance, it is advisable to employ the technique of white listing. This approach specifies a set of characters considered to be valid input and accepts input composed of those characters only. The java.sql.PreparedStatement interface provides an effective way to validate user input and protect queries from tampering. A PreparedStatement object encapsulates a precompiled SQL statement. In addition to preventing modification of the statement's meaning, this object also provides an efficient means of executing the statement multiple times. Additionally, the methods of this interface escape special characters correctly before passing arguments to the precompiled query.
  </detail>
</description>

Also, the whole file is attached. I'll modify the schema once you confirm this looks fine.

Also: does this references section sound right?

<references>
  <reference>
    <name>evdl official test database</name>
    <location>http://www.evdl.net/testdb?id=magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</location>
    <type>evdlDatabase</type>
  </reference>
  <reference>
    <name>Injection White Paper</name>
    <location>http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf</location>
    <type>application/pdf</type>
  </reference>
  <reference>
    <name>Injection Video</name>
    <location>http://www.evdl.net/testdb/video?id=magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</location>
    <type>application/quick-time</type>
  </reference>
</references>

Peter
<?xml version="1.0" encoding="UTF-8"?>
<evdl xmlns="http://www.oasis.org/evdl-0.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis.org/evdl-0.1 C:\was\010805\evdl-0.1.xsd">
  <metaData>
    <ID>magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</ID>
    <restrictions>
      <license>
        <licenseType>GPL</licenseType>
        <licenseVersion>1.0</licenseVersion>
      </license>
    </restrictions>
    <history>
      <version>
        <versionNumber>1</versionNumber>
        <releaseDate>2004-08-24T17:51:16</releaseDate>
        <changeDesc/>
        <author>
          <name>Fred Secman</name>
          <email>sec@mycompany.org</email>
          <company>mycompany.org</company>
          <address>none</address>
          <uri>http://www.mycompany.org/</uri>
        </author>
      </version>
    </history>
  </metaData>
  <profile>
    <vulnTypes>
      <vuln>Injection</vuln>
    </vulnTypes>
    <riskRanking>
      <threat/>
      <impact/>
    </riskRanking>
    <references>
      <reference>
        <name>evdl official test database</name>
        <location>http://www.evdl.net/testdb?id=magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</location>
        <type>evdlDatabase</type>
      </reference>
      <reference>
        <name>Injection White Paper</name>
        <location>http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf</location>
        <type>application/pdf</type>
      </reference>
      <reference>
        <name>Injection Video</name>
        <location>http://www.evdl.net/testdb/video?id=magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</location>
        <type>application/quick-time</type>
      </reference>
    </references>
    <locationOfIssue>
      <version>a1</version>
      <os>Windows XP</os>
      <arch>X86</arch>
      <vm/>
      <lang>C</lang>
      <!-- -->
      <pointer>
        <line>256</line>
        <URI/>
        <stackTrace/>
        <filePath/>
        <module/>
      </pointer>
      <application>
        <type>server</type>
      </application>
      <vendor>
        <name>magnolia.org</name>
        <homepage>http://sourceforge.net/projects/magnolia/</homepage>
        <contactEmail>magnolia@users.sourceforge.net</contactEmail>
      </vendor>
    </locationOfIssue>
    <description>
      <title>
        <!-- Title of the static part of vuln information. This will be the same for all instances of this vuln. -->
        SQL Injection
      </title>
      <abstract>
        <!-- Summary (short description) of vuln -->
        Using tainted data in database access.
      </abstract>
      <motivation>
        <!-- Summary description of the exploit. This may be typically for each instance of vuln. -->
        Utilizing specific program input points that affect execution of SQL queries or session data directly, a malicious user inserts meta-characters and commands into an SQL query before it is executed in order to alter the effect of the query or to execute additional commands.
      </motivation>
      <!-- Note there is no remediation. This is left to the vertical -->
      <!-- detailed description of the vulnerability -->
      <detail>
        Allowing unvalidated user input to affect the construction or execution of an SQL query can leave your application vulnerable to SQL Injection attacks. In this type of attack, a malicious user inserts SQL meta-characters and commands into the query before it is executed to alter the effect of the query or to execute additional commands. Thus, you must validate user-supplied data to ensure that it does not contain potentially harmful content. In particular, it is important to check input for SQL meta-characters that may affect the execution of the query, and escape such characters appropriately. If the content of the particular query is known in advance, it is advisable to employ the technique of white listing. This approach specifies a set of characters considered to be valid input and accepts input composed of those characters only. The java.sql.PreparedStatement interface provides an effective way to validate user input and protect queries from tampering. A PreparedStatement object encapsulates a precompiled SQL statement. In addition to preventing modification of the statement's meaning, this object also provides an efficient means of executing the statement multiple times. Additionally, the methods of this interface escape special characters correctly before passing arguments to the precompiled query.
      </detail>
    </description>
    <rootCause>
      <cause>Implementation</cause>
    </rootCause>
    <relatedCauses>
      <cause>Design</cause>
      <cause>UnitTest</cause>
    </relatedCauses>
  </profile>
  <analysis>
    <AnalysisInfo>
      <Dataflow scope="global">
        <Sink>
          <Method name="java.io.File.createNewFile()" argument="-1">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="67" lineEnd="67" colStart="18" colEnd="32"/>
          </Method>
        </Sink>
        <Node>
          <Method name="com.obinary.cms.core.CacheHandler.getDestinationFile(java.lang.String)" argument="-1">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="64" lineEnd="64" colStart="25" colEnd="47"/>
          </Method>
        </Node>
        <Node>
          <Method name="java.io.File.File(java.lang.String)" argument="0">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139" lineEnd="139" colStart="17" colEnd="59"/>
          </Method>
        </Node>
        <Node>
          <Method name="java.io.File.File(java.lang.String)" argument="0">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139" lineEnd="139" colStart="17" colEnd="59"/>
          </Method>
        </Node>
        <Node>
          <Method name="java.lang.StringBuffer.toString()" argument="-1">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139" lineEnd="139" colStart="49" colEnd="58"/>
          </Method>
        </Node>
        <Node>
          <Method name="java.lang.StringBuffer.toString()" argument="-1">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139" lineEnd="139" colStart="49" colEnd="58"/>
          </Method>
        </Node>
        <Node>
          <Method name="java.lang.StringBuffer.append(java.lang.String)" argument="0">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="138" lineEnd="138" colStart="16" colEnd="35"/>
          </Method>
        </Node>
        <Node>
          <Method name="java.lang.StringBuffer.append(java.lang.String)" argument="0">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="138" lineEnd="138" colStart="16" colEnd="35"/>
          </Method>
        </Node>
        <Node>
          <Method name="java.lang.String.split(java.lang.String)" argument="-1">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="129" lineEnd="129" colStart="30" colEnd="39"/>
          </Method>
        </Node>
        <Node>
          <Method name="java.lang.String.split(java.lang.String)" argument="-1">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="129" lineEnd="129" colStart="30" colEnd="39"/>
          </Method>
        </Node>
        <Node>
          <Method name="com.obinary.cms.core.CacheHandler.getDestinationFile(java.lang.String)" argument="0">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="64" lineEnd="64" colStart="25" colEnd="47"/>
          </Method>
        </Node>
        <Node>
          <Method name="com.obinary.cms.core.PathUtil.getURI(javax.servlet.http.HttpServletRequest)" argument="-1">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="59" lineEnd="59" colStart="31" colEnd="45"/>
          </Method>
        </Node>
        <Source>
          <Method name="javax.servlet.http.HttpServletRequest.getRequestURI()" argument="-1">
            <File path="C:\projects\magnolia\src\com\obinary\cms\core\PathUtil.java" lineStart="83" lineEnd="83" colStart="20" colEnd="34"/>
          </Method>
        </Source>
      </Dataflow>
    </AnalysisInfo>
  </analysis>
</evdl>
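The `<detail>` text above describes the weakness (tainted input concatenated into SQL text), the remediation (a precompiled statement with bound parameters, java.sql.PreparedStatement in the text) and white listing as an additional check. The following is an added example, not part of Peter's message or the EVDL sample: it shows all three side by side in Python, using the sqlite3 module's parameter binding as the analogue of PreparedStatement. The users table, its rows, the tainted input and the allowed username alphabet are all constructed for the demonstration.

```python
"""Added example (not from the EVDL sample or the mailing-list post):
the weakness and the remediation described in the <detail> text, shown
with Python's sqlite3 module. Parameter binding plays the role that
java.sql.PreparedStatement plays in the text: the statement is compiled
first and the user value is bound to a placeholder afterwards, so the
value can never change the statement's meaning."""
import re
import sqlite3


def setup_db():
    """In-memory database with a constructed users table (demo data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.org"), ("bob", "bob@example.org")],
    )
    return conn


def lookup_unsafe(conn, username):
    """The vulnerable pattern from the text: tainted input concatenated
    into the SQL text, so SQL meta-characters in `username` become part
    of the query itself and rewrite its WHERE clause."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """The remediation: a precompiled statement with the user value passed
    as a bound parameter. The same input is treated purely as data, so a
    quote or an OR clause inside it has no effect on the query."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


# White listing as the text describes it: accept only input composed of a
# known-good character set. This particular alphabet is an assumption for
# the demo, not something the EVDL text prescribes.
USERNAME_ALLOWED = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def is_valid_username(username):
    """True when `username` contains only white-listed characters."""
    return USERNAME_ALLOWED.match(username) is not None


def lookup_validated(conn, username):
    """Defence in depth: reject anything outside the white list before the
    query runs, and still bind the value as a parameter."""
    if not is_valid_username(username):
        raise ValueError("username contains characters outside the white list")
    return lookup_safe(conn, username)


if __name__ == "__main__":
    db = setup_db()
    # Constructed input carrying SQL meta-characters (a quote and an OR clause).
    tainted = "x' OR '1'='1"
    print(lookup_unsafe(db, tainted))     # ['alice', 'bob']: WHERE clause rewritten
    print(lookup_safe(db, tainted))       # []: no user is literally named that
    print(lookup_validated(db, "alice"))  # ['alice']
```

Running the block shows the point the text makes: the same tainted string returns every row through the concatenated query and nothing through the bound-parameter query, and the white-list check rejects it before any query is built.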
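The attached file's `<analysis>` section records a dataflow trace as a `<Sink>`, a run of `<Node>` elements and a `<Source>`, listed from the sink back toward the source, with several nodes repeated twice in a row. The following is an added example, not part of the message or the EVDL project: a small Python parser for that layout, using only the standard library, that pulls out the metadata, the references and the trace, reorders the trace to read source-to-sink and collapses consecutive duplicate steps. The embedded document is a constructed, reduced EVDL instance that mirrors the attached file's structure (element and attribute names, namespace and the method names are taken from the sample; the ID, file paths and reference URL are placeholders).

```python
"""Added example (not from the EVDL sample or the mailing-list post):
parse an EVDL document's metadata, references and <Dataflow> trace with
xml.etree.ElementTree. The document below is constructed to mirror the
attached file's structure; ID, paths and the reference URL are placeholders."""
import xml.etree.ElementTree as ET

NS = {"e": "http://www.oasis.org/evdl-0.1"}

SAMPLE_EVDL = """<evdl xmlns="http://www.oasis.org/evdl-0.1">
  <metaData><ID>example-0000</ID></metaData>
  <profile>
    <vulnTypes><vuln>Injection</vuln></vulnTypes>
    <references>
      <reference>
        <name>Injection White Paper</name>
        <location>http://example.org/placeholder.pdf</location>
        <type>application/pdf</type>
      </reference>
    </references>
    <description><title>SQL Injection</title></description>
  </profile>
  <analysis><AnalysisInfo><Dataflow scope="global">
    <Sink><Method name="java.io.File.createNewFile()" argument="-1">
      <File path="CacheHandler.java" lineStart="67" lineEnd="67" colStart="18" colEnd="32"/>
    </Method></Sink>
    <Node><Method name="java.io.File.File(java.lang.String)" argument="0">
      <File path="CacheHandler.java" lineStart="139" lineEnd="139" colStart="17" colEnd="59"/>
    </Method></Node>
    <Node><Method name="java.io.File.File(java.lang.String)" argument="0">
      <File path="CacheHandler.java" lineStart="139" lineEnd="139" colStart="17" colEnd="59"/>
    </Method></Node>
    <Node><Method name="com.obinary.cms.core.PathUtil.getURI(javax.servlet.http.HttpServletRequest)" argument="-1">
      <File path="CacheHandler.java" lineStart="59" lineEnd="59" colStart="31" colEnd="45"/>
    </Method></Node>
    <Source><Method name="javax.servlet.http.HttpServletRequest.getRequestURI()" argument="-1">
      <File path="PathUtil.java" lineStart="83" lineEnd="83" colStart="20" colEnd="34"/>
    </Method></Source>
  </Dataflow></AnalysisInfo></analysis>
</evdl>
"""


def _step(method_el):
    """One trace step: the method, which argument carries the taint
    (-1 means the return value in the sample) and where it sits in source."""
    file_el = method_el.find("e:File", NS)
    if file_el is None:
        raise ValueError("Method element without a File location: %s" % method_el.get("name"))
    return {
        "method": method_el.get("name"),
        "argument": int(method_el.get("argument")),
        "file": file_el.get("path"),
        "line": int(file_el.get("lineStart")),
    }


def parse_evdl(xml_text):
    """Return the ID, vuln types, title, references and the source-to-sink trace."""
    root = ET.fromstring(xml_text)
    ident = (root.findtext("e:metaData/e:ID", namespaces=NS) or "").strip()
    vulns = [v.text.strip() for v in root.findall("e:profile/e:vulnTypes/e:vuln", NS)]
    title = (root.findtext("e:profile/e:description/e:title", namespaces=NS) or "").strip()
    refs = [
        {
            "name": (r.findtext("e:name", namespaces=NS) or "").strip(),
            "location": (r.findtext("e:location", namespaces=NS) or "").strip(),
            "type": (r.findtext("e:type", namespaces=NS) or "").strip(),
        }
        for r in root.findall("e:profile/e:references/e:reference", NS)
    ]
    flow = root.find("e:analysis/e:AnalysisInfo/e:Dataflow", NS)
    source = _step(flow.find("e:Source/e:Method", NS))
    sink = _step(flow.find("e:Sink/e:Method", NS))
    nodes = [_step(n.find("e:Method", NS)) for n in flow.findall("e:Node", NS)]
    # The file lists nodes from the sink back toward the source; reverse them
    # so the trace reads in the direction the tainted value actually travels.
    chain = [source] + list(reversed(nodes)) + [sink]
    trace = []
    for step in chain:  # collapse consecutive duplicate steps
        if not trace or trace[-1] != step:
            trace.append(step)
    return {"id": ident, "vuln_types": vulns, "title": title, "references": refs, "trace": trace}


if __name__ == "__main__":
    report = parse_evdl(SAMPLE_EVDL)
    print(report["id"], report["vuln_types"], report["title"])
    for i, step in enumerate(report["trace"]):
        print("%d. %s (arg %d) at %s:%d" % (i, step["method"], step["argument"], step["file"], step["line"]))
```

On the constructed document the trace comes out as four steps, from `HttpServletRequest.getRequestURI()` through `PathUtil.getURI` and the `File` constructor to `File.createNewFile()`, with the repeated constructor node collapsed; the same walk over the attached file would reduce its twelve nodes in the same way.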