
Subject: [Fwd: "exploit" edited]


This is for the discussion in the confcall today.
Peter

--------

Please note I changed the tag names slightly from our discussion; now they
are "description" and "detail", which seems to make more sense when I thought
about it.

         <description>
             <title>
             <!--  Title of the static part of vuln information.
                This will be the same for all instances of this vuln. -->
             SQL Injection
             </title>
             <abstract>
             <!-- Summary (short description) of vuln -->
             Using tainted data in database access.
             </abstract>
             <motivation>
             <!-- Summary description of the exploit. This may typically
               differ for each instance of the vuln.
                -->
             Utilizing specific program input points that affect
execution of SQL queries or session data directly, a malicious user
inserts meta-characters and commands into an SQL query before it is
executed in order to alter the effect of the query or to execute
additional commands.
             </motivation>

             <!-- Note there is no remediation. This is left to
               the vertical -->

             <!-- detailed description of the vulnerability -->
             <detail>
             Allowing unvalidated user input to affect the construction
or execution of an SQL query can leave your application vulnerable to
SQL Injection attacks. In this type of attack, a malicious user inserts
SQL meta-characters and commands into the query before it is executed to
alter the effect of the query or to execute additional commands. Thus,
you must validate user-supplied data to ensure that it does not contain
potentially harmful content. In particular, it is important to check
input for SQL meta-characters that may affect the execution of the
query, and escape such characters appropriately. If the content of the
particular query is known in advance, it is advisable to employ the
technique of white listing.  This approach specifies a set of characters
considered to be valid input and accepts input composed of those
characters only. The java.sql.PreparedStatement interface provides an
effective way to validate user input and protect queries from tampering.
A PreparedStatement object encapsulates a precompiled SQL statement. In
addition to preventing modification of the statement's meaning, this
object also provides an efficient means of executing the statement
multiple times. Additionally, the methods of this interface escape
special characters correctly before passing arguments to the precompiled
query.
             </detail>

         </description>


Also, the whole file is attached.
I'll modify the schema once you confirm this looks fine.
Also: does this references section sound right?
         <references>
             <reference>
                 <name>evdl official test database</name>
                 <location>http://www.evdl.net/testdb?id=magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</location>
                 <type>evdlDatabase</type>
             </reference>
             <reference>
                 <name>Injection White Paper</name>
                 <location>http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf</location>
                 <type>application/pdf</type>
             </reference>
             <reference>
                 <name>Injection Video</name>
                 <location>http://www.evdl.net/testdb/video?id=magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</location>
                 <type>application/quick-time</type>
             </reference>
         </references>

Peter






<?xml version="1.0" encoding="UTF-8"?>
<evdl xmlns="http://www.oasis.org/evdl-0.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.oasis.org/evdl-0.1 C:\was\010805\evdl-0.1.xsd">
	<metaData>
		<ID>magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</ID>
		<restrictions>
			<license>
				<licenseType>GPL</licenseType>
				<licenseVersion>1.0</licenseVersion>
			</license>
		</restrictions>
		<history>
			<version>
				<versionNumber>1</versionNumber>
				<releaseDate>2004-08-24T17:51:16</releaseDate>
				<changeDesc/>
				<author>
					<name>Fred Secman</name>
					<email>sec@mycompany.org</email>
					<company>mycompany.org</company>
					<address>none</address>
					<uri>http://www.mycompany.org/</uri>
				</author>
			</version>
		</history>
	</metaData>
	<profile>
		<vulnTypes>
			<vuln>Injection</vuln>
		</vulnTypes>
		<riskRanking>
			<threat/>
			<impact/>
		</riskRanking>

		<references>
			<reference>
				<name>evdl official test database</name>
				<location>http://www.evdl.net/testdb?id=magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</location>
				<type>evdlDatabase</type>
			</reference>
			<reference>
				<name>Injection White Paper</name>
				<location>http://www.spidynamics.com/papers/SQLInjectionWhitePaper.pdf</location>
				<type>application/pdf</type>
			</reference>
			<reference>
				<name>Injection Video</name>
				<location>http://www.evdl.net/testdb/video?id=magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</location>
				<type>application/quick-time</type>
			</reference>
		</references>
		<locationOfIssue>
			<version>a1</version>
			<os>Windows XP</os>
			<arch>X86</arch>
			<vm/>
			<lang>C</lang>
			<!-- 
			-->
			<pointer>
				<line>256</line>
				<URI/>
				<stackTrace/>
				<filePath/>
				<module/>
			</pointer>
			<application>
				<type>server</type>
			</application>
			<vendor>
				<name>magnolia.org</name>
				<homepage>http://sourceforge.net/projects/magnolia/</homepage>
				<contactEmail>magnolia@users.sourceforge.net</contactEmail>
			</vendor>
		</locationOfIssue>

		<description>
			<title>
			<!--  Title of the static part of vuln information.
			   This will be the same for all instances of this vuln. -->
			SQL Injection
			</title>
			<abstract> 
			<!-- Summary (short description) of vuln -->
			Using tainted data in database access.
			</abstract>
			<motivation> 
			<!-- Summary description of the exploit. This may typically
			  differ for each instance of the vuln.
			   -->
			Utilizing specific program input points that affect execution of SQL queries or session data directly, a malicious user inserts meta-characters and commands into an SQL query before it is executed in order to alter the effect of the query or to execute additional commands.
			</motivation>
			
			<!-- Note there is no remediation. This is left to 
			  the vertical --> 
			
			<!-- detailed description of the vulnerability -->
			<detail> 
			Allowing unvalidated user input to affect the construction or execution of an SQL query can leave your application vulnerable to SQL Injection attacks. In this type of attack, a malicious user inserts SQL meta-characters and commands into the query before it is executed to alter the effect of the query or to execute additional commands. Thus, you must validate user-supplied data to ensure that it does not contain potentially harmful content. In particular, it is important to check input for SQL meta-characters that may affect the execution of the query, and escape such characters appropriately. If the content of the particular query is known in advance, it is advisable to employ the technique of white listing.  This approach specifies a set of characters considered to be valid input and accepts input composed of those characters only. The java.sql.PreparedStatement interface provides an effective way to validate user input and protect queries from tampering. A PreparedStatement object encapsulates a precompiled SQL statement. In addition to preventing modification of the statement's meaning, this object also provides an efficient means of executing the statement multiple times. Additionally, the methods of this interface escape special characters correctly before passing arguments to the precompiled query.
			</detail>

		</description>
		
		<rootCause>
			<cause>Implementation</cause>
		</rootCause>
		<relatedCauses>
			<cause>Design</cause>
			<cause>UnitTest</cause>
		</relatedCauses>
	</profile>
	<analysis>
		<AnalysisInfo>
			<Dataflow scope="global">
				<Sink>
					<Method name="java.io.File.createNewFile()" argument="-1">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="67" lineEnd="67" colStart="18" colEnd="32"/>
					</Method>
				</Sink>
				<Node>
					<Method name="com.obinary.cms.core.CacheHandler.getDestinationFile(java.lang.String)" argument="-1">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="64" lineEnd="64" colStart="25" colEnd="47"/>
					</Method>
				</Node>
				<Node>
					<Method name="java.io.File.File(java.lang.String)" argument="0">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139" lineEnd="139" colStart="17" colEnd="59"/>
					</Method>
				</Node>
				<Node>
					<Method name="java.io.File.File(java.lang.String)" argument="0">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139" lineEnd="139" colStart="17" colEnd="59"/>
					</Method>
				</Node>
				<Node>
					<Method name="java.lang.StringBuffer.toString()" argument="-1">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139" lineEnd="139" colStart="49" colEnd="58"/>
					</Method>
				</Node>
				<Node>
					<Method name="java.lang.StringBuffer.toString()" argument="-1">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139" lineEnd="139" colStart="49" colEnd="58"/>
					</Method>
				</Node>
				<Node>
					<Method name="java.lang.StringBuffer.append(java.lang.String)" argument="0">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="138" lineEnd="138" colStart="16" colEnd="35"/>
					</Method>
				</Node>
				<Node>
					<Method name="java.lang.StringBuffer.append(java.lang.String)" argument="0">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="138" lineEnd="138" colStart="16" colEnd="35"/>
					</Method>
				</Node>
				<Node>
					<Method name="java.lang.String.split(java.lang.String)" argument="-1">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="129" lineEnd="129" colStart="30" colEnd="39"/>
					</Method>
				</Node>
				<Node>
					<Method name="java.lang.String.split(java.lang.String)" argument="-1">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="129" lineEnd="129" colStart="30" colEnd="39"/>
					</Method>
				</Node>
				<Node>
					<Method name="com.obinary.cms.core.CacheHandler.getDestinationFile(java.lang.String)" argument="0">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="64" lineEnd="64" colStart="25" colEnd="47"/>
					</Method>
				</Node>
				<Node>
					<Method name="com.obinary.cms.core.PathUtil.getURI(javax.servlet.http.HttpServletRequest)" argument="-1">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="59" lineEnd="59" colStart="31" colEnd="45"/>
					</Method>
				</Node>
				<Source>
					<Method name="javax.servlet.http.HttpServletRequest.getRequestURI()" argument="-1">
						<File path="C:\projects\magnolia\src\com\obinary\cms\core\PathUtil.java" lineStart="83" lineEnd="83" colStart="20" colEnd="34"/>
					</Method>
				</Source>
			</Dataflow>
		</AnalysisInfo>
	</analysis>
</evdl>
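The <detail> text of the SQL Injection entry contrasts concatenating tainted input into a query with the precompiled-statement approach of java.sql.PreparedStatement, and recommends whitelisting when the valid input is known in advance. As an added example that is not part of Peter's message or the EVDL draft, the following Python script shows those three things against an in-memory SQLite table: the concatenated query rewritten by SQL meta-characters, the same query with bound parameters (the DB-API `?` placeholder plays the role PreparedStatement plays in Java; this substitution is the example's own), and a character whitelist applied before any query is built. The table, rows, user names and payloads are constructed for the demonstration.

```python
"""Tainted data in a SQL query: concatenation vs. bound parameters vs. whitelist.

Added example for the SQL Injection entry above; the schema, rows and payloads
are constructed for the demonstration and do not come from the EVDL record.
"""
import re
import sqlite3

# Constructed sample table: two accounts, nothing more.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, name, password):
    """Concatenate user input straight into the statement (the flaw the
    <detail> text describes): quote characters in the input become part of
    the query's syntax, so the caller can rewrite the WHERE clause."""
    sql = ("SELECT name FROM users WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return sorted(row[0] for row in conn.execute(sql))


def login_parameterized(conn, name, password):
    """Same query with bound parameters. The statement's structure is fixed
    before any value is supplied, which is what java.sql.PreparedStatement
    gives a Java caller; here the DB-API '?' placeholder plays that role."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(sql, (name, password)))


# Whitelist for the user name: only these characters are accepted. Everything
# else, including every SQL meta-character, is rejected rather than escaped.
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(name):
    """True only if the whole string is composed of whitelisted characters."""
    return USERNAME_RE.fullmatch(name) is not None


def demo():
    """Run an honest login and two classic payloads through both versions."""
    conn = make_db()
    tautology = "' OR '1'='1"   # turns the WHERE clause into ... OR '1'='1'
    comment = "alice'--"         # closes the name literal, comments out the rest
    return {
        "honest_vulnerable": login_vulnerable(conn, "alice", "s3cret"),
        "honest_parameterized": login_parameterized(conn, "alice", "s3cret"),
        # Every row comes back: the password check has been short-circuited.
        "tautology_vulnerable": login_vulnerable(conn, "nobody", tautology),
        # Logged in as alice without her password.
        "comment_vulnerable": login_vulnerable(conn, comment, ""),
        # The same payloads are compared as plain strings and match nothing.
        "tautology_parameterized": login_parameterized(conn, "nobody", tautology),
        "comment_parameterized": login_parameterized(conn, comment, ""),
        # The whitelist rejects both payloads before any query is built.
        "whitelist": [is_valid_username(s) for s in ("alice", tautology, comment)],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-24s %s" % (key, value))
```

One caveat worth keeping in mind when reading the <detail> text: bound parameters fix the statement's structure, they do not validate the data. Values that cannot be bound, such as table or column names and ORDER BY targets, still need the whitelist, and the whitelist is also what stops oversized or otherwise unexpected input from reaching the database at all.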
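The attachment's <analysis> block records a dataflow trace as a flat list of <Sink>, <Node> and <Source> elements, listed sink first, each wrapping a <Method name="…" argument="…"> with a nested <File path="…" lineStart="…"/>. As an added example, not code from the message, the EVDL draft or the OASIS group, here is a small Python reader for that part of the format. It assumes only what the attachment shows: the default namespace http://www.oasis.org/evdl-0.1, the element and attribute names above, and sink-first ordering. The embedded record is a trimmed copy of the attachment's trace (column attributes dropped) that keeps the duplicated <Node> entries so the de-duplication is exercised.

```python
"""Reader for the <analysis> dataflow trace of an EVDL 0.1 record.

Added example, not code from the message or the EVDL draft. It assumes only
the structure visible in the attachment: the default namespace below,
<Dataflow> holding <Sink>/<Node>/<Source> children in sink-first order, each
wrapping one <Method name=.. argument=..> with a nested <File path=.. lineStart=..>.
"""
import xml.etree.ElementTree as ET

EVDL_NS = "http://www.oasis.org/evdl-0.1"

# Constructed, trimmed copy of the attachment's record. The two identical
# <Node> entries for java.io.File.File(java.lang.String) are kept on purpose.
SAMPLE_EVDL = r"""<evdl xmlns="http://www.oasis.org/evdl-0.1">
  <metaData><ID>magnolia-9E9BC8AD2338EBBBF6986C4255409A6D</ID></metaData>
  <profile><vulnTypes><vuln>Injection</vuln></vulnTypes>
    <description><title>SQL Injection</title></description></profile>
  <analysis><AnalysisInfo><Dataflow scope="global">
    <Sink><Method name="java.io.File.createNewFile()" argument="-1">
      <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="67"/></Method></Sink>
    <Node><Method name="com.obinary.cms.core.CacheHandler.getDestinationFile(java.lang.String)" argument="-1">
      <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="64"/></Method></Node>
    <Node><Method name="java.io.File.File(java.lang.String)" argument="0">
      <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139"/></Method></Node>
    <Node><Method name="java.io.File.File(java.lang.String)" argument="0">
      <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="139"/></Method></Node>
    <Node><Method name="com.obinary.cms.core.CacheHandler.getDestinationFile(java.lang.String)" argument="0">
      <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="64"/></Method></Node>
    <Node><Method name="com.obinary.cms.core.PathUtil.getURI(javax.servlet.http.HttpServletRequest)" argument="-1">
      <File path="C:\projects\magnolia\src\com\obinary\cms\core\CacheHandler.java" lineStart="59"/></Method></Node>
    <Source><Method name="javax.servlet.http.HttpServletRequest.getRequestURI()" argument="-1">
      <File path="C:\projects\magnolia\src\com\obinary\cms\core\PathUtil.java" lineStart="83"/></Method></Source>
  </Dataflow></AnalysisInfo></analysis>
</evdl>"""


def q(tag):
    """Qualify a local tag name with the EVDL default namespace."""
    return "{%s}%s" % (EVDL_NS, tag)


def _step(kind, method_el):
    """One trace step: the Method's name/argument plus its File location."""
    file_el = method_el.find(q("File"))
    return {
        "kind": kind,
        "method": method_el.get("name"),
        "argument": int(method_el.get("argument", "-1")),
        "path": file_el.get("path") if file_el is not None else None,
        "line": int(file_el.get("lineStart")) if file_el is not None else None,
    }


def dataflow_trace(root):
    """Return the trace ordered source -> sink.

    The record lists the sink first and the source last, and repeats some
    <Node> entries verbatim, so consecutive identical steps are collapsed
    before the list is reversed.
    """
    dataflow = root.find(".//" + q("Dataflow"))
    if dataflow is None:
        return []
    steps = []
    for child in dataflow:
        kind = child.tag.split("}", 1)[-1]          # Sink, Node or Source
        method_el = child.find(q("Method"))
        if method_el is None:
            continue
        step = _step(kind, method_el)
        if steps and steps[-1] == step:
            continue                                # drop the verbatim repeat
        steps.append(step)
    steps.reverse()
    return steps


def summarize(xml_text):
    """Pull out the ID, title, vuln types and source->sink trace of a record."""
    root = ET.fromstring(xml_text)
    return {
        "id": (root.findtext(".//" + q("ID")) or "").strip(),
        "title": (root.findtext(".//" + q("title")) or "").strip(),
        "vulnTypes": [(v.text or "").strip() for v in root.iter(q("vuln"))],
        "trace": dataflow_trace(root),
    }


def format_trace(trace):
    """Render the trace one step per line as 'index kind method arg (file:line)'."""
    lines = []
    for i, s in enumerate(trace):
        where = "%s:%s" % (s["path"].rsplit("\\", 1)[-1], s["line"]) if s["path"] else "?"
        lines.append("%d %-6s %s arg=%d (%s)" % (i, s["kind"], s["method"], s["argument"], where))
    return "\n".join(lines)


if __name__ == "__main__":
    record = summarize(SAMPLE_EVDL)
    print(record["id"], record["title"], record["vulnTypes"])
    print(format_trace(record["trace"]))
```

Printing the trace in source-to-sink order makes it easy to see what the instance actually documents: in this record the data enters at HttpServletRequest.getRequestURI() and ends at java.io.File.createNewFile(), which a reviewer would compare against the profile's title and vulnTypes before relying on the record.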


