Many CGIs store data (including passwords) in flat file databases, using special characters as field and row delimiters. Many types of those CGIs are vulnerable to various attacks that enable remote attackers to manipulate those databases, and gain additional privileges. CGIs that allow multiple users to log on, and grant certain users privileged or administrator status, are most likely to be exploitable.
Credit:
The information has been provided by qDefense Advisories.
Many CGIs store data in a flat file database. A flat file database is a standard text file used to store database-style (i.e., fields and rows) information. Fields are delimited by a special character, such as a pipe symbol ( | ) or a colon ( : ). Rows are usually delimited by a new line. A common example is the UNIX /etc/passwd file.
Unfortunately, data stored in this format is often susceptible to manipulation by an attacker. When the database is used to store both user-supplied data (such as an e-mail address) and system data (such as user privileges), an attacker may be able to manipulate the system data. By inserting a row or field delimiting character into the user-supplied data, the attacker can fool the database into treating part of the user-supplied data as the system data of a different row or field.
This is best illustrated by an example:
A particular CGI allows multiple users to log on to a web site. It allows anyone to log on, but provides additional privileges to paying customers. Furthermore, the webmaster may log on to modify the CGI settings. The CGI stores the user data in a flat file database, using the pipe symbol ( | ) as a field delimiter, and a new line as a row delimiter. The database stores the following fields: password, logon name, privilege level, first name, last name, and e-mail address. Here is a sample file:
qua53sar2|bill|admin|William|Smith|webmaster@letstalksports.com
moopus|joe|normal|Joe|Smith|joe@mailboxesrus.com
nopla|iceman|paying|Alfred|Lehoya|js124@abracadabra.com
sillypassword|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org
By registering with a last name containing URL-encoded new lines and pipes, an attacker can embed a second line into his last name, which will be recorded as an entirely new line in the password file, containing whatever information the attacker wants. For instance, an attacker may register as follows:
Username = dummyuser
Password = gotya
Firstname = John
Lastname = Doe\nlivetohack|evilhacker|admin|Evil|Hacker
Email = evil@hackerstogo.com
Note: The "\n" symbol indicates the new line character, ASCII value 10.
When the URL is encoded and submitted properly, it will add two lines to the database. The example database will now look like this:
qua53sar2|bill|admin|William|Smith|webmaster@letstalksports.com
moopus|joe|normal|Joe|Smith|joe@mailboxesrus.com
nopla|iceman|paying|Alfred|Lehoya|js124@abracadabra.com
sillypassword|hank|normal|Harold|Jenkins|hjenkins@aricdorsresearch.org
gotya|dummyuser|normal|John|Doe
livetohack|evilhacker|admin|Evil|Hacker|evil@hackerstogo.com
As you can see, an entry, evilhacker, has been added with full admin status.
Solution:
Ideally, SQL databases should be used instead of flat file databases. If this is not viable, CGI developers should ensure that their CGIs remove delimiter characters from user-supplied data. Checking for delimiters a second time, immediately before writing to the database, is also advisable.
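The following is an added example, not code from the qDefense advisory: a pipe-delimited user file with the schema above, the unchecked writer the walkthrough describes, and a hardened writer that refuses delimiter characters before the record is written. The function names, the sample rows and the registration values are constructed for this illustration.

```python
# Added example (not from the advisory): flat file user database with the
# six-field, pipe-delimited schema described above.
FIELDS = ("password", "logon", "privilege", "first", "last", "email")
FIELD_SEP, ROW_SEP = "|", "\n"

# Constructed sample database, matching the advisory's example file.
SAMPLE_DB = (
    "qua53sar2|bill|admin|William|Smith|webmaster@letstalksports.com\n"
    "moopus|joe|normal|Joe|Smith|joe@mailboxesrus.com\n"
)

def parse_db(text):
    """Split the flat file into one dict per row (what the CGI does at logon)."""
    rows = []
    for line in text.split(ROW_SEP):
        if not line:
            continue
        values = line.split(FIELD_SEP)
        # Pad short rows so a truncated row still parses, as many CGIs do.
        values += [""] * (len(FIELDS) - len(values))
        rows.append(dict(zip(FIELDS, values)))
    return rows

def add_user_unsafe(db, password, logon, first, last, email):
    """Vulnerable writer: user data is joined and appended without any check."""
    record = FIELD_SEP.join((password, logon, "normal", first, last, email))
    return db + record + ROW_SEP

def add_user_safe(db, password, logon, first, last, email):
    """Hardened writer: every user-supplied value is checked for both
    delimiters (and a carriage return) right before it is written."""
    for value in (password, logon, first, last, email):
        if FIELD_SEP in value or ROW_SEP in value or "\r" in value:
            raise ValueError("delimiter character in user-supplied data")
    return add_user_unsafe(db, password, logon, first, last, email)

def admins(db):
    """Logon names a CGI reading this file would grant admin rights to."""
    return sorted(r["logon"] for r in parse_db(db) if r["privilege"] == "admin")

# Constructed registration value from the advisory's walkthrough.
EVIL_LAST = "Doe\nlivetohack|evilhacker|admin|Evil|Hacker"

if __name__ == "__main__":
    args = ("gotya", "dummyuser", "John", EVIL_LAST, "evil@hackerstogo.com")
    print(admins(add_user_unsafe(SAMPLE_DB, *args)))  # ['bill', 'evilhacker']
    try:
        add_user_safe(SAMPLE_DB, *args)
    except ValueError as exc:
        print("rejected:", exc)
```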