Message-ID: <20140520140702.GI1028@frohike.xs4all.nl>
Date: Tue, 20 May 2014 16:07:02 +0200
From: Peter Bex <Peter.Bex@...all.nl>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Incorrect SQL identifier quotation rampant among popular web frameworks

Hello all,

Recently I've discovered that many popular web frameworks perform
incorrect quotation of identifiers in their query builders, leading
to potential SQL injection bugs.  This includes Laravel, FuelPHP,
Lithium, CodeIgniter and CakePHP and probably many others.

In most cases, this is only exploitable if the programmer (framework
user) makes the (debatable) "mistake" of querying attacker-controlled
column names, but in Laravel's case even simple mass assignment exposes
this vulnerability, *even* if some fields are $guarded against being
mass-assigned.

Unfortunately, most framework authors seem to dismiss this issue as
purely a user problem and might not even bother fixing the issue or
adding extra safeguards to the framework to achieve defense in depth.
This attitude only contributes to the security crisis, IMHO.

For more information, see my blog post at my employer's research blog:
http://www.codeyellow.nl/identifier-sqli.html

I don't know whether any of these deserve CVE IDs, especially
considering the aforementioned attitude; authors believe this is not
a bug (even in the case of Laravel).

I don't have the time, knowledge and energy to investigate every single
framework in every single language, but I think it's a good idea if the
community at large took a closer look at this particular class of bugs.
So far, the only framework which seems to do it 100% correctly is Ruby
on Rails.  But I must confess I didn't look beyond PHP, Python and Ruby.

In Python, the situation is a little more complicated: Django uses bad
identifier quotation but I have been unable to create a PoC, as it
seems to perform whitelisting everywhere on field names.  This warrants
further investigation, IMHO.

Cheers,
Peter Bex
-- 
http://www.more-magic.net
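The bug class described in the message, reduced to a runnable demonstration. This is an added example and is not code from the message, the blog post, or any of the frameworks named above; the table layout, sample rows, builder functions and the attacker string are all constructed here. The builder quotes identifiers MySQL-style with backticks, which SQLite also accepts, so the demo runs offline against an in-memory database. It contrasts a quoting routine that never escapes an embedded backtick with one that doubles it, and adds the allow-list check the message mentions Django appears to rely on.

```python
"""Identifier quoting in a tiny query builder: broken, fixed, and allow-listed.

Constructed, self-contained example (assumed names: users table, ALLOWED_COLUMNS,
select_public). Not code from any of the frameworks discussed on this page.
"""
import sqlite3

# Constructed sample data: two users, only alice is marked public.
SAMPLE_ROWS = [
    (1, "alice", "hash-of-alice", 1),
    (2, "bob", "hash-of-bob", 0),
]

# Columns the application is willing to let a caller select or sort by.
ALLOWED_COLUMNS = {"id", "username"}

# Attacker-controlled "column name": closes the backtick, ends the query early,
# and comments out the WHERE clause that was supposed to hide non-public rows.
ATTACK = "password_hash` FROM `users` -- "


def open_db():
    """Create the in-memory users table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER, username TEXT, "
        "password_hash TEXT, public INTEGER)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def quote_ident_naive(name):
    """Vulnerable: wraps the name in backticks but leaves embedded backticks alone."""
    return "`" + name + "`"


def quote_ident(name):
    """Correct: an embedded backtick is doubled, so the name cannot close the quote."""
    return "`" + name.replace("`", "``") + "`"


def quote_ident_allowlisted(name):
    """Defense in depth: refuse any name not in the known column set, then quote."""
    if name not in ALLOWED_COLUMNS:
        raise ValueError("column not allowed: %r" % name)
    return quote_ident(name)


def select_public(conn, column, quote):
    """Builder that selects one caller-chosen column, from public rows only.

    Returns the column values, or [] when the database rejects the query
    (an unresolvable identifier), i.e. nothing was leaked.
    """
    sql = "SELECT %s FROM %s WHERE %s = 1" % (
        quote(column), quote("users"), quote("public"))
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return []


if __name__ == "__main__":
    db = open_db()
    print("naive, benign :", select_public(db, "username", quote_ident_naive))
    print("naive, attack :", select_public(db, ATTACK, quote_ident_naive))
    print("fixed, attack :", select_public(db, ATTACK, quote_ident))
    try:
        quote_ident_allowlisted(ATTACK)
    except ValueError as err:
        print("allow-list    :", err)
```

With the naive quoting the attacker string turns the statement into `SELECT \`password_hash\` FROM \`users\`` followed by a comment, so every user's hash comes back regardless of the `public` filter. With backticks doubled the same input is one long, nonexistent column name and SQLite refuses the query. The allow-list rejects the input before any SQL is built at all, which is the check to reach for whenever a column name originates from a request.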
