Snitz Forums 2000
Snitz Forums 2000
Home | Profile | Register | Active Topics | Members | Search | FAQ
Username:
Password:
Save Password
Forgot your Password?

 All Forums
 Announcements
 Announcements: Community
 All MOD Developers should check their code!
 New Topic  Topic Locked
 Printer Friendly
Next Page
Author Previous Topic Topic Next Topic
Page: of 2

Aaron S.
Average Member

USA
985 Posts

Posted - 17 May 2002 :  09:20:02  Show Profile  Visit Aaron S.'s Homepage
All developers and especially MOD authors... please check your code to make sure you don't have the same members.asp bug.

This could affect anyone who uses the querystring to pass variables around.

Davio fixed the Email Validation MOD, but I suspect there are many MODs that are still left vunerable.

I am going to go thru the MODs on my site today, and I will post the results later on.

--Aaron



DOWNLOAD GREAT NEW MODS HERE

Davio
Development Team Member

Jamaica
12217 Posts

Posted - 17 May 2002 :  14:13:58  Show Profile
I actually found it in the 3.4 version by accident.

Basically if you pass variables or use variables taken from the URL, and enter them in a SQL Query, make sure you are passing it through the ChkString() function.

Be careful how you also use the Request function. If you are getting a value from the url avoid using Request("var") and use Request.QueryString("var") instead. Same goes if you are getting a value from the cookie or a form field. If you have to use Request("var") then make sure you check the value that is being passed.

That's just some of my own tips.

«------------------------------------------------------»
Want to know when the next version comes out,
as soon as possible? Join our Mailing Lists !
Go to Top of Page

Steve D.
Average Member

USA
640 Posts

Posted - 17 May 2002 :  15:35:27  Show Profile  Visit Steve D.'s Homepage  Send Steve D. a Yahoo! Message
Thanks, thoser are good tips, that don't cause that much extra work either!

----------------------------------------
Badges? We don't need no stinking badges
Go to Top of Page

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 17 May 2002 :  19:41:21  Show Profile  Visit Gremlin's Homepage
The Request tip is a good one for two reasons, not only does it prevent form data being able to be manipulated via URL querystrings, but its also fractionally faster if you specifiy Request.Form or Request.Querystring directly, else the server has to go and check all Request types to try and find a match for that variable.

www.daoc-halo.com
Go to Top of Page

HuwR
Forum Admin

United Kingdom
20584 Posts

Posted - 18 May 2002 :  03:58:21  Show Profile  Visit HuwR's Homepage
quote:

The Request tip is a good one for two reasons, not only does it prevent form data being able to be manipulated via URL querystrings, but its also fractionally faster if you specifiy Request.Form or Request.Querystring directly, else the server has to go and check all Request types to try and find a match for that variable.

www.daoc-halo.com


Yes but not always posible if you are passing data which could have been sent by the form or a URL, but as long as you don't just stick it in your query it doesn't matter it is just as easy to fake a form post as it is to fake a URL

Go to Top of Page

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 18 May 2002 :  18:40:41  Show Profile  Visit Gremlin's Homepage
quote:
easy to fake a form post as it is to fake a URL


Not really, the average joe wouldn't know how to fake a POST becuase you can't just do it via the browser.

The only way I know of faking a form POST is via telnet.

www.daoc-halo.com
Go to Top of Page

Aaron S.
Average Member

USA
985 Posts

Posted - 18 May 2002 :  18:49:03  Show Profile  Visit Aaron S.'s Homepage
You can using HTML or XML.

I have some code that check to see if the URL is from my domain (i.e. all posts came from my site)... if not it redirects to the homepage.

--Aaron

DOWNLOAD GREAT NEW MODS HERE
Go to Top of Page

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 18 May 2002 :  19:23:04  Show Profile  Visit Gremlin's Homepage
Can you post a link or email me info on how its done via HTML, I know one way but thats as big of a PITA as via Telnet, but maybe theres another way I've not thought of or come accross ?

www.daoc-halo.com
Go to Top of Page

Nathan
Help Moderator

USA
7664 Posts

Posted - 18 May 2002 :  23:46:02  Show Profile  Visit Nathan's Homepage
quote:

quote:
easy to fake a form post as it is to fake a URL


Not really, the average joe wouldn't know how to fake a POST becuase you can't just do it via the browser.



Its easier than pie Gremlin.

Nathan Bales
Snitz Exchange | Do's and Dont's
Go to Top of Page

Doug G
Support Moderator

USA
6493 Posts

Posted - 18 May 2002 :  23:50:59  Show Profile
For IE it takes just a few lines in a script using xmlhttp

..
var objXMLReq = new ActiveXObject( "Microsoft.XMLHTTP" );
objXMLReq.open( "POST", frmQuery.action, false );
objXMLReq.send( strRequest );
...


======
Doug G
======
Go to Top of Page

acemi
Starting Member

16 Posts

Posted - 19 May 2002 :  05:32:08  Show Profile
quote:
Basically if you pass variables or use variables taken from the URL, and enter them in a SQL Query, make sure you are passing it through the ChkString() function.


Passing variable through ChkString() function isn't enough, it must also be checked for the type. For example, ChkString() function can't prevent to inject SQL query, if the variable is numeric or boolean etc.

And we need this check for all data which come from the client side (for request.querystring, request.form, cookies. Also for the data come from the database or session variable if they take from client and are used for SQL query)

I think that something like the following will be better:

const DEFAULT_LNGVAR = 0
const DEFAULT_STRVAR = ""

if ChkType(request("lngVar"), "long") then
lngVar = request("lngVar")
else
lngVar = DEFAULT_LNGVAR
end if

if ChkType(request("strVar"), "string") then
strVar = request("strVar")
else
strVar = DEFAULT_STRVAR
end if

...
...

strSQL = "SELECT * " & _
"FROM TableName " & _
"WHERE lngField = " & clng(lngVar) " " & _
"AND strField = '" & ChkString(strVar,"SQLString") & "';"


Go to Top of Page

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 19 May 2002 :  05:37:53  Show Profile  Visit Gremlin's Homepage
I was thinking of those methods, but I also recalled reading somewhere that IIS shouldnt/wouldnt/couldnt(?) allow a form to be posted from a page not from the same webservice ... maybe I was reading about a 'future' relase of IIS at the time.

All of the mentioned 'hacks' involve a page outside the webserver being attacked.

www.daoc-halo.com
Go to Top of Page

Aaron S.
Average Member

USA
985 Posts

Posted - 19 May 2002 :  09:03:36  Show Profile  Visit Aaron S.'s Homepage
You are right... they must be from outside the webserver.

Too many websites rely on posts from outside sources... so I doubt that feature will ever be taken away.

I use it (with good intentions) on my site to scrape Amazon.com and eBay.

--Aaron

DOWNLOAD GREAT NEW MODS HERE
Go to Top of Page

Gremlin
General Help Moderator

New Zealand
7528 Posts

Posted - 19 May 2002 :  09:15:03  Show Profile  Visit Gremlin's Homepage
When your scraping data from another site, your using an HTTP GET, not an HTTP POST. I can't think of any good reason why a webserver should permit a POST from a foreign address.

www.daoc-halo.com



Edited by - Gremlin on 19 May 2002 09:17:30
Go to Top of Page

Doug G
Support Moderator

USA
6493 Posts

Posted - 19 May 2002 :  11:46:04  Show Profile
quote:

I was thinking of those methods, but I also recalled reading somewhere that IIS shouldnt/wouldnt/couldnt(?) allow a form to be posted from a page not from the same webservice ... maybe I was reading about a 'future' relase of IIS at the time.

All of the mentioned 'hacks' involve a page outside the webserver being attacked.

www.daoc-halo.com


I've never used xmlhttp across webs and seldom use the post feature. It makes sense to pevent posting from an outside address.


======
Doug G
======
Go to Top of Page

snaayk
Senior Member

USA
1061 Posts

Posted - 19 May 2002 :  12:04:49  Show Profile  Visit snaayk's Homepage  Send snaayk an AOL message  Send snaayk an ICQ Message  Send snaayk a Yahoo! Message
Is there a definitive way that we should be checking these passed vars.

Will the chkstring() work on everything? The functions looks all inclusive, but I want to make sure before I start recoding. On other words, SQLInjection should/could not happend if chkstring is used?

Go to Top of Page
Page: of 2 Previous Topic Topic Next Topic  
Next Page
 New Topic  Topic Locked
 Printer Friendly
Jump To:
Snitz Forums 2000 © 2000-2021 Snitz™ Communications Go To Top Of Page
This page was generated in 0.18 seconds. Powered By: Snitz Forums 2000 Version 3.4.07