Aaron S.
Average Member
USA
985 Posts
Posted - 17 May 2002 : 09:20:02

All developers and especially MOD authors... please check your code to make sure you don't have the same members.asp bug.
This could affect anyone who uses the querystring to pass variables around.
Davio fixed the Email Validation MOD, but I suspect there are many MODs that are still left vulnerable.
I am going to go through the MODs on my site today, and I will post the results later on.
--Aaron
DOWNLOAD GREAT NEW MODS HERE

Davio
Development Team Member
Jamaica
12217 Posts
Posted - 17 May 2002 : 14:13:58

I actually found it in the 3.4 version by accident.
Basically, if you pass variables or use variables taken from the URL and enter them in a SQL query, make sure you are passing them through the ChkString() function.
Also be careful how you use the Request function. If you are getting a value from the URL, avoid using Request("var") and use Request.QueryString("var") instead. The same goes if you are getting a value from a cookie or a form field. If you have to use Request("var"), then make sure you check the value that is being passed.
Those are just some of my own tips.
«------------------------------------------------------» Want to know when the next version comes out, as soon as possible? Join our Mailing Lists !

Steve D.
Average Member
USA
640 Posts
Posted - 17 May 2002 : 15:35:27

Thanks, those are good tips, and they don't cause that much extra work either!
---------------------------------------- Badges? We don't need no stinking badges

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 17 May 2002 : 19:41:21

The Request tip is a good one for two reasons: not only does it prevent form data from being manipulated via URL querystrings, but it's also fractionally faster if you specify Request.Form or Request.QueryString directly; otherwise the server has to go and check all Request types to try and find a match for that variable.
www.daoc-halo.com

HuwR
Forum Admin
United Kingdom
20584 Posts
Posted - 18 May 2002 : 03:58:21

quote: The Request tip is a good one for two reasons: not only does it prevent form data from being manipulated via URL querystrings, but it's also fractionally faster if you specify Request.Form or Request.QueryString directly; otherwise the server has to go and check all Request types to try and find a match for that variable.
Yes, but that is not always possible if you are passing data which could have been sent by a form or a URL. But as long as you don't just stick it in your query it doesn't matter; it is just as easy to fake a form post as it is to fake a URL.

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 18 May 2002 : 18:40:41

quote: easy to fake a form post as it is to fake a URL
Not really, the average Joe wouldn't know how to fake a POST because you can't just do it via the browser.
The only way I know of faking a form POST is via telnet.
www.daoc-halo.com

Aaron S.
Average Member
USA
985 Posts
Posted - 18 May 2002 : 18:49:03

You can, using HTML or XML.
I have some code that checks to see if the URL is from my domain (i.e. all posts came from my site)... if not, it redirects to the homepage.
--Aaron
DOWNLOAD GREAT NEW MODS HERE

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 18 May 2002 : 19:23:04

Can you post a link or email me info on how it's done via HTML? I know one way, but that's as big of a PITA as via telnet; maybe there's another way I've not thought of or come across?
www.daoc-halo.com

Nathan
Help Moderator
USA
7664 Posts
Posted - 18 May 2002 : 23:46:02

quote:
quote: easy to fake a form post as it is to fake a URL
Not really, the average Joe wouldn't know how to fake a POST because you can't just do it via the browser.
It's easier than pie, Gremlin.
Nathan Bales Snitz Exchange | Do's and Dont's

Doug G
Support Moderator
USA
6493 Posts
Posted - 18 May 2002 : 23:50:59

For IE it takes just a few lines in a script using xmlhttp:
..
var objXMLReq = new ActiveXObject("Microsoft.XMLHTTP");                          // IE's XMLHTTP object
objXMLReq.open("POST", frmQuery.action, false);                                  // synchronous POST to the form's action URL
objXMLReq.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); // so the server reads the body as form data
objXMLReq.send(strRequest);                                                      // strRequest: url-encoded name=value pairs
...
====== Doug G ======

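The replies from Gremlin, Aaron and Doug above are about whether a form POST can be forged and whether a "must come from my domain" check helps. As an added example (not code from this thread or from Snitz), here is the telnet method in runnable Python: build_post() assembles the raw request bytes that one would otherwise type into telnet, and forge_against_local() sends them to a throw-away http.server receiver that stands in for the ASP page. The path /post_info.asp, the field names, the Referer value and the receiver itself are all assumed for the demo.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode


def build_post(host, path, fields, referer=None, cookie=None):
    """Assemble the raw bytes of a form POST, i.e. what you would type into
    'telnet host 80'.  Every header, Referer and Cookie included, is whatever the
    sender decides to put there."""
    body = urlencode(fields).encode()
    lines = [
        f"POST {path} HTTP/1.0",
        f"Host: {host}",
        "Content-Type: application/x-www-form-urlencoded",   # so Request.Form sees it as form data
        f"Content-Length: {len(body)}",
    ]
    if referer is not None:
        lines.append(f"Referer: {referer}")
    if cookie is not None:
        lines.append(f"Cookie: {cookie}")
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + body


class _Receiver(BaseHTTPRequestHandler):
    """Constructed stand-in for the ASP page: records the form fields and Referer
    of the last POST it received, the way Request.Form and the Referer header
    would be seen by the page."""
    last = {}

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        _Receiver.last = {
            "form": {k: v[0] for k, v in form.items()},
            "referer": self.headers.get("Referer"),
        }
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):   # keep the example quiet
        pass


def send_raw(raw, host, port):
    """Open a plain TCP connection and push the bytes, exactly as telnet would."""
    with socket.create_connection((host, port)) as s:
        s.sendall(raw)
        reply = b""
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply


def forge_against_local():
    """Start the receiver on a free loopback port, send it a forged form post and
    return what the 'page' saw.  Path, field names and Referer are assumed."""
    server = HTTPServer(("127.0.0.1", 0), _Receiver)
    worker = threading.Thread(target=server.handle_request)   # serve exactly one request
    worker.start()
    raw = build_post(
        "127.0.0.1", "/post_info.asp",
        {"Subject": "forged", "Message": "not typed into any browser form"},
        referer="http://forum.example/post.asp",   # whatever a Referer/domain check wants to see
    )
    reply = send_raw(raw, "127.0.0.1", server.server_address[1])
    worker.join()
    server.server_close()
    return {"status_line": reply.split(b"\r\n", 1)[0].decode(), **_Receiver.last}


if __name__ == "__main__":
    print(build_post("forum.example", "/post_info.asp", {"Subject": "hi"},
                     referer="http://forum.example/post.asp").decode())
    print(forge_against_local())
```

The point it makes: the page receives a normal-looking form post with a Referer naming the forum's own domain, although no browser form was ever involved. The Referer header that a "redirect if not from my domain" check relies on is just one more line the sender types, so it is no harder to forge than the form body; an HTML form hosted on any other site produces the same effect without even needing telnet. Only validating the values on the server, as in Davio's tip, holds up.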
acemi
Starting Member
16 Posts
Posted - 19 May 2002 : 05:32:08

quote: Basically if you pass variables or use variables taken from the URL, and enter them in a SQL Query, make sure you are passing it through the ChkString() function.
Passing a variable through the ChkString() function isn't enough; it must also be checked for its type. For example, the ChkString() function can't prevent SQL injection if the variable is numeric or boolean, etc.
And we need this check for all data which comes from the client side (request.querystring, request.form, cookies; also for data that comes from the database or a session variable if it was taken from the client and is used in a SQL query).
I think that something like the following will be better:

const DEFAULT_LNGVAR = 0
const DEFAULT_STRVAR = ""

' ChkType() is the type-check helper proposed here; its body is not shown
if ChkType(request("lngVar"), "long") then
    lngVar = request("lngVar")
else
    lngVar = DEFAULT_LNGVAR
end if

if ChkType(request("strVar"), "string") then
    strVar = request("strVar")
else
    strVar = DEFAULT_STRVAR
end if

... ...

' numeric value coerced with clng(), string value escaped with ChkString()
strSQL = "SELECT * " & _
         "FROM TableName " & _
         "WHERE lngField = " & clng(lngVar) & " " & _
         "AND strField = '" & ChkString(strVar, "SQLString") & "';"

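As an added example (not code from this thread or from Snitz), here is the pattern Davio and acemi describe, reduced to runnable Python against an in-memory SQLite table that stands in for the forum's members table. The table and its rows, the chk_string() and chk_long() helpers and the lookup_* functions are all constructed for the example: chk_string() approximates what ChkString(..., "SQLString") does to quotes, and chk_long() approximates acemi's ChkType()/CLng() check. It shows why quote-escaping stops a payload in the string field but not one in the numeric field, why the type check stops the latter, and that a parameterised query (an ADODB.Command with parameters, in ASP terms) makes both concerns go away.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a forum members table (not Snitz's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (member_id INTEGER, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO members VALUES (?, ?, ?)",
        [(1, "admin", "admin@example.com"),
         (2, "alice", "alice@example.com"),
         (3, "bob", "bob@example.com")],
    )
    return db


def chk_string(value):
    """Approximation of ChkString(value, "SQLString"): double any single quote so the
    value cannot close the string literal it is placed in.  That is all it does."""
    return str(value).replace("'", "''")


def chk_long(value, default=0):
    """Approximation of acemi's ChkType(value, "long") followed by CLng(): accept only
    something that really is an integer, otherwise fall back to the default."""
    try:
        return int(str(value).strip())
    except ValueError:
        return default


def lookup_vulnerable(db, member_id, name):
    """Raw querystring values glued into the SQL: the members.asp-style bug."""
    sql = ("SELECT member_id, name FROM members WHERE member_id = " + member_id
           + " AND name = '" + name + "'")
    return db.execute(sql).fetchall()


def lookup_chkstring_only(db, member_id, name):
    """Only the string field goes through chk_string(); the numeric field is still raw."""
    sql = ("SELECT member_id, name FROM members WHERE member_id = " + member_id
           + " AND name = '" + chk_string(name) + "'")
    return db.execute(sql).fetchall()


def lookup_typed(db, member_id, name):
    """Both fields checked: numeric coerced with chk_long(), string escaped with chk_string()."""
    sql = ("SELECT member_id, name FROM members WHERE member_id = " + str(chk_long(member_id))
           + " AND name = '" + chk_string(name) + "'")
    return db.execute(sql).fetchall()


def lookup_parameterised(db, member_id, name):
    """Bound parameters: the values never become part of the SQL text at all."""
    sql = "SELECT member_id, name FROM members WHERE member_id = ? AND name = ?"
    return db.execute(sql, (chk_long(member_id), name)).fetchall()


# Two constructed attacker inputs, as they would arrive in a querystring.
STRING_PAYLOAD = ("1", "x' OR '1'='1")      # breaks out of the quoted string field
NUMERIC_PAYLOAD = ("1 OR 1=1 --", "x")      # needs no quote at all; '--' comments out the rest


def demo():
    """Run every lookup against both payloads; returns the number of rows each leaked
    as (via string field, via numeric field)."""
    db = make_db()
    results = {}
    for label, fn in (("vulnerable", lookup_vulnerable),
                      ("chkstring_only", lookup_chkstring_only),
                      ("typed", lookup_typed),
                      ("parameterised", lookup_parameterised)):
        results[label] = (len(fn(db, *STRING_PAYLOAD)), len(fn(db, *NUMERIC_PAYLOAD)))
    return results


if __name__ == "__main__":
    for label, (via_string, via_number) in demo().items():
        print(f"{label:15s} rows leaked via string field: {via_string}  via numeric field: {via_number}")
```

The vulnerable lookup leaks the whole table to both payloads. The ChkString-only version stops the first payload (the doubled quotes keep it inside the literal) but still leaks everything to the second, because nothing about `1 OR 1=1 --` involves a quote; that is exactly acemi's objection. Checking the type first, or binding the values as parameters, leaves both payloads with nothing to match.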
Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 19 May 2002 : 05:37:53

I was thinking of those methods, but I also recalled reading somewhere that IIS shouldn't/wouldn't/couldn't(?) allow a form to be posted from a page not from the same webservice... maybe I was reading about a 'future' release of IIS at the time.
All of the mentioned 'hacks' involve a page outside the webserver being attacked.
www.daoc-halo.com

Aaron S.
Average Member
USA
985 Posts
Posted - 19 May 2002 : 09:03:36

You are right... they must be from outside the webserver.
Too many websites rely on posts from outside sources... so I doubt that feature will ever be taken away.
I use it (with good intentions) on my site to scrape Amazon.com and eBay.
--Aaron
DOWNLOAD GREAT NEW MODS HERE

Gremlin
General Help Moderator
New Zealand
7528 Posts
Posted - 19 May 2002 : 09:15:03

When you're scraping data from another site, you're using an HTTP GET, not an HTTP POST. I can't think of any good reason why a webserver should permit a POST from a foreign address.
www.daoc-halo.com
Edited by - Gremlin on 19 May 2002 09:17:30

Doug G
Support Moderator
USA
6493 Posts
Posted - 19 May 2002 : 11:46:04

quote: I was thinking of those methods, but I also recalled reading somewhere that IIS shouldn't/wouldn't/couldn't(?) allow a form to be posted from a page not from the same webservice... maybe I was reading about a 'future' release of IIS at the time.
All of the mentioned 'hacks' involve a page outside the webserver being attacked.
I've never used xmlhttp across webs and seldom use the post feature. It makes sense to prevent posting from an outside address.
====== Doug G ======

snaayk
Senior Member
USA
1061 Posts
Posted - 19 May 2002 : 12:04:49

Is there a definitive way that we should be checking these passed vars?
Will ChkString() work on everything? The function looks all-inclusive, but I want to make sure before I start recoding. In other words, SQL injection should/could not happen if ChkString() is used?