[TAG] "Lupper Worm" and the patching of bad software

Jason Creighton jcreigh at gmail.com
Thu Nov 10 20:26:15 MSK 2005


On Wed, Nov 09, 2005 at 11:57:15AM -0800, Rick Moen wrote:
> I'm also slowly developing an (at least partial) allergy to Perl CGI
> scripts exposed to hostile networks, since it seems that few authors
> bother doing meaningful input validation. The security history of
> AWstats is instructive:  The authors keep releasing patches to fix "new"
> vulnerabilities, but none of those patches has ever addressed the root
> problem of bad design.  Therefore, the patches are ultimately
> ineffective.  As the computer said in "War Games", the only way to win
> is not to play.

I feel that one should be wary of PHP as well. It just blows my mind how
much code out there looks like:

    $sql_query = "SELECT * FROM foobar WHERE column = '$unvalidated_input'";

...which allows a trivially easy SQL injection attack. I've even seen
stuff like that as example code in PHP books.

If you're coding in C, there's *no* excuse for using gets(), sprintf(),
vsprintf(), or any other function that doesn't do bounds checking. If
you're coding in PHP, there's *no* excuse for not quoting *every*
variable that you use in a SQL query.

*Any* time you pass data to something that has quoting rules, be it
system(), eval() or a SQL server, make sure your string is well-formed,
no matter what your input is.

For system(), first be sure that you need to use it. There might be some
easier way to do what you want in-language. I don't know about other
languages, but in Ruby and Perl, if you pass one argument, the argument
is passed to the shell, but if you pass more than one, it will do a
fork() and exec() for you without going through the shell. So, in Ruby,

    system("some_command '#{foobar}'")

is not good, because foobar could contain single quotes. You should do:

    system("some_command", foobar)

...which will pass foobar exactly as it is as the first argument to
"some_command". Of course, "some_command" should be able to handle
arbitrary input as well, otherwise you're still hosed.

For eval(), just don't. No, really, eval() is almost always wrong. You
think you found the case where eval() is a good idea? You're almost
certainly wrong. You're sure it's a good idea? You're still wrong.
You're going to do it anyway? Okay, but don't come crying to me. eval()
is a "code smell": http://c2.com/cgi/wiki?CodeSmell

For SQL queries, use whatever quoting your SQL interface library has
provided. Most of them have some printf() like method of inserting
variables into the query, like so:

    sql_query_function("SELECT * FROM foobar WHERE column = ?", foobar)

Read your docs, figure out how your library can do that, and use it.

Never use string interpolation for anything with quoting rules (eval(),
system(), SQL, etc.) unless you're absolutely sure that you've quoted it
correctly. Not quite sure? Don't.

Jason Creighton
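The two problems the post describes, interpolated SQL and a one-string
system() call, side by side with the fixes it recommends. This is an added
example, not code from the post or from any project it mentions: it uses
Python's standard library, with sqlite3 standing in for the SQL server and
subprocess standing in for Ruby/Perl system() (a single string goes through
/bin/sh; an argument list is fork()/exec()'d directly). The table, its rows,
the probe program and the inputs are all constructed for the demonstration.

```python
"""Added example: interpolation vs. proper quoting for SQL and for commands.
Everything here (table, rows, probe, inputs) is constructed for the demo."""
import shlex
import sqlite3
import subprocess
import sys


def make_db():
    # Constructed sample table standing in for the post's "foobar".
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE foobar (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO foobar (name) VALUES (?)",
                     [("alice",), ("bob",), ("O'Brien",)])
    return conn


def query_interpolated(conn, user_input):
    """The pattern the post complains about: input spliced into the SQL text.
    Returns the matching ids, or an error string when the query no longer
    parses (a legitimate apostrophe is enough to break it)."""
    sql = f"SELECT id FROM foobar WHERE name = '{user_input}'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def query_parameterized(conn, user_input):
    """The library's placeholder: the driver binds the value, so it is always
    data and never part of the SQL grammar."""
    rows = conn.execute("SELECT id FROM foobar WHERE name = ?", (user_input,))
    return [row[0] for row in rows]


# Constructed helper program: reports how many arguments it received and what
# they were, so we can see what actually arrived in argv either way.
_ARGV_PROBE = "import sys; print(len(sys.argv) - 1, repr(sys.argv[1:]))"


def run_via_shell(user_input):
    """One-string form: the whole line is parsed by /bin/sh first, like a
    single-argument system() call in Ruby or Perl. The input is wrapped in
    single quotes by hand, exactly as in the post's 'bad' example."""
    line = (f"{shlex.quote(sys.executable)} -c {shlex.quote(_ARGV_PROBE)} "
            f"'{user_input}'")
    proc = subprocess.run(line, shell=True, capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


def run_direct(user_input):
    """Argument-list form: fork()/exec() with no shell, so user_input arrives
    as exactly one argv entry whatever characters it contains."""
    proc = subprocess.run([sys.executable, "-c", _ARGV_PROBE, user_input],
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout.strip()


if __name__ == "__main__":
    db = make_db()
    for value in ["alice", "O'Brien", "x' OR '1'='1"]:
        print(f"{value!r:18} interpolated={query_interpolated(db, value)!r}")
        print(f"{'':18} parameterized={query_parameterized(db, value)!r}")
    for value in ["plain", "it's"]:
        print(f"{value!r:18} shell={run_via_shell(value)!r}")
        print(f"{'':18} direct={run_direct(value)!r}")
```

The input "O'Brien" is the instructive case: it is not an attack, just a
name, yet the interpolated query fails to parse and the hand-quoted shell
line dies on an unterminated quote, while the placeholder and the
argument-list call both handle it. A tautology such as `x' OR '1'='1`
matches every row under interpolation and no row under binding, which is
the difference between the two the post is pointing at.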
