Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 20 May 2014 16:07:02 +0200
From: Peter Bex <Peter.Bex@...all.nl>
To: Open Source Security <oss-security@...ts.openwall.com>
Subject: Incorrect SQL identifier quotation rampant among popular web frameworks

Hello all,

Recently I've discovered that many popular web frameworks perform
incorrect quotation of identifiers in their query builders, leading
to potential SQL injection bugs.  This includes Laravel, FuelPHP,
Lithium, CodeIgniter and CakePHP and probably many others.

In most cases, this is only exploitable if the programmer (framework
user) makes the (debatable) "mistake" of querying attacker-controlled
column names, but in Laravel's case even simple mass assignment exposes
this vulnerability, *even* if some fields are $guarded against being
mass-assigned.

Unfortunately, most framework authors seem to dismiss this issue as
purely a user problem and might not even bother fixing the issue or
adding extra safeguards to the framework to achieve defense in depth.
This attitude only contributes to the security crisis, IMHO.

For more information, see my blog post at my employer's research blog:
http://www.codeyellow.nl/identifier-sqli.html

I don't know whether any of these deserve CVE IDs, especially
considering the aforementioned attitude; authors believe this is not
a bug (even in the case of Laravel).

I don't have the time, knowledge and energy to investigate every single
framework in every single language, but I think it's a good idea if the
community at large took a closer look at this particular class of bugs.
So far, the only framework which seems to do it 100% correctly is Ruby
on Rails.  But I must confess I didn't look beyond PHP, Python and Ruby.

In Python, the situation is a little more complicated: Django uses bad
identifier quotation but I have been unable to create a PoC, as it
seems to perform whitelisting everywhere on field names.  This warrants
further investigation, IMHO.

Cheers,
Peter Bex
-- 
http://www.more-magic.net

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ