
[Security Question] XSRF possible in this page?

Posted: Thu May 05, 2011 2:54 pm
by Aristona
Hi,

Let me tell you the page first.
http://www.celik-ticaret.net/?page=projects (A trash website I use to test my codes)

As you can see, it contains a form with an option like:

Code:

<select name="year">
    <option value="1">Any year</option>
    <option value="2000">2000</option>
    <option value="2001">2001</option>
    ...
</select>

<select name="city">
    <option value="any">Any city</option>
    <option value="cityA">City A</option>
    <option value="cityB">City B</option>
    ...
</select>
Basically, users are generating a SQL query here. Such as:

Code:

function clrInput($input)
{
    // SQL Injection prevention (body omitted in the original post; returns the input unchanged here)
    return $input;
}

$city = clrInput($_POST['city']);
$year = intval(clrInput($_POST['year']));

/* NO OTHER CONTROLS HERE --- THAT'S WHAT I AM ASKING */

// Prepare our query -- Looks very vulnerable! (query() is the poster's own helper)
query("SELECT * FROM TABLE_NAME
       WHERE City = $city AND
             Year = $year");
Okay. All is good so far and it's working properly, but what about if I edit my form like:

Code:

<select name="city">
    <option value="UNION DROP TABLE TABLE_NAME">Any year</option>
</select>
Then the query will be like:

Code:

SELECT * FROM TABLE_NAME
WHERE City = NULL
UNION
DROP TABLE TABLE_NAME
and table will be dropped. (SQL query may be wrong, but you got the idea.)

What kind of protections should I do on such pages? Double-check every option input against an array and die if it doesn't match?

Open for ideas.

Re: [Security Question] XSRF possible in this page?

Posted: Thu May 05, 2011 3:53 pm
by incubi
Hi Aristona,

SQL Injection isn't my strong suit, but I do know you need to validate the data, so in your example make sure "city" is truly the name of a city.

http://www.learnphponline.com/security/ ... -mysql-php


Lee

Re: [Security Question] XSRF possible in this page?

Posted: Thu May 05, 2011 4:38 pm
by Aristona
incubi wrote:Hi Aristona,

SQL Injection isn't my strong suit, but I do know you need to validate the data, so in your example make sure "city" is truly the name of a city.

http://www.learnphponline.com/security/ ... -mysql-php


Lee
Hi,

Thanks for your reply.

I am not sure if it's SQL Injection. I usually manage to get the SQL Injection issue solved with PHP functions, but this one doesn't contain any special characters like ' or ;.
It looks like a different way to me. I am not sure what it is called. (Referred to it as XSRF since we abuse a different form. Could be something entirely different.)

Yes, double checking is something I mentioned. Something like:

Code:

$allowedCities = array('City1', 'City2', 'City3');

// If $_POST['city'] is not in $allowedCities, die; else continue
if (!in_array($_POST['city'], $allowedCities, true)) {
    die();
}
would solve the issue. Then again, it would require me to make my form.tpl dynamic, which means it would have to get the option values from the PHP file dynamically.
It would lower website performance, I believe. I am trying to minimise PHP parsing for maximum efficiency.

Any other ideas about solving the issue?

Re: [Security Question] XSRF possible in this page?

Posted: Thu May 05, 2011 5:00 pm
by incubi
If you "edited your page" :) with the drop query, perhaps it's just injection, but as for cross-site issues the only thing I know is to test where the request came from, maybe with $_SESSION['HTTP_REFERER'].

Also you should use post as much as you can and be sure to do session timeouts.

That's about all I know on it. :)


Lee

Re: [Security Question] XSRF possible in this page?

Posted: Sun May 08, 2011 5:57 am
by Aristona
Thanks Lee. :)

I am also looking for more information about this issue, if possible.

Re: [Security Question] XSRF possible in this page?

Posted: Mon May 09, 2011 7:27 am
by Aristona
Bumpidy bump.

Re: [Security Question] XSRF possible in this page?

Posted: Mon May 09, 2011 11:57 am
by tr0gd0rr
A rule of thumb is to always use prepared queries or call mysql_real_escape_string() on every string that gets put into a query (if you are using MySQL). Using that function diligently will prevent SQL injection.

Re: [Security Question] XSRF possible in this page?

Posted: Mon May 09, 2011 12:14 pm
by Aristona
I am already sanitizing all inputs to prevent SQL Injection, but this one sounds a little different to me.

The thing I ask is something different. If they change the values on the form (e.g. New York -> UNION DROP TABLE TABLE_NAME) (Notice no magical characters being used.) it will get past the sanitize function.
Also, ' and SPACE should be allowed. There is not much use for mysql_real_escape_string() here.

Re: [Security Question] XSRF possible in this page?

Posted: Mon May 09, 2011 1:45 pm
by tr0gd0rr
It won't get past the sanitize function if the value is enclosed in quotes:

SELECT * FROM TABLE_NAME WHERE City = 'NULL UNION DROP TABLE TABLE_NAME'

You must use quotes.

Re: [Security Question] XSRF possible in this page?

Posted: Tue May 10, 2011 10:12 am
by flying_circus
tr0gd0rr wrote:You must use quotes.
Quoting this for emphasis!


My question to the OP would be, what if you were using your database to store code examples (like this website does)? NULL UNION DROP TABLE TABLE_NAME would be perfectly valid data.

Do as Tr0gd0rr says, use quotes and escape your data. Prepared statements will also work well.
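The following is an added example, not code from the thread or from any of its posters. It replays the whole discussion in Python against an in-memory SQLite table (a stand-in for the PHP/MySQL code in the first post, with constructed sample rows and a hypothetical allow-list of city values): the tampered option value from Aristona's question, which contains no quote or semicolon, still rewrites the query when the city is interpolated unquoted, even though it passes through an escaping function; the same value is inert once the literal is quoted (tr0gd0rr's point), and also inert through a prepared statement; and Aristona's allow-list check rejects it before any SQL is built. The escape() helper only doubles single quotes (SQLite's convention) and is an assumption standing in for mysql_real_escape_string(), which does more.

```python
import sqlite3

# Constructed sample rows standing in for the thread's TABLE_NAME (not data from the original post).
PROJECTS = [
    ("Ankara", 2000, "Bridge"),
    ("Istanbul", 2001, "Tower"),
    ("Izmir", 2001, "Harbour"),
]

# Hypothetical allow-list: exactly the option values the form's <select name="city"> offers.
ALLOWED_CITIES = ("any", "Ankara", "Istanbul", "Izmir")


def open_db():
    """In-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE projects (city TEXT, year INTEGER, name TEXT)")
    conn.executemany("INSERT INTO projects VALUES (?, ?, ?)", PROJECTS)
    return conn


def escape(value):
    """Assumed stand-in for mysql_real_escape_string(): doubles single quotes (SQLite's rule).
    Escaping only has meaning inside a quoted string literal; outside one it changes nothing."""
    return str(value).replace("'", "''")


def names(rows):
    """Sorted list of the name column, so results compare deterministically."""
    return sorted(r[0] for r in rows)


def query_unquoted(conn, city, year):
    """The thread's vulnerable shape: the city value is escaped but interpolated without quotes,
    so SQL reads it as an expression, not as data. year goes through int(), like intval()."""
    sql = f"SELECT name FROM projects WHERE year = {int(year)} AND city = {escape(city)}"
    return names(conn.execute(sql))


def query_quoted(conn, city, year):
    """tr0gd0rr's fix: escape AND wrap in quotes, so whatever the user sent stays a string literal."""
    sql = f"SELECT name FROM projects WHERE year = {int(year)} AND city = '{escape(city)}'"
    return names(conn.execute(sql))


def query_prepared(conn, city, year):
    """Prepared statement: the driver binds the values; they are never part of the SQL text."""
    sql = "SELECT name FROM projects WHERE year = ? AND city = ?"
    return names(conn.execute(sql, (int(year), city)))


def unquoted_accepts_plain_string(conn, city):
    """True if the unquoted query even works for an ordinary city name. It does not: a bare
    word in SQL is an identifier, so SQLite looks for a column of that name and fails."""
    try:
        query_unquoted(conn, city, 2000)
        return True
    except sqlite3.OperationalError:
        return False


def handle_search(conn, city, year):
    """Aristona's allow-list check in front of a prepared statement: a tampered <option> value
    is rejected before any SQL is built, and a legitimate one is still passed as a parameter."""
    if city not in ALLOWED_CITIES:
        raise ValueError("city is not one of the form's option values")
    if city == "any":
        return names(conn.execute("SELECT name FROM projects WHERE year = ?", (int(year),)))
    return query_prepared(conn, city, year)


def allow_list_rejects(conn, city, year):
    """True if handle_search() refuses the request because of the allow-list."""
    try:
        handle_search(conn, city, year)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    db = open_db()
    tampered = "1 OR 1=1"          # no quote, no semicolon: exactly the case the thread asks about
    print("unquoted :", query_unquoted(db, tampered, 2000))   # every row comes back
    print("quoted   :", query_quoted(db, tampered, 2000))     # nothing: it is just a string now
    print("prepared :", query_prepared(db, tampered, 2000))   # nothing
    print("quoted, with a quote in the input:", query_quoted(db, "Izmir' OR '1'='1", 2001))
    print("allow-list rejects tampered value:", allow_list_rejects(db, tampered, 2000))
```

Note the precedence in the unquoted case: `WHERE year = 2000 AND city = 1 OR 1=1` parses as `(year = 2000 AND city = 1) OR 1=1`, so the year filter is discarded without any comment marker or statement terminator. Python's int() is stricter than PHP's intval() (it raises on "1 OR 1=1" rather than returning 1), so the year column is only protected here because it is cast; the city column needs quoting, a parameter, or the allow-list.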