From: Daniel W. <d...@ni...> - 2005-11-24 15:00:33

Thomas - You invited feedback about this on the devel list so here is some:

This refers to the perl script that creates sql statements to migrate the contents of the data_dir into a database. For download at: http://cvs.sf.net/viewcvs.py/squirrelmail/squirrelmail/contrib/flat2sql.pl

============== REPORT FOLLOWS ==============

INPUT

Addressbook file example:

doddy|paddy|o'sullivan|da...@as...|/// hacker \\\'); drop TABLE mytable; '

OUTPUT

sql:

INSERT INTO webmail.address (owner,nickname,firstname,lastname,email,label) VALUES ('da...@my...','doddy','paddy' ,'o'sullivan','da...@as...','/// hacker \\\'); DROP TABLE mytable; '');

A few problems:

1. As you can see "o'sullivan" causes problems. The script should (equivalent of) [php]addslashes() the input.

2. The slashes are not escaped - same problem as #1.

3. Most importantly - Semi-colons are not dealt with, opening up sql injection attacks. This example would drop a table from the database. It would throw an error about the sql command "'')" but it would still run the drop command. Unlikely that a user would have such a timebomb waiting for you but it makes sense to make sure we're safe.

HTH,
Daniel
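As an added example (not part of the original post or of flat2sql.pl), here is the same migration step written in Python with SQLite parameter binding instead of Perl string concatenation; the one-table schema, the placeholder addresses and the function names are assumptions. It parses the report's hostile record, shows the broken SQL that concatenation produces, and inserts the row safely while leaving the unrelated table intact.

```python
import sqlite3

# Constructed addressbook record in the data_dir format the report describes
# (nickname|firstname|lastname|email|label); the address is a placeholder and
# the label is the hostile value from the report.
SAMPLE_LINE = ("doddy|paddy|o'sullivan|user@example.invalid|"
               r"/// hacker \\\'); drop TABLE mytable; '")
OWNER = "owner@example.invalid"  # placeholder mailbox owner
FIELDS = ("nickname", "firstname", "lastname", "email", "label")
INSERT = "INSERT INTO address (owner,nickname,firstname,lastname,email,label) VALUES "


def parse_line(line):
    """Split one pipe-delimited record into a dict keyed by FIELDS."""
    parts = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError("malformed addressbook line: %r" % line)
    return dict(zip(FIELDS, parts))


def naive_insert_sql(owner, rec):
    """String concatenation as in the report: quotes, backslashes and
    semicolons inside the data become part of the SQL text."""
    values = [owner] + [rec[f] for f in FIELDS]
    return INSERT + "(" + ",".join("'%s'" % v for v in values) + ");"


def safe_insert(conn, owner, rec):
    """Parameter binding: the driver passes the values separately from the
    statement text, so the data is never parsed as SQL."""
    conn.execute(INSERT + "(?,?,?,?,?,?)",
                 (owner,) + tuple(rec[f] for f in FIELDS))


def migrate(lines, owner=OWNER):
    """Load records into an in-memory database; return the stored label of
    'doddy' and whether the unrelated table 'mytable' survived."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (x)")
    conn.execute("CREATE TABLE address "
                 "(owner, nickname, firstname, lastname, email, label)")
    for line in lines:
        safe_insert(conn, owner, parse_line(line))
    label = conn.execute(
        "SELECT label FROM address WHERE nickname=?", ("doddy",)).fetchone()[0]
    intact = conn.execute("SELECT count(*) FROM sqlite_master WHERE name='mytable'"
                          ).fetchone()[0] == 1
    conn.close()
    return label, intact
```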