Archive for August, 2008 | Monthly archive page

Suspekt… » Blog Archive » MySQL and SQL Column Truncation Vulnerabilities

When user input is not checked for its length, SQL Column Truncation Vulnerabilities can arise. “SQL Column Truncation Vulnerability” is the name I use to describe security problems arising from overlong input that is truncated during insertion into the database. By default MySQL will truncate strings longer than the defined maximum column width and only emit a warning. Those warnings are usually not seen by web applications and therefore not handled at all. In MySQL the sql_mode STRICT_ALL_TABLES can be activated to turn these warnings into errors, but applications will most of the time run on servers that use the default mode, and even if an application uses the stricter sql_mode it should not produce this error in the first place. Therefore a length check is required.

To understand why the truncation on insert can lead to security problems imagine the following application.

* The application is a forum where new users can register

* The administrator’s name is known e.g. ‘admin’

* MySQL is used in the default mode

* There is no application restriction on the length of new user names

* The database column username is limited to 16 characters
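As an added illustration (not code from the Suspekt article or from this blog), the following Python models the scenario above: MySQL's default truncate-and-warn behaviour on INSERT, a registration routine that checks uniqueness on the raw input, and the same routine with the length check the article calls for. It assumes the username column uses a default PAD SPACE collation, under which trailing spaces are ignored in comparisons.

```python
# Added example, not part of the original article: a model of the
# registration scenario above. MySQL in its default sql_mode silently cuts
# an over-long string to the column width and only records a warning.
USERNAME_WIDTH = 16   # the username column is VARCHAR(16) in the scenario

class TruncationError(Exception):
    """Stands in for the error MySQL raises under STRICT_ALL_TABLES."""

def mysql_store(value, width=USERNAME_WIDTH, strict=False):
    """Return (stored_value, warnings) for inserting `value` into a column
    of `width`. Default mode truncates and warns; strict mode raises."""
    warnings = []
    if len(value) > width:
        if strict:
            raise TruncationError("Data too long for column 'username'")
        warnings.append("Data truncated for column 'username'")
        value = value[:width]
    return value, warnings

def mysql_equal(a, b):
    """Assumption: a default PAD SPACE collation, so trailing spaces are
    ignored by '=' and 'admin' compares equal to 'admin' plus padding."""
    return a.rstrip(" ") == b.rstrip(" ")

def register(users, requested, check_length):
    """Registration as the forum might do it. With check_length=False the
    uniqueness check runs on the raw input and the row is stored truncated;
    with check_length=True over-long names are rejected before the INSERT."""
    if check_length and len(requested) > USERNAME_WIDTH:
        return ("rejected", None)
    if any(mysql_equal(u, requested) for u in users):
        return ("taken", None)
    stored, _warnings = mysql_store(requested)   # the warning goes unnoticed
    users.append(stored)
    return ("created", stored)

def rows_matching(users, name):
    """How many rows a `WHERE username = name` lookup would return."""
    return sum(1 for u in users if mysql_equal(u, name))

def strict_mode_rejects(value):
    """True if STRICT_ALL_TABLES would turn the truncation into an error."""
    try:
        mysql_store(value, strict=True)
    except TruncationError:
        return True
    return False
```

With a constructed table containing only "admin", registering a 17-character name without the length check creates a second row that a `WHERE username = 'admin'` lookup also returns; with the check it is rejected before anything reaches the database.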

read the rest of the article

MuWeb 0.8 Sql Injection

The other day I saw in the search engine terms on my stats page (I usually look at it because I’m trying to write posts according to what people look for when they are thrown over here) that someone came by searching for MuWeb 0.8 Sql Injection… for those I have good news: there is such a vulnerability… I, as other people, had to take some time to find out about it, because I never took a look at the registration page… yep, there it is, situated in the email input… why only there? Because there isn’t any email validation or string cleaning applied to it… (some patches clean the other strings but not the email)… also the email input field did not have a predefined length… yeah, you can remove them, but they are trimmed in the php script…

';shutdown--

^^

JS Judo + XSS + CSRF = Pwnage

…an excellent breeding environment for an XSS worm…

What is an XSS worm?
Wikipedia

An XSS Worm, also known as a cross site scripting virus[1], is a malicious (or sometimes non-malicious) payload that propagates among visitors of a website in the attempt to progressively infect other visitors.

Sticking to KIS (keep it simple) standards it’s a piece of code that propagates…

JS Judo?
Reuse of JS code… JS Judo, JS Judo II… targets for JS Judoing would be frameworks like Dojo, Prototype, jQuery, MooTools, etc…

XSS?
If you don’t know what xss is, you’re in the wrong place now…

CSRF?
Same as above… wrote a couple of articles about it somewhere around here…

Gluing the pieces together
Getting the idea and all (as a startup article): Launching XSS CSRF Based Worms On Social Networks… Also Writing A Modular Universal XSS Worm may sound interesting… but if you’re the same as me, making the code propagate and having a payload is more than enough…

KIS?
Keeping it simple… here is what the worm should do…

:phase 1
after load -> get list with friends
message them (all) a link that loads (via XSS) the worm
:phase 2
payload

In theory it’s very simple, but when writing the code it’s essential to understand the site structure (to know what requests to make, and how to parse them)… also sometimes you’ll have to grab the anti-CSRF token… good luck… =)