On Mon, Apr 21, 2008 at 12:21 PM, Eli Shemer
> Problem is,
>
> When DBI "Taint" is on, the page is completely stuck and I cannot find any
> errors or warning in the error_log.
Can you be a little more descriptive? What does "stuck" mean in this case?
- Perrin
On Mon, Apr 21, 2008 at 12:27 PM, Eli Shemer
> Stuck meaning that I cannot logon to my web site at all.
> I have to close the explorer and open it again.
Ok, you need to do some debugging. First I'd try connecting with
telnet or a command-line browser like lwp-request so you can see how
far it's getting. You also need to put some warn statements in or use
the debugger to find out what line it stops executing on.
- Perrin
On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer
> It's stuck on "Waiting for... " in the status bar
Step away from the browser. If you've never learned how to debug a
web request with telnet or lwp-request, this is a good time to learn.
Just google "telnet 80 debugging" or something similar to find some
guides to get you started.
- Perrin
Perrin Harkins wrote:
> On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer
>> It's stuck on "Waiting for... " in the status bar
>
> Step away from the browser. If you've never learned how to debug a
> web request with telnet or lwp-request, this is a good time to learn.
> Just google "telnet 80 debugging" or something similar to find some
> guides to get you started.
:) netcat is actually more useful than telnet, it's quite a bit more
scriptable. lwp-request and netcat are the only tools I use unless I
really can't shoehorn netcat onto someone else's box.
This is a multipart message in MIME format.
--Boundary_(ID_FkXtoXjOjd1kukBSH7gISQ)
Content-type: text/plain; charset=windows-1250
Content-transfer-encoding: quoted-printable
Hey there
=20
I=92m looking for more information on this subject.
I=92m using mod_perl2 and apache2
=20
Currently what I=92m trying to do is to make both the page and the DBI =
module
tainted-enabled
=20
I have =96t enabled in httpd.conf
And {Taint =3D> 1} upon the DBI connection call.
=20
I=92ve made modifications to a test case page,which was a perfect =
replicate,of
a real =93commercial=94 page.
so now supposedly all $apr->param() parameters are no longer tainted =
after
numereious regexp equations and a temporary hash table that holds all =
data.
=20
Problem is,
When DBI =93Taint=94 is on, the page is completely stuck and I cannot =
find any
errors or warning in the error_log.
=20
Any recommendations / different techniques ?
=20
Thanks.
No virus found in this outgoing message.
Checked by AVG.=20
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: =
19/04/2008
11:31
=20
--Boundary_(ID_FkXtoXjOjd1kukBSH7gISQ)
Content-type: text/html; charset=windows-1250
Content-transfer-encoding: 7BIT
Hey there
I’m looking for more information on this subject.
I’m using mod_perl2 and apache2
Currently what I’m trying to do is to make both the page
and the DBI module tainted-enabled
I have –t enabled in httpd.conf
And {Taint => 1} upon the DBI connection call.
I’ve made modifications to a test case page,which was
a perfect replicate,of a real “commercial” page.
so now supposedly all $apr->param() parameters are no
longer tainted after numereious regexp equations and a temporary hash table
that holds all data.
Problem is,
When DBI “Taint” is on, the page is completely
stuck and I cannot find any errors or warning in the error_log.
Any recommendations / different techniques ?
Thanks.
No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008 11:31
Stuck meaning that I cannot logon to my web site at all.
I have to close the explorer and open it again.
It's as if the web server recognized me as a malicious user and blocked me
out
-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 5:24 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness
On Mon, Apr 21, 2008 at 12:21 PM, Eli Shemer
> Problem is,
>
> When DBI "Taint" is on, the page is completely stuck and I cannot find any
> errors or warning in the error_log.
Can you be a little more descriptive? What does "stuck" mean in this case?
- Perrin
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
It's stuck on "Waiting for... " in the status bar
-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 5:24 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness
On Mon, Apr 21, 2008 at 12:21 PM, Eli Shemer
> Problem is,
>
> When DBI "Taint" is on, the page is completely stuck and I cannot find any
> errors or warning in the error_log.
Can you be a little more descriptive? What does "stuck" mean in this case?
- Perrin
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
------=_Part_4622_23414653.1208798245588
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
On Mon, Apr 21, 2008 at 1:02 PM, Eli Shemer
> Using telnet/netcase is nice but it will be a nightmare to write a
> debugger
> script that will simulate all of the operations up to that point. (login,
> submission of data to the page)
http://search.cpan.org/author/PETDANCE/WWW-Mechanize-1.34/li b/WWW/Mechanize/FAQ.pod
------=_Part_4622_23414653.1208798245588
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
On Mon, Apr 21, 2008 at 1:02 PM, Eli Shemer <> wrote:
Using telnet/netcase is nice but it will be a nightmare to write a debugger
script that will simulate all of the operations up to that point. (login,
submission of data to the page)
------=_Part_4622_23414653.1208798245588--
On Mon, Apr 21, 2008 at 2:02 PM, Eli Shemer
> Well, for now I've diagnosed it to crook due to the cookies/session
> operation.
> Because once I remove the cookie from my browser, everything works
> correctly.
Ok, but you need to find what line in your code is having the problem
if you want help fixing it.
> I really would like to get DBI to scream out when it finds a tainted
> variable,
> not hold the entire operation and withhold any further information.
It would. It's not clear from what you've said so far that your
problem is related to DBI or to tainting.
> Using telnet/netcase is nice but it will be a nightmare to write a debugger
> script that will simulate all of the operations up to that point. (login,
> submission of data to the page)
Then use a logging proxy that will let you see the actual data going
back and forth.
- Perrin
Well, for now I've diagnosed it to crook due to the cookies/session
operation.
Because once I remove the cookie from my browser, everything works
correctly.
(if I logged on to the suspicious page just before).
it seems reasonable in theory that DBI's Taintness operation finds the
session/cookie grabbing and setting as problematic and non-trust worthy.
Although it's not a GET/POST parameter but a simple %cookies = fetch
CGI::Cookie;
For general reference, these are the modules I have on the test page:
use strict;
use Apache::Session::MySQL;
use CGI::Cookie;
use Scalar::Util::Numeric qw(isnum);
use Apache2::Cookie;
use Apache2::Request;
use Apache2::Connection;
even if the DBI considers the cookie/session functions as tainted, and
indeed the page cannot be loaded.
why on earth will it continue to work like that in other pages?
It's as If I enter this page one time, since then all other pages are
Tainted-enabled also,
and I have to remove the cookie.
I really would like to get DBI to scream out when it finds a tainted
variable,
not hold the entire operation and withhold any further information.
Using telnet/netcase is nice but it will be a nightmare to write a debugger
script that will simulate all of the operations up to that point. (login,
submission of data to the page)
-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 5:54 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness
On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer
> It's stuck on "Waiting for... " in the status bar
Step away from the browser. If you've never learned how to debug a
web request with telnet or lwp-request, this is a good time to learn.
Just google "telnet 80 debugging" or something similar to find some
guides to get you started.
- Perrin
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
On Mon, Apr 21, 2008 at 2:53 PM, Eli Shemer
> I summed it down to this line of code
>
> my $id = $cookies{ANONYMOUS_ID}->value;
> if ($id =~ m/(.+)/) { $id=$1; }
>
> tie %session, 'Apache::Session::MySQL', $id,
> {
> Handle => $dbh,
> LockHandle => $dbh
> };
You need to wrap that tie call in an eval, as shown in the
Apache::Session documentation. If it hangs rather than just failing,
the problem most likely has to do with the locking behavior.
- Perrin
I summed it down to this line of code
my $id = $cookies{ANONYMOUS_ID}->value;
if ($id =~ m/(.+)/) { $id=$1; }
tie %session, 'Apache::Session::MySQL', $id,
{
Handle => $dbh,
LockHandle => $dbh
};
%session is empty at this point, $dbh is a reference to the database
And $id was double checked.
Note that when I remove the TaintIn parameter in the DBI->connect, the page
works with the above code.
-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 7:36 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness
On Mon, Apr 21, 2008 at 2:02 PM, Eli Shemer
> Well, for now I've diagnosed it to crook due to the cookies/session
> operation.
> Because once I remove the cookie from my browser, everything works
> correctly.
Ok, but you need to find what line in your code is having the problem
if you want help fixing it.
> I really would like to get DBI to scream out when it finds a tainted
> variable,
> not hold the entire operation and withhold any further information.
It would. It's not clear from what you've said so far that your
problem is related to DBI or to tainting.
> Using telnet/netcase is nice but it will be a nightmare to write a
debugger
> script that will simulate all of the operations up to that point. (login,
> submission of data to the page)
Then use a logging proxy that will let you see the actual data going
back and forth.
- Perrin
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
$dbh =3D DBI->connect("DBI:mysql:[bla]:localhost","[bla]","[bla]",{Ta int =
=3D>
0}) =20
or die "Cannot connect to database: $DBI::errstr";
doesn=92t work
I'm starting to suspect some weird DBI bug.
Works:
$dbh =3D DBI->connect("DBI:mysql:[bla]:localhost","[bla]","[bla]") =20
or die "Cannot connect to database: $DBI::errstr";
-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 7:36 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness
On Mon, Apr 21, 2008 at 2:02 PM, Eli Shemer
wrote:
> Well, for now I've diagnosed it to crook due to the cookies/session
> operation.
> Because once I remove the cookie from my browser, everything works
> correctly.
Ok, but you need to find what line in your code is having the problem
if you want help fixing it.
> I really would like to get DBI to scream out when it finds a tainted
> variable,
> not hold the entire operation and withhold any further information.
It would. It's not clear from what you've said so far that your
problem is related to DBI or to tainting.
> Using telnet/netcase is nice but it will be a nightmare to write a
debugger
> script that will simulate all of the operations up to that point. =
(login,
> submission of data to the page)
Then use a logging proxy that will let you see the actual data going
back and forth.
- Perrin
No virus found in this incoming message.
Checked by AVG.=20
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: =
19/04/2008
11:31
=20
No virus found in this outgoing message.
Checked by AVG.=20
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: =
19/04/2008
11:31
=20
eval{
tie %session, 'Apache::Session::MySQL', $id,
{
Handle => $dbh,
LockHandle => $dbh
};
}
Same behavior as I previously mentioned when the Tainted is enabled in
DBI->Connect
-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 8:13 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness
On Mon, Apr 21, 2008 at 2:53 PM, Eli Shemer
> I summed it down to this line of code
>
> my $id = $cookies{ANONYMOUS_ID}->value;
> if ($id =~ m/(.+)/) { $id=$1; }
>
> tie %session, 'Apache::Session::MySQL', $id,
> {
> Handle => $dbh,
> LockHandle => $dbh
> };
You need to wrap that tie call in an eval, as shown in the
Apache::Session documentation. If it hangs rather than just failing,
the problem most likely has to do with the locking behavior.
- Perrin
No virus found in this incoming message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008
11:31
On Mon, Apr 21, 2008 at 3:48 PM, Eli Shemer
> eval{
>
> tie %session, 'Apache::Session::MySQL', $id,
> {
> Handle => $dbh,
> LockHandle => $dbh
> };
> }
>
> Same behavior as I previously mentioned when the Tainted is enabled in
> DBI->Connect
I think you should try writing a command-line script using DBI and see
if you get the same behavior.
- Perrin
Well,
Indeed it probably got stuck every time due to the locking issue but =
that
doesn=92t matter really.
What I actually wanted was for a mechanism to alert me when my variables =
are
not safe enough to work with but I could not do that.
I never got any warning in the error_log and I still don=92t know how to =
get
DBI to do that.
But regardless, I've stress checked my variables since, manually, and =
I've
used sql injection tools that try to penetrate to sites. Namely, my own.
-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Tuesday, April 22, 2008 9:40 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness
On Mon, Apr 21, 2008 at 3:48 PM, Eli Shemer
wrote:
> eval{
>
> tie %session, 'Apache::Session::MySQL', $id,
> {
> Handle =3D> $dbh,
> LockHandle =3D> $dbh
> };
> }
>
> Same behavior as I previously mentioned when the Tainted is enabled =
in
> DBI->Connect
I think you should try writing a command-line script using DBI and see
if you get the same behavior.
- Perrin
No virus found in this incoming message.
Checked by AVG.=20
Version: 7.5.524 / Virus Database: 269.23.3/1390 - Release Date: =
21/04/2008
16:23
=20
No virus found in this outgoing message.
Checked by AVG.=20
Version: 7.5.524 / Virus Database: 269.23.3/1390 - Release Date: =
21/04/2008
16:23
=20