Re: parameters taintness

Re: parameters taintness

on 21.04.2008 17:24:11 by Perrin Harkins

On Mon, Apr 21, 2008 at 12:21 PM, Eli Shemer wrote:
> Problem is,
>
> When DBI "Taint" is on, the page is completely stuck and I cannot find any
> errors or warning in the error_log.

Can you be a little more descriptive? What does "stuck" mean in this case?

- Perrin

Re: parameters taintness

on 21.04.2008 17:43:15 by Perrin Harkins

On Mon, Apr 21, 2008 at 12:27 PM, Eli Shemer wrote:
> Stuck meaning that I cannot logon to my web site at all.
> I have to close the explorer and open it again.

Ok, you need to do some debugging. First I'd try connecting with
telnet or a command-line browser like lwp-request so you can see how
far it's getting. You also need to put some warn statements in or use
the debugger to find out what line it stops executing on.

- Perrin

Re: parameters taintness

on 21.04.2008 17:53:58 by Perrin Harkins

On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer wrote:
> It's stuck on "Waiting for... " in the status bar

Step away from the browser. If you've never learned how to debug a
web request with telnet or lwp-request, this is a good time to learn.
Just google "telnet 80 debugging" or something similar to find some
guides to get you started.

- Perrin

Re: parameters taintness

on 21.04.2008 18:04:54 by wrowe

Perrin Harkins wrote:
> On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer wrote:
>> It's stuck on "Waiting for... " in the status bar
>
> Step away from the browser. If you've never learned how to debug a
> web request with telnet or lwp-request, this is a good time to learn.
> Just google "telnet 80 debugging" or something similar to find some
> guides to get you started.

:) netcat is actually more useful than telnet, it's quite a bit more
scriptable. lwp-request and netcat are the only tools I use unless I
really can't shoehorn netcat onto someone else's box.

parameters taintness

on 21.04.2008 18:21:06 by Eli Shemer


Hey there

I'm looking for more information on this subject.

I'm using mod_perl2 and apache2

Currently what I'm trying to do is to make both the page and the DBI module
tainted-enabled

I have -t enabled in httpd.conf

And {Taint => 1} upon the DBI connection call.

I've made modifications to a test case page, which was a perfect replicate, of
a real "commercial" page.

so now supposedly all $apr->param() parameters are no longer tainted after
numerous regexp equations and a temporary hash table that holds all data.

Problem is,

When DBI "Taint" is on, the page is completely stuck and I cannot find any
errors or warning in the error_log.

Any recommendations / different techniques ?

Thanks.


No virus found in this outgoing message.
Checked by AVG.
Version: 7.5.524 / Virus Database: 269.23.2/1387 - Release Date: 19/04/2008 11:31


RE: parameters taintness

on 21.04.2008 18:27:07 by Eli Shemer

Stuck meaning that I cannot logon to my web site at all.
I have to close the explorer and open it again.

It's as if the web server recognized me as a malicious user and blocked me
out



RE: parameters taintness

on 21.04.2008 18:45:29 by Eli Shemer

It's stuck on "Waiting for... " in the status bar


Re: parameters taintness

on 21.04.2008 19:17:24 by David Nicol


On Mon, Apr 21, 2008 at 1:02 PM, Eli Shemer wrote:

> Using telnet/netcat is nice but it will be a nightmare to write a debugger
> script that will simulate all of the operations up to that point. (login,
> submission of data to the page)

http://search.cpan.org/author/PETDANCE/WWW-Mechanize-1.34/lib/WWW/Mechanize/FAQ.pod


Re: parameters taintness

on 21.04.2008 19:36:18 by Perrin Harkins

On Mon, Apr 21, 2008 at 2:02 PM, Eli Shemer wrote:
> Well, for now I've diagnosed it to crook due to the cookies/session
> operation.
> Because once I remove the cookie from my browser, everything works
> correctly.

Ok, but you need to find what line in your code is having the problem
if you want help fixing it.

> I really would like to get DBI to scream out when it finds a tainted
> variable,
> not hold the entire operation and withhold any further information.

It would. It's not clear from what you've said so far that your
problem is related to DBI or to tainting.

> Using telnet/netcat is nice but it will be a nightmare to write a debugger
> script that will simulate all of the operations up to that point. (login,
> submission of data to the page)

Then use a logging proxy that will let you see the actual data going
back and forth.

- Perrin

RE: parameters taintness

on 21.04.2008 20:02:35 by Eli Shemer

Well, for now I've diagnosed it to crook due to the cookies/session
operation.
Because once I remove the cookie from my browser, everything works
correctly.
(if I logged on to the suspicious page just before).

It seems reasonable in theory that DBI's Taintness operation finds the
session/cookie grabbing and setting as problematic and non-trustworthy.
Although it's not a GET/POST parameter but a simple %cookies = fetch
CGI::Cookie;

For general reference, these are the modules I have on the test page:
use strict;
use Apache::Session::MySQL;
use CGI::Cookie;
use Scalar::Util::Numeric qw(isnum);
use Apache2::Cookie;
use Apache2::Request;
use Apache2::Connection;

Even if the DBI considers the cookie/session functions as tainted, and
indeed the page cannot be loaded,
why on earth will it continue to work like that in other pages?
It's as if I enter this page one time, since then all other pages are
Tainted-enabled also,
and I have to remove the cookie.

I really would like to get DBI to scream out when it finds a tainted
variable,
not hold the entire operation and withhold any further information.

Using telnet/netcat is nice but it will be a nightmare to write a debugger
script that will simulate all of the operations up to that point. (login,
submission of data to the page)


Re: parameters taintness

on 21.04.2008 20:12:47 by Perrin Harkins

On Mon, Apr 21, 2008 at 2:53 PM, Eli Shemer wrote:
> I summed it down to this line of code
>
> my $id = $cookies{ANONYMOUS_ID}->value;
> if ($id =~ m/(.+)/) { $id=$1; }
>
> tie %session, 'Apache::Session::MySQL', $id,
> {
> Handle => $dbh,
> LockHandle => $dbh
> };

You need to wrap that tie call in an eval, as shown in the
Apache::Session documentation. If it hangs rather than just failing,
the problem most likely has to do with the locking behavior.

- Perrin

RE: parameters taintness

on 21.04.2008 20:53:03 by Eli Shemer

I summed it down to this line of code

my $id = $cookies{ANONYMOUS_ID}->value;
if ($id =~ m/(.+)/) { $id=$1; }

tie %session, 'Apache::Session::MySQL', $id,
{
Handle => $dbh,
LockHandle => $dbh
};


%session is empty at this point, $dbh is a reference to the database
And $id was double checked.

Note that when I remove the TaintIn parameter in the DBI->connect, the page
works with the above code.



RE: parameters taintness

on 21.04.2008 21:04:46 by Eli Shemer

$dbh = DBI->connect("DBI:mysql:[bla]:localhost","[bla]","[bla]",{Taint => 0})
or die "Cannot connect to database: $DBI::errstr";

doesn't work
I'm starting to suspect some weird DBI bug.


Works:
$dbh = DBI->connect("DBI:mysql:[bla]:localhost","[bla]","[bla]")
or die "Cannot connect to database: $DBI::errstr";


RE: parameters taintness

on 21.04.2008 21:48:24 by Eli Shemer

eval{
tie %session, 'Apache::Session::MySQL', $id,
{
Handle => $dbh,
LockHandle => $dbh
};
}

Same behavior as I previously mentioned when the Tainted is enabled in
DBI->Connect


Re: parameters taintness

on 22.04.2008 21:39:49 by Perrin Harkins

On Mon, Apr 21, 2008 at 3:48 PM, Eli Shemer wrote:
> eval{
>
> tie %session, 'Apache::Session::MySQL', $id,
> {
> Handle => $dbh,
> LockHandle => $dbh
> };
> }
>
> Same behavior as I previously mentioned when the Tainted is enabled in
> DBI->Connect

I think you should try writing a command-line script using DBI and see
if you get the same behavior.

- Perrin
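
[Added example, not part of the thread] A command-line test of the kind suggested above could look like the script below: it shows DBI's TaintIn check raising an error that eval reports, and how the thread's (.+) pattern differs from a strict session-id pattern. Assumptions: DBD::SQLite is installed and an in-memory SQLite database replaces the MySQL server; the cookie values are constructed; the helper names (blanket_untaint, strict_untaint, lookup, report) and the 32-hex-character id format are hypothetical.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T taint_check.pl (the file name is arbitrary).
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);
die "taint mode is off, run with perl -T\n" unless ${^TAINT};

# Assumption: DBD::SQLite is installed. An in-memory database stands in for
# the thread's MySQL server; the table has the Apache::Session layout.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0, TaintIn => 1 });
$dbh->do('CREATE TABLE sessions (id CHAR(32) NOT NULL PRIMARY KEY, a_session TEXT)');
$dbh->do(q{INSERT INTO sessions VALUES ('0123456789abcdef0123456789abcdef', 'x')});

# Constructed sample input. Appending a zero-length slice of tainted data
# taints each string, the way a value read from a cookie is tainted.
my $taint  = substr("$0$^X", 0, 0);
my @values = map { $_ . $taint }
    ('0123456789abcdef0123456789abcdef', q{1' OR '1'='1});

# The thread's pattern: (.+) matches anything, so the taint flag is cleared
# without the value being checked.
sub blanket_untaint { my ($v) = @_; my ($out) = $v =~ m/(.+)/; return $out }

# Strict form. Assumption: session ids are 32 lowercase hex characters.
sub strict_untaint { my ($v) = @_; my ($out) = $v =~ /\A([0-9a-f]{32})\z/; return $out }

# Call DBI inside eval and report $@; under mod_perl, warn() goes to error_log.
sub lookup {
    my ($id) = @_;
    return 'never sent to DBI' unless defined $id;
    my $row;
    my $ok = eval {
        $row = $dbh->selectrow_arrayref(
            'SELECT a_session FROM sessions WHERE id = ?', undef, $id);
        1;
    };
    unless ($ok) { warn "DBI refused the call: $@"; return 'refused by TaintIn' }
    return $row ? 'row found' : 'no row';
}

sub report {
    my ($name, $value) = @_;
    printf "  %-7s tainted=%d  %s\n", $name, (tainted($value) ? 1 : 0), lookup($value);
}

for my $raw (@values) {
    print "cookie value: $raw\n";
    report(raw     => $raw);
    report(blanket => blanket_untaint($raw));
    report(strict  => strict_untaint($raw));
}
```

TaintIn only has an effect when perl itself is running in taint mode, which is why the script stops early without -T.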

RE: parameters taintness

on 23.04.2008 05:51:12 by Eli Shemer

Well,

Indeed it probably got stuck every time due to the locking issue but that
doesn't matter really.
What I actually wanted was for a mechanism to alert me when my variables are
not safe enough to work with but I could not do that.
I never got any warning in the error_log and I still don't know how to get
DBI to do that.

But regardless, I've stress checked my variables since, manually, and I've
used sql injection tools that try to penetrate to sites. Namely, my own.
