8 messages in com.mysql.lists.perl: Possible security flaws

| From | Sent On | Attachments |
|---|---|---|
| Jan Eden | 04 May 2004 10:01 | |
| apv | 04 May 2004 10:25 | |
| David Dick | 04 May 2004 14:07 | |
| Jim | 04 May 2004 15:17 | |
| Jan Eden | 05 May 2004 00:49 | |
| David Dick | 05 May 2004 05:34 | |
| Jan Eden | 05 May 2004 23:06 | |
| Dave Cash | 06 May 2004 04:54 | |

| Subject: | Possible security flaws |
|---|---|
| From: | Jan Eden (lis...@janeden.org) |
| Date: | 05/04/2004 10:01:17 AM |
| List: | com.mysql.lists.perl |
Hi all,
could you point out the possible security problems with the following design
(planned)?
I have a database on my ISP's server which is accessible via a read-only and a
read/write account.
Now the CGI scripts I wrote to handle the database call the following subroutine
from a module:
sub mysql_config {
    my $mode = shift;
    my ($server, $db, $username, $password);
    if ($mode eq 'local') {
        # local configuration
        $server   = 'localhost';      # The database server
        $db       = '************';   # The name of our database
        $username = '********';       # the username
        $password = '************';   # the password
    } elsif ($mode eq 'editor') {
        # editor configuration: pair.com (write)
        $server   = '***********';    # The database server
        $db       = '*******';        # The name of our database
        $username = '***********';    # the username for reading/writing
        $password = '*************';  # the password
    } else {
        # read-only configuration
        $server   = '**********';     # The database server
        $db       = '******';         # The name of our database
        $username = '************';   # the username for reading
        $password = '*********';      # the password
    }
    return ($server, $db, $username, $password);
}
So if I call the script via the net in 'editor' mode, I have write access. But
my editing script utilizes a user check like this:
use DBI;

sub user_check {
    my ($user_id, $user_name_input, $user_password_input, $mode) = @_;
    my ($server, $db, $username, $password) = mysql_config($mode);
    my $dbh = DBI->connect("dbi:mysql:$db:$server", $username, $password,
        { RaiseError => 1 });
    # user_id is interpolated directly into the SQL text
    my $query = "SELECT user_name, user_password FROM users WHERE user_id = $user_id";
    my $sth = $dbh->prepare($query);
    $sth->execute();
    my ($user_name, $user_password) = $sth->fetchrow_array;
    $sth->finish();
    return 1 if $user_name_input eq $user_name
             && $user_password_input eq $user_password;
    return 0;
}
If no username/password are given (or if the wrong values are entered), the
editing script generates an identification page, otherwise (if user_check
returns 1), the editing form with the values of the page is printed out.
At which point is this setup vulnerable? So far, I have only used local editing,
and I still bear in mind that there's evil out there. ;-)
Thanks,
Jan
--
These are my principles and if you don't like them... well, I have others. -
Groucho Marx
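A hardened variant of the user_check routine from the post above, added here as an example; it is not code from the original message or from any reply in the thread. It assumes the same users table (user_id, user_name, user_password) and the mysql_config routine shown above, and it changes only how user_id reaches the database: through a DBI placeholder (a bound value) instead of string interpolation, with an integer check on the way in.

```perl
use strict;
use warnings;
use DBI;

# Hardened user_check (example code, not from the original post).
# Assumes mysql_config() from the poster's module and the same users table.
sub user_check_safe {
    my ($user_id, $user_name_input, $user_password_input, $mode) = @_;

    # user_id is a numeric key: refuse anything that is not a plain integer
    # before it gets anywhere near the database.
    return 0 unless defined $user_id && $user_id =~ /\A\d+\z/;

    my ($server, $db, $username, $password) = mysql_config($mode);
    my $dbh = DBI->connect("dbi:mysql:$db:$server", $username, $password,
        { RaiseError => 1, PrintError => 0 });

    # The '?' placeholder sends user_id as a bound parameter. The value is
    # never spliced into the SQL text, so it cannot alter the query's
    # structure, whatever it contains.
    my $sth = $dbh->prepare(
        'SELECT user_name, user_password FROM users WHERE user_id = ?');
    $sth->execute($user_id);
    my ($user_name, $user_password) = $sth->fetchrow_array;
    $sth->finish();
    $dbh->disconnect();

    # No row for this user_id: fetchrow_array returned an empty list, and
    # comparing against undef would only produce warnings, not a match.
    return 0 unless defined $user_name && defined $user_password;

    # Credential comparison kept as in the original design.
    return ($user_name_input eq $user_name
         && $user_password_input eq $user_password) ? 1 : 0;
}

1;
```

The integer check is defence in depth; the placeholder alone already keeps user_id out of the SQL text, and the same pattern applies to any other value the CGI script takes from the request.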