Posted to modperl@perl.apache.org by Perrin Harkins <pe...@elem.com> on 2008/04/21 17:24:11 UTC

Re: parameters taintness

On Mon, Apr 21, 2008 at 12:21 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> Problem is,
>
> When DBI "Taint" is on, the page is completely stuck and I cannot find any
> errors or warning in the error_log.

Can you be a little more descriptive?  What does "stuck" mean in this case?

- Perrin

Re: parameters taintness

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Perrin Harkins wrote:
> On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer <ap...@netvision.net.il> wrote:
>> It's stuck on "Waiting for... " in the status bar
> 
> Step away from the browser.  If you've never learned how to debug a
> web request with telnet or lwp-request, this is a good time to learn.
> Just google "telnet 80 debugging" or something similar to find some
> guides to get you started.

:)  netcat is actually more useful than telnet, it's quite a bit more
scriptable.  lwp-request and netcat are the only tools I use unless I
really can't shoehorn netcat onto someone else's box.

Re: parameters taintness

Posted by David Nicol <da...@gmail.com>.
On Mon, Apr 21, 2008 at 1:02 PM, Eli Shemer <ap...@netvision.net.il> wrote:

> Using telnet/netcat is nice but it will be a nightmare to write a
> debugger
> script that will simulate all of the operations up to that point. (login,
> submission of data to the page)



http://search.cpan.org/author/PETDANCE/WWW-Mechanize-1.34/lib/WWW/Mechanize/FAQ.pod

RE: parameters taintness

Posted by Eli Shemer <ap...@netvision.net.il>.
Well,

Indeed it probably got stuck every time due to the locking issue but that
doesn’t matter really.
What I actually wanted was a mechanism to alert me when my variables are
not safe enough to work with but I could not do that.
I never got any warning in the error_log and I still don’t know how to get
DBI to do that.

But regardless, I've stress checked my variables since, manually, and I've
used sql injection tools that try to penetrate to sites. Namely, my own.


-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Tuesday, April 22, 2008 9:40 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness

On Mon, Apr 21, 2008 at 3:48 PM, Eli Shemer <ap...@netvision.net.il> wrote:
>     eval{
>
>       tie %session, 'Apache::Session::MySQL', $id,
>       {
>         Handle     => $dbh,
>         LockHandle => $dbh
>       };
>     }
>
>  Same behavior as I previously mentioned when the Tainted is enabled in
>  DBI->Connect

I think you should try writing a command-line script using DBI and see
if you get the same behavior.

- Perrin

No virus found in this incoming message.
Checked by AVG. 
Version: 7.5.524 / Virus Database: 269.23.3/1390 - Release Date: 21/04/2008
16:23
 

No virus found in this outgoing message.
Checked by AVG. 
Version: 7.5.524 / Virus Database: 269.23.3/1390 - Release Date: 21/04/2008
16:23
 



Re: parameters taintness

Posted by Perrin Harkins <pe...@elem.com>.
On Mon, Apr 21, 2008 at 3:48 PM, Eli Shemer <ap...@netvision.net.il> wrote:
>     eval{
>
>       tie %session, 'Apache::Session::MySQL', $id,
>       {
>         Handle     => $dbh,
>         LockHandle => $dbh
>       };
>     }
>
>  Same behavior as I previously mentioned when the Tainted is enabled in
>  DBI->Connect

I think you should try writing a command-line script using DBI and see
if you get the same behavior.

- Perrin

RE: parameters taintness

Posted by Eli Shemer <ap...@netvision.net.il>.
    eval{
      tie %session, 'Apache::Session::MySQL', $id,
      {
        Handle     => $dbh,
        LockHandle => $dbh
      };
    }

Same behavior as I previously mentioned when the Tainted is enabled in
DBI->Connect

-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 8:13 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness

On Mon, Apr 21, 2008 at 2:53 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> I summed it down to this line of code
>
>  my $id = $cookies{ANONYMOUS_ID}->value;
>  if ($id =~ m/(.+)/) { $id=$1; }
>
>  tie %session, 'Apache::Session::MySQL', $id,
>  {
>   Handle     => $dbh,
>   LockHandle => $dbh
>  };

You need to wrap that tie call in an eval, as shown in the
Apache::Session documentation.  If it hangs rather than just failing,
the problem most likely has to do with the locking behavior.

- Perrin

Re: parameters taintness

Posted by Perrin Harkins <pe...@elem.com>.
On Mon, Apr 21, 2008 at 2:53 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> I summed it down to this line of code
>
>  my $id = $cookies{ANONYMOUS_ID}->value;
>  if ($id =~ m/(.+)/) { $id=$1; }
>
>  tie %session, 'Apache::Session::MySQL', $id,
>  {
>   Handle     => $dbh,
>   LockHandle => $dbh
>  };

You need to wrap that tie call in an eval, as shown in the
Apache::Session documentation.  If it hangs rather than just failing,
the problem most likely has to do with the locking behavior.

- Perrin

RE: parameters taintness

Posted by Eli Shemer <ap...@netvision.net.il>.
I summed it down to this line of code

my $id = $cookies{ANONYMOUS_ID}->value;
if ($id =~ m/(.+)/) { $id=$1; }

tie %session, 'Apache::Session::MySQL', $id,
{
  Handle     => $dbh,
  LockHandle => $dbh
};


%session is empty at this point, $dbh is a reference to the database
and $id was double-checked.

Note that when I remove the TaintIn parameter in the DBI->connect, the page
works with the above code.


-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 7:36 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness

On Mon, Apr 21, 2008 at 2:02 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> Well, for now I've diagnosed it to crook due to the cookies/session
>  operation.
>  Because once I remove the cookie from my browser, everything works
>  correctly.

Ok, but you need to find what line in your code is having the problem
if you want help fixing it.

>  I really would like to get DBI to scream out when it finds a tainted
>  variable,
>  not hold the entire operation and withhold any further information.

It would.  It's not clear from what you've said so far that your
problem is related to DBI or to tainting.

>  Using telnet/netcat is nice but it will be a nightmare to write a debugger
>  script that will simulate all of the operations up to that point. (login,
>  submission of data to the page)

Then use a logging proxy that will let you see the actual data going
back and forth.

- Perrin

RE: parameters taintness

Posted by Eli Shemer <ap...@netvision.net.il>.
$dbh = DBI->connect("DBI:mysql:[bla]:localhost","[bla]","[bla]",{Taint => 0})
or die "Cannot connect to database: $DBI::errstr";

doesn’t work
I'm starting to suspect some weird DBI bug.


Works:
$dbh = DBI->connect("DBI:mysql:[bla]:localhost","[bla]","[bla]")  
or die "Cannot connect to database: $DBI::errstr";

-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 7:36 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness

On Mon, Apr 21, 2008 at 2:02 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> Well, for now I've diagnosed it to crook due to the cookies/session
>  operation.
>  Because once I remove the cookie from my browser, everything works
>  correctly.

Ok, but you need to find what line in your code is having the problem
if you want help fixing it.

>  I really would like to get DBI to scream out when it finds a tainted
>  variable,
>  not hold the entire operation and withhold any further information.

It would.  It's not clear from what you've said so far that your
problem is related to DBI or to tainting.

>  Using telnet/netcat is nice but it will be a nightmare to write a debugger
>  script that will simulate all of the operations up to that point. (login,
>  submission of data to the page)

Then use a logging proxy that will let you see the actual data going
back and forth.

- Perrin

Re: parameters taintness

Posted by Perrin Harkins <pe...@elem.com>.
On Mon, Apr 21, 2008 at 2:02 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> Well, for now I've diagnosed it to crook due to the cookies/session
>  operation.
>  Because once I remove the cookie from my browser, everything works
>  correctly.

Ok, but you need to find what line in your code is having the problem
if you want help fixing it.

>  I really would like to get DBI to scream out when it finds a tainted
>  variable,
>  not hold the entire operation and withhold any further information.

It would.  It's not clear from what you've said so far that your
problem is related to DBI or to tainting.

>  Using telnet/netcat is nice but it will be a nightmare to write a debugger
>  script that will simulate all of the operations up to that point. (login,
>  submission of data to the page)

Then use a logging proxy that will let you see the actual data going
back and forth.

- Perrin
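
The taint behaviour discussed in this thread, as an added example that is not code from any poster: DBI's TaintIn check only fires when perl itself runs in taint mode, and it refuses tainted arguments by dying, while a value passed through the blanket m/(.+)/ pattern is no longer tainted and is let through. It uses DBD::ExampleP (bundled with DBI) in place of MySQL and assumes 32-hex-character session ids; the cookie values and the helper names untaint_session_id and passes_taint_check are constructed for illustration.

```perl
# Added example, not from the thread. Run as: perl -T taint_demo.pl
use strict;
use warnings;
use DBI;
use Scalar::Util qw(tainted);

# DBI's Taint/TaintIn/TaintOut are inert unless perl itself is in taint mode
# (-T on the command line; PerlSwitches -T under mod_perl 2).
die "taint mode is off: start perl with -T\n" unless ${^TAINT};

# Zero-length tainted string; appending it taints a constructed sample value.
my $TAINT = substr("$0$^X", 0, 0);
die "could not obtain a taint source\n" unless tainted($TAINT);

# Strict allowlist untaint. Assumption: session ids are 32 hex characters.
sub untaint_session_id {
    my ($raw) = @_;
    return unless defined $raw && $raw =~ /\A([0-9a-fA-F]{32})\z/;
    return $1;
}

# Returns 1 if DBI's TaintIn check lets the bind value through, 0 if it
# refuses it. The refusal is a die, so it cannot pass silently.
sub passes_taint_check {
    my ($sth, $value) = @_;
    return 1 if eval { $sth->execute($value); 1 };
    die $@ unless $@ =~ /Insecure dependency/;    # some unrelated failure
    return 0;
}

# DBD::ExampleP ships with DBI, so no database server is needed here.
# It treats the bind value as a directory name; only the taint check matters.
my $dbh = DBI->connect('dbi:ExampleP:', '', '',
    { RaiseError => 0, PrintError => 0, TaintIn => 1 }) or die $DBI::errstr;
my $sth = $dbh->prepare('select name from ?') or die $dbh->errstr;

# Constructed cookie values, tainted the way real request data is under -T.
my @cookies = (('a' x 32) . $TAINT, 'not-a-session-id' . $TAINT);

for my $raw (@cookies) {
    my $strict    = untaint_session_id($raw);     # undef if malformed
    my ($blanket) = $raw =~ m/(.+)/;              # the pattern from the thread
    printf "%-34s raw:%s strict:%s blanket:%s\n", "'$raw'",
        passes_taint_check($sth, $raw)     ? 'accepted' : 'refused',
        !defined $strict                   ? 'invalid'
      : passes_taint_check($sth, $strict)  ? 'accepted' : 'refused',
        passes_taint_check($sth, $blanket) ? 'accepted' : 'refused';
}
```

Running the same file without -T stops at the first check, which is the situation in which the Taint attributes produce no errors at all.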

RE: parameters taintness

Posted by Eli Shemer <ap...@netvision.net.il>.
Well, for now I've diagnosed it to crook due to the cookies/session
operation.
Because once I remove the cookie from my browser, everything works
correctly.
(if I logged on to the suspicious page just before).

It seems reasonable in theory that DBI's Taintness operation finds the
session/cookie grabbing and setting as problematic and non-trustworthy.
Although it's not a GET/POST parameter but a simple %cookies = fetch
CGI::Cookie;

For general reference, these are the modules I have on the test page:
use strict;
use Apache::Session::MySQL;
use CGI::Cookie;
use Scalar::Util::Numeric qw(isnum);
use Apache2::Cookie;
use Apache2::Request;
use Apache2::Connection;

Even if the DBI considers the cookie/session functions as tainted, and
indeed the page cannot be loaded,
why on earth will it continue to work like that in other pages?
It's as if I enter this page one time, since then all other pages are
Tainted-enabled also,
and I have to remove the cookie.

I really would like to get DBI to scream out when it finds a tainted
variable, 
not hold the entire operation and withhold any further information.

Using telnet/netcat is nice but it will be a nightmare to write a debugger
script that will simulate all of the operations up to that point. (login,
submission of data to the page) 

-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 5:54 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness

On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> It's stuck on "Waiting for... " in the status bar

Step away from the browser.  If you've never learned how to debug a
web request with telnet or lwp-request, this is a good time to learn.
Just google "telnet 80 debugging" or something similar to find some
guides to get you started.

- Perrin

Re: parameters taintness

Posted by Perrin Harkins <pe...@elem.com>.
On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> It's stuck on "Waiting for... " in the status bar

Step away from the browser.  If you've never learned how to debug a
web request with telnet or lwp-request, this is a good time to learn.
Just google "telnet 80 debugging" or something similar to find some
guides to get you started.

- Perrin

RE: parameters taintness

Posted by Eli Shemer <ap...@netvision.net.il>.
It's stuck on "Waiting for... " in the status bar 

-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 5:24 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness

On Mon, Apr 21, 2008 at 12:21 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> Problem is,
>
> When DBI "Taint" is on, the page is completely stuck and I cannot find any
> errors or warning in the error_log.

Can you be a little more descriptive?  What does "stuck" mean in this case?

- Perrin

Re: parameters taintness

Posted by Perrin Harkins <pe...@elem.com>.
On Mon, Apr 21, 2008 at 12:27 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> Stuck meaning that I cannot logon to my web site at all.
>  I have to close the explorer and open it again.

Ok, you need to do some debugging.  First I'd try connecting with
telnet or a command-line browser like lwp-request so you can see how
far it's getting.  You also need to put some warn statements in or use
the debugger to find out what line it stops executing on.

- Perrin

RE: parameters taintness

Posted by Eli Shemer <ap...@netvision.net.il>.
Stuck meaning that I cannot logon to my web site at all.
I have to close the explorer and open it again.

It's as if the web server recognized me as a malicious user and blocked me
out


-----Original Message-----
From: pharkins@gmail.com [mailto:pharkins@gmail.com] On Behalf Of Perrin
Harkins
Sent: Monday, April 21, 2008 5:24 PM
To: Eli Shemer
Cc: modperl@perl.apache.org
Subject: Re: parameters taintness

On Mon, Apr 21, 2008 at 12:21 PM, Eli Shemer <ap...@netvision.net.il> wrote:
> Problem is,
>
> When DBI "Taint" is on, the page is completely stuck and I cannot find any
> errors or warning in the error_log.

Can you be a little more descriptive?  What does "stuck" mean in this case?

- Perrin
