Software security is not security software. Here we're concerned with topics like authentication, access control, confidentiality, cryptography, and privilege management.
using System.DirectoryServices;
using System.Text.RegularExpressions;

// Allowlist check: letters, '-', '.' and apostrophe only. This keeps LDAP filter
// metacharacters ('*', '(', ')', '\') out of the filter, so it prevents filter injection.
// It is input validation, not an authorization decision.
static string AllowlistVerify(string name) {
    Regex pattern = new Regex(@"^[a-zA-Z\-\.']+$");
    if (pattern.IsMatch(name)) {
        return name;
    }
    return null;
}
...
// managerName is a form field the user controls; nothing ties it to the logged-in user.
string verifiedName = AllowlistVerify(managerName.Text.Trim());
if(verifiedName != null) {
    // Returns every entry whose manager attribute equals the supplied name.
    DirectorySearcher src = new DirectorySearcher("(manager=" + verifiedName + ")");
    src.SearchRoot = de;
    src.SearchScope = SearchScope.Subtree;
    foreach(SearchResult res in src.FindAll()) {
        ...
    }
}
The manager name comes from a form field, so an attacker can submit any name that passes the allowlist. The allowlist keeps LDAP metacharacters out of the filter and therefore prevents filter injection, but it is not an authorization check: nothing ties the search to the identity of the current authenticated user. Because the code in this example executes the query under an anonymous bind, it will return the directory entries of every employee reporting to any valid manager name, regardless of who the authenticated user is.
#include <stdio.h>
#include <string.h>
#include <pcre.h>
#include <ldap.h>

/* Allowlist check: letters, '-', '.' and apostrophe only, so LDAP filter
 * metacharacters never reach the filter. Returns name on match, NULL otherwise. */
char* allowlist_verify(char* name) {
    const char *err;
    int errOffset;
    const char* regex = "^[a-zA-Z\\-\\.']+$";
    pcre* re = pcre_compile(regex, 0, &err, &errOffset, NULL);
    if (re == NULL)
        return NULL;
    /* With no output vector, pcre_exec() returns 0 on a match and a negative
     * PCRE_ERROR_* value otherwise. */
    int rc = pcre_exec(re, NULL, name, strlen(name), 0, 0, NULL, 0);
    pcre_free(re);
    if (rc >= 0)
        return name;
    return NULL;
}
...
/* The manager name arrives over the network; nothing ties it to the caller's identity. */
fgets(managerName, sizeof(managerName), socket);
managerName[strcspn(managerName, "\r\n")] = '\0';  /* drop the newline fgets() keeps */
char* verified_name = allowlist_verify(managerName);
if(verified_name != NULL) {
    /* Injection-safe, but there is no check that the caller may see this manager's reports. */
    snprintf(filter, sizeof(filter), "(manager=%s)", verified_name);
    if ( ( rc = ldap_search_ext_s( ld, FIND_DN, LDAP_SCOPE_BASE,
                                   filter, NULL, 0, NULL, NULL, LDAP_NO_LIMIT,
                                   LDAP_NO_LIMIT, &result ) ) == LDAP_SUCCESS ) {
        ...
    }
}
Here the manager name is read from a socket with fgets(), so it is entirely attacker-controlled. The allowlist prevents filter injection but does nothing to establish that the caller is entitled to see that manager's reports. Because the code in this example executes the query under an anonymous bind, it will return the directory entries for any valid manager name, regardless of the identity of the current authenticated user.
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
...
// Anonymous bind: the directory connection carries no user identity.
env.put(Context.SECURITY_AUTHENTICATION, "none");
DirContext ctx = new InitialDirContext(env);
// empID comes straight from the request; nothing ties it to the logged-in user.
String empID = request.getParameter("empID");
try
{
    int id = Integer.parseInt(empID); // proves it is numeric, not that it is the caller's
    // search(String, Attributes) takes an attribute set, so wrap the single attribute
    BasicAttributes attr = new BasicAttributes("empID", empID);
    NamingEnumeration employee =
        ctx.search("ou=People,dc=example,dc=com", attr);
    ...
The empID value is taken directly from the request. Although the interface automatically submits the employee ID of the current user, an attacker could submit an alternative value as part of a malicious request. The Integer.parseInt() call only confirms that the value is numeric; it does not establish that the ID belongs to the caller. Because the code in this example executes the query under an anonymous bind, it will return the directory entry for any valid employee ID, regardless of the identity of the current authenticated user.
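The three LDAP examples above share one defect: the value that selects which directory entries come back is taken from the request, and nothing compares it with the identity of the authenticated user. The following Python example is added here and is not code from the original page. It reuses the page's allowlist regex, stands in for the directory server with a small constructed in-memory table (DIRECTORY, ldap_search and the hr_staff role set are illustrative assumptions, not real ldap3 or JNDI calls), and shows the validated-but-unauthorized lookup beside one that authorizes the requested manager against the session identity before searching. It goes slightly beyond the page by adding an explicit role that may legitimately read other managers' reports.

```python
import re

# Same allowlist as the page's AllowlistVerify / allowlist_verify: letters, '-', '.' and
# apostrophe only. It keeps LDAP filter metacharacters ('*', '(', ')', '\') out of the
# filter, which stops filter injection, but it says nothing about who may see the result.
ALLOWLIST = re.compile(r"[a-zA-Z\-\.']+")


def allowlist_verify(name):
    """Return name unchanged if it matches the allowlist, else None."""
    return name if ALLOWLIST.fullmatch(name) else None


# Constructed stand-in for the directory (not a real LDAP server): uid and manager
# attributes for a handful of entries.
DIRECTORY = [
    {"uid": "alice", "manager": "bob"},
    {"uid": "carol", "manager": "bob"},
    {"uid": "dave", "manager": "erin"},
]


def ldap_search(filter_str):
    """Evaluate the one filter shape this example builds, (manager=VALUE), against
    DIRECTORY and return the matching uids. Stands in for DirectorySearcher,
    ldap_search_ext_s and DirContext.search."""
    m = re.fullmatch(r"\(manager=([^()]*)\)", filter_str)
    if m is None:
        raise ValueError("unsupported filter: " + filter_str)
    return [e["uid"] for e in DIRECTORY if e["manager"] == m.group(1)]


def reports_vulnerable(manager_name):
    """The page's pattern: validate the request value, then search with it.
    Whoever is logged in, any allowlisted manager name returns that manager's reports."""
    verified = allowlist_verify(manager_name)
    if verified is None:
        return None
    return ldap_search("(manager=" + verified + ")")


def is_authorized(session_uid, manager_name, hr_staff=frozenset()):
    """Authorization decision: a user may list their own reports, or anyone's if they
    hold the (assumed, illustrative) HR role. The comparison is against the session
    identity, never against a value the request supplied."""
    return manager_name == session_uid or session_uid in hr_staff


def reports_hardened(session_uid, manager_name, hr_staff=frozenset()):
    """Validate (keeps the filter injection-free), then authorize, then search."""
    verified = allowlist_verify(manager_name)
    if verified is None:
        return None
    if not is_authorized(session_uid, verified, hr_staff):
        raise PermissionError(session_uid + " may not list the reports of " + verified)
    return ldap_search("(manager=" + verified + ")")


if __name__ == "__main__":
    # erin is logged in but asks for bob's reports: the validated lookup hands them over
    print(reports_vulnerable("bob"))           # ['alice', 'carol']
    try:
        reports_hardened("erin", "bob")
    except PermissionError as exc:
        print("denied:", exc)
    print(reports_hardened("erin", "erin"))    # ['dave']
```

The hardened version keeps the allowlist: validation and authorization are complementary, not substitutes. In a real deployment the search should also run under a bind that carries the user's identity rather than the anonymous bind the page's examples use, so that the directory's own access controls apply as a second layer.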
...
" No AUTHORITY-CHECK precedes the call, so any user who reaches this code can run SA38.
CALL TRANSACTION 'SA38'.
...
The following COBOL fragment fills the MQOD-ALTERNATEUSERID and MQOD-ALTERNATESECURITYID fields of the MQ object descriptor from program input.
...
10 MQOD.
** Alternate user identifier: the identity the queue manager checks authority
** for on MQOPEN when alternate-user authority is requested
15 MQOD-ALTERNATEUSERID PIC X(12).
** Alternate security identifier
15 MQOD-ALTERNATESECURITYID PIC X(40).
...
...
** Both identifiers are read from program input, so the caller chooses which
** user's authority the open is checked against.
ACCEPT MQOD-ALTERNATEUSERID.
ACCEPT MQOD-ALTERNATESECURITYID.
CALL 'MQOPEN' USING HCONN, MQOD, OPTS, HOBJ, COMPCODE, REASON.
...
The authorization check is made for a user other than the one actually logged in when:
- AUTHORITY-CHECK is used together with the addition FOR USER
- AUTHORITY_CHECK is invoked with the specified user
- SU_RAUTH_CHECK_FOR_USER is invoked with the specified user
...
" The check runs FOR USER v_user, a value supplied to the program, rather than for
" the logged-in user (sy-uname), so the caller's own authorizations are never examined.
AUTHORITY-CHECK OBJECT 'S_TCODE' FOR USER v_user
  ID 'TCD' FIELD 'SA38'.
IF sy-subrc = 0.
  CALL TRANSACTION 'SA38'.
ELSE.
...
$admintest = 0;
// $admin arrives from the request (register_globals) as base64("aid:pwd")
if(isset($admin)) {
  if(!IsSet($mainfile)) { include("mainfile.php3"); }
  $admin = base64_decode($admin);
  $admin = explode(":", $admin);
  $aid = "$admin[0]";
  $pwd = "$admin[1]";
  dbconnect();
  // $aid is interpolated unescaped; the lookup may legitimately return zero rows
  $result=mysql_query("select pwd from authors where aid='$aid'");
  if(!$result) {
    echo "Selection from database failed!";
    exit;
  } else {
    // With zero rows mysql_fetch_row() returns FALSE and list() leaves $pass NULL
    list($pass)=mysql_fetch_row($result);
    // Loose comparison: "" == NULL and "" == FALSE are both true
    if($pass == $pwd) {
      $admintest = 1;
    }
  }
}
The script relies on the $admin value for access control checks. Any variables, either from cookies or forms (GET/POST), are automatically made global to the script by PHP (register_globals). An attacker can therefore set the admin variable to any value by passing it as a request parameter. If $pwd (an element of that "scrambled" $admin) does not match the password in the fetched row, authentication fails ($admintest = 0); otherwise any function in admin.php3 becomes accessible.

The weakness is in the comparison $pass == $pwd. The $pass value taken from mysql_fetch_row() could be anything, or mysql_fetch_row() could return FALSE if there are no more rows, in which case list() leaves $pass as NULL. The attacker can exploit this mismatch in datatype to equalize $pwd (string-type) and $pass (logical or null type). The expression if($pass == $pwd) only compares values, NOT the type. As a result, setting $pwd = "" (an empty string) is EQUAL (though not identical) to a FALSE or NULL $pass.

To force that, the attacker only needs to set $aid to a string value that does not exist in the authors database. The mysql_query() call still succeeds (it returns a result resource with zero rows, so !$result is false) and the mysql_fetch_row() call returns FALSE. Concretely, the attacker chooses $aid = "blabla"; $pwd = ""; and sends base64_encode("$aid:$pwd") in the admin request parameter. A strict comparison ($pass === $pwd) together with an explicit check that a row was actually returned closes this hole.