[Van-pm] A couple of bits of local perl news
Alex Pavlovic
alex.pavlovic at taskforce-1.com
Mon Oct 16 22:28:57 PDT 2006
Hi,
It is, however, worth noting that such an attack simply won't work if you are
using Cat with plain DBI (traditional model) and placeholders. If you try
overflowing by sending more arguments than necessary, DBI will complain.
Simple example:
my $model = $c->model('MyApp::Model::DBI');
my $dbh   = $model->dbh;
$dbh->do(
    'UPDATE x SET y = ? WHERE z = ?',
    {},
    $results->valid($x),
    $results->valid($y)
);
# or
$dbh->do(
    'UPDATE x SET y = ? WHERE z = ?',
    {},
    $c->req->param($x),
    $c->req->param($y)
);
In this case we expect 2 arguments and no more; if either valid or param for
$x or $y returns more than one, DBI will error out with something like the
following:
called with ... bind variables when ... are needed
The problem *really* relates to the code which builds SQL dynamically,
especially as illustrated in your example on seclist. One solution to the
problem as you point out is to force the result into scalar context.
The other solution is to abandon $c->req->param completely and switch over to
$c->req->parameters if you are on Cat. Then you simply get either a scalar or
an ARRAYREF back, instead of getting a list. ARRAYREFs can't be used without
an explicit deref, so it solves your problem.
Cheers.
--
Alex Pavlovic - CTO
TF-1 Inc. ( Custom development, consultancy and training )
http://taskforce-1.com
On Friday 13 October 2006 17:41, mock wrote:
> If you're using perl to do web applications you might want to check out
> this advisory: http://seclists.org/fulldisclosure/2006/Oct/0177.html by
> yours truly.
>
> And finally anyone up for a get together over drinks/coffee/food?
>
> mock
> _______________________________________________
> Vancouver-pm mailing list
> Vancouver-pm at pm.org
> http://mail.pm.org/mailman/listinfo/vancouver-pm
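The three behaviours described in Alex's reply (DBI refusing a shifted bind list, forcing scalar context, and the ARRAYREF you get from $c->req->parameters), as an added runnable example that is not part of the original post. It assumes DBI and DBD::SQLite are installed; the request object is a constructed stand-in that mimics the two Catalyst accessors, since Catalyst itself is not needed to show the point.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use DBI;

# Constructed stand-in for $c->req: a form submitted as name=alice&name=bob&id=7,
# i.e. the "name" field was sent twice.
my %form = (name => [ 'alice', 'bob' ], id => ['7']);

sub req_param {          # like $c->req->param: in list context, ALL values come back
    my ($k) = @_;
    return wantarray ? @{ $form{$k} } : $form{$k}[0];
}

sub req_parameters {     # like $c->req->parameters: scalar or ARRAYREF, never a list
    my %p;
    for my $k (keys %form) {
        my @v = @{ $form{$k} };
        $p{$k} = @v > 1 ? \@v : $v[0];
    }
    return \%p;
}

sub single_value {       # explicit policy for the ARRAYREF case: refuse it
    my ($params, $field) = @_;
    my $v = $params->{$field};
    die "field '$field' must not be multi-valued\n" if ref $v eq 'ARRAY';
    return $v;
}

my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '',
    { RaiseError => 1, PrintError => 0 });
$dbh->do('CREATE TABLE x (z INTEGER PRIMARY KEY, y TEXT)');
$dbh->do('INSERT INTO x VALUES (7, ?)', {}, 'orig');

# 1. List context: 'alice','bob','7' arrive as three bind values for two
#    placeholders, so DBI dies: "... called with 3 bind variables when 2 are needed".
eval { $dbh->do('UPDATE x SET y = ? WHERE z = ?', {}, req_param('name'), req_param('id')) };
print "rejected by DBI: $@" if $@;

# 2. Forcing scalar context: only the first value of each field is bound.
$dbh->do('UPDATE x SET y = ? WHERE z = ?', {},
    scalar req_param('name'), scalar req_param('id'));

# 3. $c->req->parameters style: the duplicate field is an ARRAYREF, which cannot
#    silently become extra bind values; our policy rejects it before any SQL runs.
eval { my $p = req_parameters();
       $dbh->do('UPDATE x SET y = ? WHERE z = ?', {},
           single_value($p, 'name'), single_value($p, 'id')) };
print "rejected by policy: $@" if $@;

my ($y) = $dbh->selectrow_array('SELECT y FROM x WHERE z = 7');
print "row 7 now has y = $y\n";   # 'alice', set only by the scalar-context update
```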