CodeSOD: Classic WTF: Injection Proof'd
"When a 'customer' of ours needs custom-developed software to suit their business requirements," Kelly Adams writes, "they can either 'buy' the development services from the IT department, or go to an outside vendor. In the latter case, then we're supposed to approve that the software meets corporate security guidelines."
"Most of the time, our 'approval' is treated as a recommendation, and we end up having to install the application anyway. But recently, they actually listened to us and told the vendor to fix the 'blatant SQL-injection vulnerabilities' that we discovered. A few weeks later, when it came time for our second review, we noticed the following as their 'fix'."
internal static string FQ(string WhichField){ string expression = ""; int num2 = Strings.Len(WhichField); for (int i = 1; i <= num2; i++) { string str = Strings.Mid(WhichField, i, 1); if (str == "'") { str = str + "'"; } expression = expression + str; } return Strings.Trim( Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace( Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace( Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace( Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace( Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace( Strings.Replace(Strings.Replace(Strings.Replace(Strings.Replace( expression, "xp_", "", 1, -1, CompareMethod.Text), "sp_", "", 1, -1, CompareMethod.Text), "--", "-", 1, -1, CompareMethod.Binary), "alter table", "", 1, -1, CompareMethod.Text), "drop table", "", 1, -1, CompareMethod.Text), "create table", "", 1, -1, CompareMethod.Text), "create database", "", 1, -1, CompareMethod.Text), "alter table", "", 1, -1, CompareMethod.Text), "alter column", "", 1, -1, CompareMethod.Text), "drop column", "", 1, -1, CompareMethod.Text), "drop database", "", 1, -1, CompareMethod.Text), "1=1", "", 1, -1, CompareMethod.Text), "union select", "", 1, -1, CompareMethod.Text), "/*", "", 1, -1, CompareMethod.Text), "*/", "", 1, -1, CompareMethod.Text), "boot.ini", "", 1, -1, CompareMethod.Text), "../", "", 1, -1, CompareMethod.Text), "%27", "", 1, -1, CompareMethod.Text), ";dir", "", 1, -1, CompareMethod.Text), "|dir", "", 1, -1, CompareMethod.Text), "<script", "", 1, -1, CompareMethod.Text), "</script>", "", 1, -1, CompareMethod.Text), "language=javascript", "", 1, -1, CompareMethod.Text), "language=\"javascript\"", "", 1, -1, CompareMethod.Text));}
Kelly adds, "of course this time, when we told them the application was still vulnerable so long that a hacker typed '1 = 1' instead of '1=1', they told us were beeing too picky, and had us install the application anyway."
[Advertisement] Manage IT infrastructure as code across all environments with Puppet. Puppet Enterprise now offers more control and insight, with role-based access control, activity logging and all-new Puppet Apps. Start your free trial today!