HighDots Forums  

Hacker was able to send virus via text field maxlength="50" - HOW?

HTML Writing HTML for the Web (comp.infosystems.www.authoring.html)


#11
Jim Moe

Re: Hacker was able to send virus via text field maxlength="50" -HOW? - 09-17-2005 , 11:10 PM

Joel Shepherd wrote:
Quote:
There is a name for this type of exploit, which unfortunately has
slipped my mind. Googling for "javascript injection" or "html form
exploit" might give you some leads though.

Cross site scripting.
The only cure is server side verification.

--
jmm dash list (at) sohnen-moe (dot) com
(Remove .AXSPAMGN for email)


#12
John

Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 09-18-2005 , 01:41 PM

Quote:
If I had a program that accepted parameters like this, would this be an
adequate method of coping?

size = Request.form("width")
if size="" then size=Request.QueryString("width")
if len(size)>50 then size="default"

No: that's focusing on the wrong part of the problem. Chances are, the
value of the "width" attribute, while interesting, is not something the
server is particularly interested in getting from the form.

Sorry, Joel, I realize I used a reserved word (though my page worked
just fine as long as a number was typed on the form).

In the case of the page I'm testing, I did want to specify the size, so
"width" was what I wanted to set, so to avoid confusion, here is what I
ended up with, and based on what you and others have said, I'm 99 and
44/100% certain that this page can't be attacked by the methods you've
been discussing because I turn ANY string into a number.

Here's my revised code:
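mazew = trim(Request.form("width"))
if len(mazew)=0 then mazew=trim(Request.QueryString("width"))
' VarType 2 to 5 are the numeric subtypes (Integer, Long, Single, Double)
if VarType(mazew)<2 or VarType(mazew)>5 then
    ' anything else is replaced by a random width from 10 to 99
    mazew=int(rnd*90+10)
end if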

And if you want to see it in action, try my test page
http://www.mazes.com/asp-maze/test-maz.asp
(ignore all the garbage at the top, I haven't removed it yet)

You should get a new maze every time you hit refresh.

John



#13
Kent Feiler

Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 09-18-2005 , 01:48 PM

I have never in my life seen anything like this. One of my websites
was hacked tonight by a hacker who was able to send a DoS-related
viral packet of data through a text field on my site that has
maxlength="50"
- -

Can anyone tell me how on earth that is possible?
----------------------------------------------------------

I'm a little confused by this. The fact that you read some virus code
in a textarea field doesn't mean that your computer now has a virus
infection, it depends on what you do with the data. The only way I
know of that this could directly produce a virus infection is if you
tried to read it into a 50 byte area and it overflowed into code.
Another way it might produce a virus is if you tried to pipe it to
another DOS program. Is that what happened?

How did you know it was a DOS-related virus?


Regards,


Kent Feiler
www.KentFeiler.com

#14
Jukka K. Korpela

Re: Hacker was able to send virus via text field maxlength="50" -HOW? - 09-19-2005 , 12:31 AM

TomB wrote:

[ Comprehensive quote - always a useful signal of lack of
comprehensive reading ]

Quote:
Just wondering: how much would the striptags function protect you from
attacks like this?

Whatever you mean by "the striptags function" (anyone and his brother
can write a function and name it "striptags"), the odds are that it has
nothing to do with the issue. Stripping tags does not sound like
checking the amount of input, does it?


#15
Shawn K. Quinn

Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 09-19-2005 , 09:20 PM

begin quotation
from phillip.s.powell (AT) gmail (DOT) com <phillip.s.powell (AT) gmail (DOT) com>
in message <1126935567.535585.322620 (AT) g43g2000cwa (DOT) googlegroups.com>
posted at 2005-09-17T05:39
Quote:
I have never in my life seen anything like this. One of my websites
was hacked tonight by a hacker who was able to send a DoS-related viral
packet of data through a text field on my site that has maxlength="50"
(the data packet itself was about 1024 bytes in length, and several
packets were sent).

Can anyone tell me how on earth that is possible?

It's really easy:

$ lynx -dump -source http://www.example.com/page_with_form_on_it.html \
> page_with_form_on_it.html
$ vi page_with_form_on_it.html

[Change the "50" to "1024" or however big it needs to be]

$ lynx page_with_form_on_it.html

And inject the packet. Do you really think that someone who really wants
to cause you trouble will be stopped by a *suggestion* that a field be
limited to 50 characters?

Quote:
I can't even duplicate that or come close to it, and yet someone has
not only done it but done it repeatedly, and how do I stop them?

This really is not an HTML authoring issue. You stop it by fixing
whatever CGI program to reject form submissions with too much data for a
field. My guess is you have been using fixed-length buffers and this is
trouble waiting to happen.

--
___ _ _____ |*|
/ __| |/ / _ \ |*| Shawn K. Quinn
\__ \ ' < (_) | |*| skquinn (AT) speakeasy (DOT) net
___/_|\_\__\_\ |*| Houston, TX, USA

Reply With Quote
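The server-side rejection the replies above call for, together with the numeric coercion John describes, as an added example that is not part of the original thread. The field names, the 512-byte body cap, the default width and the function name `validate_form` are assumptions made for illustration; the 50-character limit and the "alphanumerics plus single quote" rule are taken from the posts.

```python
import re
from urllib.parse import parse_qs

# Assumed policy, not from the thread's real site: two name fields limited to
# 50 characters (letters, digits, single quote) and a two-digit "width".
MAX_BODY = 512                      # bytes accepted for the whole POST body
NAME_RE = re.compile(r"[A-Za-z0-9']{1,50}")
WIDTH_RE = re.compile(r"[1-9][0-9]")  # exactly the integers 10..99
DEFAULT_WIDTH = 50
EXPECTED = {"first_name", "last_name", "width"}


def validate_form(body: bytes):
    """Validate a raw urlencoded POST body; return (clean, errors)."""
    # The client's maxlength is never seen here, so cap the size ourselves,
    # before any parsing or copying takes place.
    if len(body) > MAX_BODY:
        return None, ["body too large"]
    try:
        fields = parse_qs(body.decode("ascii"), keep_blank_values=True,
                          strict_parsing=True, max_num_fields=8)
    except ValueError:              # also covers UnicodeDecodeError
        return None, ["malformed body"]

    errors, clean = [], {}
    unknown = set(fields) - EXPECTED
    if unknown:
        errors.append("unexpected fields: " + ", ".join(sorted(unknown)))
    for key in ("first_name", "last_name"):
        values = fields.get(key, [])
        # Exactly one value, and it must match length and charset as a whole.
        if len(values) == 1 and NAME_RE.fullmatch(values[0]):
            clean[key] = values[0]
        else:
            errors.append(key + ": need 1-50 letters, digits or quotes")
    # Numeric field: anything that is not a plain 10..99 gets the default.
    raw = fields.get("width", [""])[0]
    clean["width"] = int(raw) if WIDTH_RE.fullmatch(raw) else DEFAULT_WIDTH
    return (None, errors) if errors else (clean, errors)


# Constructed sample submissions (not captured traffic).
SAMPLES = {
    "ok": b"first_name=Ann&last_name=O%27Neil&width=25",
    "field_over_50": b"first_name=" + b"A" * 60 + b"&last_name=Lee",
    "body_1024": b"first_name=" + b"A" * 1024 + b"&last_name=Lee",
    "markup": b"first_name=%3Cscript%3E&last_name=Lee&width=abc",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, validate_form(body))
```

The checks run on the bytes the server actually received, so they hold whether or not the sender's copy of the form still carries maxlength="50".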
  #16  
Joel Shepherd

Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 09-20-2005 , 12:13 AM

"John" <GodLovesEveryone.org (AT) gmail (DOT) com> wrote:
Quote:
No: that's focusing on the wrong part of the problem. Chances are, the
value of the "width" attribute, while interesting, is not something the
server is particularly interested in getting from the form.

Sorry, Joel, I realize I used a reserved word (though my page worked
just fine as long as a number was typed on the form).

In the case of the page I'm testing, I did want to specify the size, so
"width" was what I wanted to set, so to avoid confusion, here is what I
ended up with ...

Ah, okay: I get it now. Width is width of the maze, not of the input. I
agree this looks harmless.

Quote:
And if you want to see it in action, try my test page
http://www.mazes.com/asp-maze/test-maz.asp

Ooooh. Mazes. Cool!

--
Joel.


#17
Matt Silberstein

Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 09-22-2005 , 04:04 PM

On Sun, 18 Sep 2005 13:48:26 -0500, in
comp.infosystems.www.authoring.html , Kent Feiler <zzzz (AT) zzzz (DOT) com> in
<t1dri1d2mtb4gse7ga6p05kn6fog1d8lmv (AT) 4ax (DOT) com> wrote:

Quote:
I have never in my life seen anything like this. One of my websites
was hacked tonight by a hacker who was able to send a DoS-related
viral packet of data through a text field on my site that has
maxlength="50"
- -

Can anyone tell me how on earth that is possible?
----------------------------------------------------------

I'm a little confused by this. The fact that you read some virus code
in a textarea field doesn't mean that your computer now has a virus
infection, it depends on what you do with the data. The only way I
know of that this could directly produce a virus infection is if you
tried to read it into a 50 byte area and it overflowed into code.
Another way it might produce a virus is if you tried to pipe it to
another DOS program. Is that what happened?

How did you know it was a DOS-related virus?

I suspect that DoS is denial of service, not Disk Operating System.


--
Matt Silberstein

Do something today about the Darfur Genocide

Genocide is news | Be A Witness
http://www.beawitness.org

"Darfur: A Genocide We can Stop"
www.darfurgenocide.org

Save Darfur.org :: Violence and Suffering in Sudan's Darfur Region
http://www.savedarfur.org/


#18
phillip.s.powell@gmail.com

Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 09-30-2005 , 10:00 AM

A bit harsh, and unfortunately deservedly so considering I didn't tell
you the whole story.

I do, in fact, have server-side validation upon form submittal, along
with client-side validation, that checks for length and content format
(first name and last name can only have alphanumeric characters and the
occasional single quote).

Thanx for the web security suggestion.

Phil


#19
phillip.s.powell@gmail.com

Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 09-30-2005 , 10:02 AM

And you would be thwarted in your efforts as I also have server-side
validation that kicks in on the server end just for moments like that.
How someone could remotely thwart someone running PHP/TCL/Apache/Unix
server-side validation sequencing by pulling a cached page is beyond
me.

Phil


#20
phillip.s.powell@gmail.com

Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 09-30-2005 , 10:04 AM

That's just it, I do just that in my CGI back-end (double layer... it
goes to a PHP script first outside of CGI, then to the TCL CGI script
to process), and both scripts check for length of content each time.

Phil

