HighDots Forums  

Hacker was able to send virus via text field maxlength="50" - HOW?

#21 phillip.s.powell@gmail.com
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-03-2005, 10:27 AM

It's not so trivial. Like I said before, I utilize server-side
validation as well as client-side validation that checks strictly for
length of submittal along with using Regular Expressions to determine
if the data is purely alphanumeric.

Now tell me this, how can they bypass SERVER-side validation?

Phil


#22 phillip.s.powell@gmail.com
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-03-2005, 10:29 AM

Does this also apply to server-side validation as well, as I have that,
in the PHP script (trivia.php) and in the CGI that it goes to after
successful client-side validation and server-side validation back upon
trivia.php?

Phil


#23 James A. Donald
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-03-2005, 02:33 PM

On 3 Oct 2005 08:27:00 -0700, "phillip.s.powell (AT) gmail (DOT) com"
<phillip.s.powell (AT) gmail (DOT) com> wrote:
> It's not so trivial. Like I said before, I utilize server-side
> validation as well as client-side validation that checks strictly for
> length of submittal along with using Regular Expressions to determine
> if the data is purely alphanumeric.
>
> Now tell me this, how can they bypass SERVER-side validation?

Apache is a complicated thing with lots of flaws, and all the modules
that tend to be loaded onto Apache are complicated things with lots of
flaws.

So you are not providing enough information, and in fact, if you found
the relevant information, you would probably have already figured out
the answer.

You have not shown us these server side checks, nor where in the long
and complicated process of Apache responding to a request these server
side checks are applied.

I was going through the configuration files of my Apache server, and
it is a nightmare. There are so many twisted and unexpected ways
someone might be able to access stuff.

Ideally you want to intercept at every stage, and perform whatever
sanity checks are appropriate at every stage. Make sure all requests are
well formed. Any request must fit one of a certain set of known
patterns. If it does not, then 404 it.


--
http://www.jim.com


#24 Jan Roland Eriksson
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-03-2005, 06:41 PM

On Mon, 03 Oct 2005 12:33:59 -0700, James A. Donald <jamesd (AT) echeque (DOT) com>
wrote:

> On 3 Oct 2005 08:27:00 -0700, "phillip.s.powell (AT) gmail (DOT) com"
> <phillip.s.powell (AT) gmail (DOT) com> wrote:
>> It's not so trivial. Like I said before, I utilize server-side
>> validation as well as client-side validation that checks strictly for
>> length of submittal along with using Regular Expressions to determine
>> if the data is purely alphanumeric.
>>
>> Now tell me this, how can they bypass SERVER-side validation?
>
> Apache is a complicated thing with lots of flaws,

You may want to qualify that statement of yours ?

> and all the modules that tend to be loaded onto Apache are
> complicated things with lots of flaws.

Once again, your qualification of that statement will be welcome,
especially as seen in the light that a vast majority of web servers
around the world are running Apache on (li/u)nix.

Anyone here remember what happened when MS purchased Hotmail and tried
to move that entity over to Windows based servers ?

--
Rex




#25 Miguel Cruz
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-03-2005, 11:03 PM

phillip.s.powell (AT) gmail (DOT) com <phillip.s.powell (AT) gmail (DOT) com> wrote:
> It's not so trivial. Like I said before, I utilize server-side
> validation as well as client-side validation that checks strictly for
> length of submittal along with using Regular Expressions to determine
> if the data is purely alphanumeric.
>
> Now tell me this, how can they bypass SERVER-side validation?

Without seeing the code you are using, that question is impossible to answer
with any specificity. The short answer is that the code was most likely
flawed.

miguel
--
Hit The Road! Photos from 36 countries on 5 continents: http://travel.u.nu
Latest photos: Macau; Queens Day in Amsterdam; Grand Canyon; Amman, Jordan


#26 phillip.s.powell@gmail.com
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-04-2005, 01:33 PM

I didn't reproduce the code because I felt it would be out of scope
considering this is an HTML forum, and my server-side code is in both
PHP and TCL.

I can do so, however, if you wish.

Phil

Miguel Cruz wrote:
> phillip.s.powell (AT) gmail (DOT) com <phillip.s.powell (AT) gmail (DOT) com> wrote:
>> It's not so trivial. Like I said before, I utilize server-side
>> validation as well as client-side validation that checks strictly for
>> length of submittal along with using Regular Expressions to determine
>> if the data is purely alphanumeric.
>>
>> Now tell me this, how can they bypass SERVER-side validation?
>
> Without seeing the code you are using, that question is impossible to answer
> with any specificity. The short answer is that the code was most likely
> flawed.
>
> miguel
> --
> Hit The Road! Photos from 36 countries on 5 continents: http://travel.u.nu
> Latest photos: Macau; Queens Day in Amsterdam; Grand Canyon; Amman, Jordan


#27 Miguel Cruz
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-04-2005, 02:19 PM

phillip.s.powell (AT) gmail (DOT) com <phillip.s.powell (AT) gmail (DOT) com> wrote:
> Miguel Cruz wrote:
>> phillip.s.powell (AT) gmail (DOT) com <phillip.s.powell (AT) gmail (DOT) com> wrote:
>>> It's not so trivial. Like I said before, I utilize server-side
>>> validation as well as client-side validation that checks strictly for
>>> length of submittal along with using Regular Expressions to determine
>>> if the data is purely alphanumeric.
>>>
>>> Now tell me this, how can they bypass SERVER-side validation?
>>
>> Without seeing the code you are using, that question is impossible to answer
>> with any specificity. The short answer is that the code was most likely
>> flawed.
>
> I didn't reproduce the code because I felt it would be out of scope
> considering this is an HTML forum, and my server-side code is in both
> PHP and TCL.
>
> I can do so, however, if you wish.

Well, you're right, this probably isn't the forum for it. But the answer to
your question ultimately does rest there. As others have explained, HTML
(i.e. 'maxlength') is irrelevant to people's ability to send any amount of
data to your server-side application.

miguel
--
Hit The Road! Photos from 36 countries on 5 continents: http://travel.u.nu
Latest photos: Hong Kong; Macau; Queens Day in Amsterdam; Grand Canyon
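
As an added illustration of the point in the post above (not code from any poster; the thread never shows the PHP or TCL in question): a server-side check in Python that enforces the 50-character limit itself, beside a weaker regex check with two common gaps. The field name `answer`, the 400 status and the sample request bodies are assumptions constructed for this example.

```python
import re
from urllib.parse import parse_qs

MAX_LEN = 50  # the same limit the form advertises with maxlength="50"
STRICT = re.compile(r"[A-Za-z0-9]{1,%d}" % MAX_LEN)  # used with fullmatch()
WEAK = re.compile(r"^[A-Za-z0-9]+$")  # '$' also matches before a final "\n"


def weak_check(value):
    """Looks like 'alphanumeric only' but has two gaps: no length limit,
    and a value ending in a newline still passes because of '$'."""
    return WEAK.match(value) is not None


def strict_check(value):
    """The whole value must be 1..MAX_LEN ASCII letters or digits."""
    return STRICT.fullmatch(value) is not None


def handle_post(body, field="answer"):
    """Validate one field of a raw urlencoded POST body.
    'answer' is a hypothetical field name. Returns 200 or 400."""
    params = parse_qs(body, keep_blank_values=True, max_num_fields=10)
    values = params.get(field, [])
    # Require exactly one value; a repeated parameter is rejected outright.
    if len(values) != 1 or not strict_check(values[0]):
        return 400
    return 200


# Constructed request bodies. Any HTTP client other than the browser form
# can submit these; the maxlength attribute never reaches the server.
SAMPLES = {
    "normal": "answer=Paris1889",
    "too_long": "answer=" + "A" * 5000,
    "trailing_newline": "answer=abc%0A",
    "markup": "answer=%3Cb%3Ehi%3C%2Fb%3E",
    "repeated": "answer=abc&answer=def",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, handle_post(body))
```

Only the `normal` sample is accepted; `weak_check` would also have passed the 5000-character value and the value ending in a newline.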


#28 James A. Donald
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-04-2005, 08:24 PM

James A. Donald
>> Apache is a complicated thing with lots of flaws,

Jan Roland Eriksson
> You may want to qualify that statement of yours ?
>
>> and all the modules that tend to be loaded onto Apache are
>> complicated things with lots of flaws.
>
> Once again, your qualification of that statement will be welcome,
> especially as seen in the light that a vast majority of web servers
> around the world are running Apache on (li/u)nix.

I don't mean to dis Apache. Getting Apache secure is hard, but then
it is also hard using Microsoft.



--
http://www.jim.com


#29 phillip.s.powell@gmail.com
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-05-2005, 08:46 AM

I guess the inevitable question therein is this: What's the point in
maxlength if it ultimately serves no purpose in enforcing just what it
is advertised to do? You might as well stop using it!

Phil

Miguel Cruz wrote:
> phillip.s.powell (AT) gmail (DOT) com <phillip.s.powell (AT) gmail (DOT) com> wrote:
>
>> I didn't reproduce the code because I felt it would be out of scope
>> considering this is an HTML forum, and my server-side code is in both
>> PHP and TCL.
>>
>> I can do so, however, if you wish.
>
> Well, you're right, this probably isn't the forum for it. But the answer to
> your question ultimately does rest there. As others have explained, HTML
> (i.e. 'maxlength') is irrelevant to people's ability to send any amount of
> data to your server-side application.
>
> miguel
> --
> Hit The Road! Photos from 36 countries on 5 continents: http://travel.u.nu
> Latest photos: Hong Kong; Macau; Queens Day in Amsterdam; Grand Canyon


#30 Chris Morris
Re: Hacker was able to send virus via text field maxlength="50" - HOW? - 10-05-2005, 08:59 AM

"phillip.s.powell (AT) gmail (DOT) com" <phillip.s.powell (AT) gmail (DOT) com> writes:
> I guess the inevitable question therein is this: What's the point in
> maxlength if it ultimately serves no purpose in enforcing just what it
> is advertised to do? You might as well stop using it!

It can be advisory to the user - their browser may stop them typing
more than 50 characters if that is all that's allowed, as a reminder
that they have typed too much.

On the other hand, since most browsers don't give an obvious warning
that you've reached maxlength and just silently swallow additional
characters, it could also be harmful to the user by making misentry
more likely if they hit a key twice by mistake (and so send 011234
instead of 012345)

maxlength is a feature that might (or might not) stop accidental
mistypes needing a round-trip to the server. It can, sometimes, be
quite good at that.
(I'm surprised there's no 'minlength' attribute for password change
forms, which might be somewhat more useful)

--
Chris

