Parameter Delimiter


Last revision (mm/dd/yy): //

Description
This attack is based on the manipulation of parameter delimiters used by web application input vectors in order to cause unexpected behaviors like access control and authorization bypass and information disclosure, among others.

Risk Factors
TBD

Examples
In order to illustrate this vulnerability, we will use a vulnerability found on Poster V2, a posting system based on PHP programming language.

This application has a dangerous vulnerability that allows inserting data into the user fields (username, password, email address and privileges) of the "mem.php" file, which is responsible for managing the application's users.

An example of the "mem.php" file, where user Jose has admin privileges and Alice has normal user access:

<?
Jose|12345678|jose@attack.com|admin|
Alice|87654321|alice@attack.com|normal|
?>

When a user wants to edit his profile, he must use the "edit account" option on the "index.php" page and enter his login information. However, by using "|" as a parameter delimiter in the email field, followed by "admin", the user could elevate his privileges to administrator. Example:

Username: Alice
Password: 87654321
Email: alice@attack.com|admin|

This information will be recorded in the "mem.php" file like this:

Alice|87654321|alice@attack.com|admin|normal|

In this case, the application reads the fourth field, "|admin|", as the privilege parameter, so the user has elevated his privileges by assigning himself the administrator profile.

Although this vulnerability does not allow manipulation of other users' profiles, it allows privilege escalation for application users.
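The following Python model of the pipe-delimited user store is an added example, not code from Poster V2 or from the original page. It reproduces the positional parsing the description attributes to "mem.php", shows how the submitted email value from the example shifts the privilege field, and contrasts the unchecked profile update with a hardened one that rejects delimiter characters and never takes the privilege from user input. The record store, field names and helper functions are assumptions made for the example.

```python
"""Pipe-delimited user store modelled on the mem.php format described above (added example)."""
import re

DELIM = "|"
NUM_FIELDS = 4                          # username, password, email, privilege
ALLOWED_PRIVILEGES = {"admin", "normal"}  # assumed set of valid privilege values
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample store, one record per line, mirroring the page's example.
STORE = [
    "Jose|12345678|jose@attack.com|admin|",
    "Alice|87654321|alice@attack.com|normal|",
]


class InvalidField(ValueError):
    """Raised by the hardened update when a submitted value is not acceptable."""


def parse_record(line):
    """Split a stored line into positional fields.

    Like the vulnerable application, this trusts the position of each field:
    whatever lands in the fourth slot is taken as the privilege.
    """
    parts = line.strip().split(DELIM)
    return {"username": parts[0], "password": parts[1],
            "email": parts[2], "privilege": parts[3]}


def serialize_record(username, password, email, privilege):
    """Join the fields with the delimiter; a well-formed line ends with one."""
    return DELIM.join((username, password, email, privilege)) + DELIM


def edit_profile_unsafe(store, username, password, email):
    """Vulnerable update: submitted values are written without any check,
    so an email containing '|' inserts extra fields into the record."""
    updated = []
    for line in store:
        rec = parse_record(line)
        if rec["username"] == username:
            line = serialize_record(username, password, email, rec["privilege"])
        updated.append(line)
    return updated


def validate_field(name, value):
    """Reject values that could break the record format."""
    if not value:
        raise InvalidField(f"{name} must not be empty")
    if DELIM in value or "\n" in value or "\r" in value:
        raise InvalidField(f"{name} contains a delimiter or line break")


def edit_profile_safe(store, username, password, email):
    """Hardened update: every submitted field is validated, the email must match
    an expected shape, and the privilege is always carried over from the
    existing record rather than taken from the request."""
    for name, value in (("username", username), ("password", password), ("email", email)):
        validate_field(name, value)
    if not EMAIL_RE.fullmatch(email):
        raise InvalidField("email has an unexpected format")
    updated = []
    for line in store:
        rec = parse_record(line)
        if rec["username"] == username:
            line = serialize_record(username, password, email, rec["privilege"])
        updated.append(line)
    return updated


def audit_store(store):
    """Detection aid: return lines whose field count or privilege value does not
    match the schema, which is what delimiter injection leaves behind."""
    suspicious = []
    for line in store:
        parts = line.strip().split(DELIM)
        well_formed = (len(parts) == NUM_FIELDS + 1 and parts[-1] == ""
                       and parts[3] in ALLOWED_PRIVILEGES)
        if not well_formed:
            suspicious.append(line)
    return suspicious


if __name__ == "__main__":
    tampered = edit_profile_unsafe(STORE, "Alice", "87654321", "alice@attack.com|admin")
    print("stored line :", tampered[1])
    print("read back as:", parse_record(tampered[1])["privilege"])
    print("audit flags :", audit_store(tampered))
```

Running the module reproduces the stored line from the page and shows the audit flagging it; the hardened path refuses the same input before anything is written. Storing records in a format with proper quoting (or a database) removes the class of problem entirely, but where a delimited flat file must stay, the two controls that matter are the allowlist on the privilege value and the rejection of the delimiter in every user-supplied field.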

Related Threat Agents

 * Category: Authorization
 * Category: Command Execution

Related Attacks

 * Category:Injection Attack

Related Vulnerabilities

 * Category: Input Validation Vulnerability

Related Controls

 * Category: Input Validation