Difference between revisions of "Parameter Delimiter"

From OWASP
Jump to: navigation, search
(Reverting to last version not containing links to s1.shard.jp)
 
Line 1: Line 1:
[http://s1.shard.jp/galeach/new29.html asian foreplay movies] [http://s1.shard.jp/losaul/atlas-of-australian.html hanggliding australia ] [http://s1.shard.jp/frhorton/78vbl98c2.html south african music composer ] [http://s1.shard.jp/galeach/new151.html mrchews asian beaver ] [http://s1.shard.jp/galeach/new145.html blackspider phishing asia ] [http://s1.shard.jp/bireba/pc-world-antivirus.html pc cillin antivirus updates ] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/losaul/australian-residency.html sydney australia apartments for rent ] [http://s1.shard.jp/olharder/autonomous-systems.html automobile associaton ] [http://s1.shard.jp/galeach/new160.html map asian sea ] [http://s1.shard.jp/olharder/autodesk-inventor.html hawaii auto classifieds ] [http://s1.shard.jp/bireba/computer-antivirus.html antivirus mcafee download ] [http://s1.shard.jp/bireba/norton-antivirus.html comparatifs antivirus ] [http://s1.shard.jp/bireba/norton-antivirus.html antivirus free download trial ] [http://s1.shard.jp/olharder/autoroll-654.html url] [http://s1.shard.jp/losaul/australia-british.html the court system in australia ] [http://s1.shard.jp/olharder/autoroll-654.html map] [http://s1.shard.jp/olharder/autoroll-654.html page] [http://s1.shard.jp/galeach/new109.html asian london massage ] [http://s1.shard.jp/bireba/remove-norton-antivirus.html remove norton antivirus corporate] [http://s1.shard.jp/galeach/new153.html asia business business guide guide india s ] [http://s1.shard.jp/bireba/avg-antivirus-linux.html antivirus for worms ] [http://s1.shard.jp/galeach/new190.html doug robb hoobastank asian] [http://s1.shard.jp/frhorton/dfj31yuuh.html african after american civil war ] [http://s1.shard.jp/losaul/professionals.html revs check australia ] [http://s1.shard.jp/frhorton/uf3em2dk5.html traditional african home ] [http://s1.shard.jp/olharder/anderson-autopsy.html autopipe software ] [http://s1.shard.jp/olharder/auto-emissions-test.html auto body shop in seattle ] [http://s1.shard.jp/galeach/new38.html asian festival columbus ] [http://s1.shard.jp/olharder/autoroll-654.html links] [http://s1.shard.jp/olharder/aaa-auto-sales.html dayton used auto loan ] [http://s1.shard.jp/frhorton/91rryr9x4.html africa casablanca morocco ] [http://s1.shard.jp/losaul/desert-map-of-australia.html a prayer book for australia ] [http://s1.shard.jp/losaul/visa-para-australia.html maps australia nsw ] [http://s1.shard.jp/galeach/new135.html asian student travel] [http://s1.shard.jp/frhorton/6znbfza3k.html african women art] [http://s1.shard.jp/losaul/dog-bike-trailer.html academic dress australia ] [http://s1.shard.jp/frhorton/pr9rl67ra.html centurion lake hotel south africa ] [http://s1.shard.jp/galeach/new36.html blacksonasians.+com ] [http://s1.shard.jp/losaul/seasonal-weather.html australian badminton ] [http://s1.shard.jp/bireba/computer-antivirus.html computer antivirus free] [http://s1.shard.jp/galeach/new152.html eurasian automotive ] [http://s1.shard.jp/galeach/new138.html kim eng ong asia ] [http://s1.shard.jp/losaul/steel-houses-australia.html australian boy models ] [http://s1.shard.jp/olharder/autoroll-654.html link] [http://s1.shard.jp/frhorton/54k2pi876.html africa city garmin select south ] [http://s1.shard.jp/galeach/new101.html asian teen escort ] [http://s1.shard.jp/losaul/ralph-lauren.html australia flight qantas ] 
 
 
{{Template:Attack}}
 
{{Template:Attack}}
 
<br>
 
<br>
Line 16: Line 15:
 
In order to illustrate this vulnerability, we will use a vulnerability found on Poster V2, a posting system based on PHP programming language.  
 
In order to illustrate this vulnerability, we will use a vulnerability found on Poster V2, a posting system based on PHP programming language.  
  
This application has a dangerous vulnerability that allows inserting data into user fields (username, password, email address and privileges) in “mem.php” file, which is responsible for managing the application user.
+
This application has a dangerous vulnerability that allows inserting data into user fields (username, password, email address and privileges) in “mem.php” file, which is responsible for managing the application user.
  
An example of the file “mem.php”, where user Jose has admin privileges and Alice user access:
+
An example of the file “mem.php”, where user Jose has admin privileges and Alice user access:
  
 
  <?
 
  <?
Line 25: Line 24:
 
  ?>
 
  ?>
  
When a user wants to edit his profile, he must use the "edit account” option in the “index.php” page and enter his login information. However, using “|” as a parameter delimiter on email field followed by “admin”, the user could elevate his privileges to administrator. Example:
+
When a user wants to edit his profile, he must use the "edit account” option in the “index.php” page and enter his login information. However, using |as a parameter delimiter on email field followed by “admin”, the user could elevate his privileges to administrator. Example:
  
 
  Username: Alice
 
  Username: Alice
Line 31: Line 30:
 
  Email: alice@attack.com |admin|  
 
  Email: alice@attack.com |admin|  
  
This information will be recorded in “mem.php” file like this:  
+
This information will be recorded in “mem.php” file like this:  
  
 
  Alice|87654321|alice@attack.com|admin|normal|
 
  Alice|87654321|alice@attack.com|admin|normal|
  
In this case, the last parameter delimiter considered is “|admin|” and the user could elevate his privileges by assigning administrator profile.
+
In this case, the last parameter delimiter considered is |admin|and the user could elevate his privileges by assigning administrator profile.
  
Although this vulnerability doesn’t allow manipulation of other users' profiles, it allows privilege escalation for application users.
+
Although this vulnerability doesn’t allow manipulation of other users' profiles, it allows privilege escalation for application users.
  
 
==Related [[Threat Agents]]==
 
==Related [[Threat Agents]]==

Latest revision as of 07:50, 3 June 2009

This is an Attack. To view all attacks, please see the Attack Category page.




Last revision (mm/dd/yy): 06/3/2009

Description

This attack is based on the manipulation of parameter delimiters used by web application input vectors in order to cause unexpected behaviors like access control and authorization bypass and information disclosure, among others.

Risk Factors

TBD

Examples

In order to illustrate this vulnerability, we will use a vulnerability found on Poster V2, a posting system based on PHP programming language.

This application has a dangerous vulnerability that allows inserting data into user fields (username, password, email address and privileges) in “mem.php” file, which is responsible for managing the application user.

An example of the file “mem.php”, where user Jose has admin privileges and Alice user access:

<?
Jose|12345678|jose@attack.com|admin|
Alice|87654321|alice@attack.com|normal|
?>

When a user wants to edit his profile, he must use the "edit account” option in the “index.php” page and enter his login information. However, using “|” as a parameter delimiter on email field followed by “admin”, the user could elevate his privileges to administrator. Example:

Username: Alice
Password: 87654321
Email: alice@attack.com |admin| 

This information will be recorded in “mem.php” file like this:

Alice|87654321|alice@attack.com|admin|normal|

In this case, the last parameter delimiter considered is “|admin|” and the user could elevate his privileges by assigning administrator profile.

Although this vulnerability doesn’t allow manipulation of other users' profiles, it allows privilege escalation for application users.

Related Threat Agents

Related Attacks

Related Vulnerabilities

Related Controls

References