
Mailing List Archive: ModPerl: ModPerl

parameters taintness

 

 



appar at netvision

Apr 21, 2008, 8:27 AM

Post #1 of 16 (965 views)
Permalink
parameters taintness

Hey there,

I’m looking for more information on this subject.
I’m using mod_perl2 and apache2.

Currently what I’m trying to do is to make both the page and the DBI module
tainted-enabled.

I have -t enabled in httpd.conf
and {Taint => 1} upon the DBI connection call.

I’ve made modifications to a test case page, which was a perfect replica of
a real “commercial” page,
so now supposedly all $apr->param() parameters are no longer tainted after
numerous regexp equations and a temporary hash table that holds all data.

Problem is,
when DBI “Taint” is on, the page is completely stuck and I cannot find any
errors or warnings in the error_log.

Any recommendations / different techniques?

Thanks.




perrin at elem

Apr 21, 2008, 8:24 AM

Post #2 of 16 (940 views)
Permalink
Re: parameters taintness [In reply to]

On Mon, Apr 21, 2008 at 12:21 PM, Eli Shemer <appar[at]netvision.net.il> wrote:
> Problem is,
>
> When DBI "Taint" is on, the page is completely stuck and I cannot find any
> errors or warning in the error_log.

Can you be a little more descriptive? What does "stuck" mean in this case?

- Perrin


perrin at elem

Apr 21, 2008, 8:43 AM

Post #3 of 16 (940 views)
Permalink
Re: parameters taintness [In reply to]

On Mon, Apr 21, 2008 at 12:27 PM, Eli Shemer <appar[at]netvision.net.il> wrote:
> Stuck meaning that I cannot logon to my web site at all.
> I have to close the explorer and open it again.

Ok, you need to do some debugging. First I'd try connecting with
telnet or a command-line browser like lwp-request so you can see how
far it's getting. You also need to put some warn statements in or use
the debugger to find out what line it stops executing on.

- Perrin


perrin at elem

Apr 21, 2008, 8:53 AM

Post #4 of 16 (944 views)
Permalink
Re: parameters taintness [In reply to]

On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer <appar[at]netvision.net.il> wrote:
> It's stuck on "Waiting for... " in the status bar

Step away from the browser. If you've never learned how to debug a
web request with telnet or lwp-request, this is a good time to learn.
Just google "telnet 80 debugging" or something similar to find some
guides to get you started.

- Perrin


wrowe at rowe-clan

Apr 21, 2008, 9:04 AM

Post #5 of 16 (940 views)
Permalink
Re: parameters taintness [In reply to]

Perrin Harkins wrote:
> On Mon, Apr 21, 2008 at 12:45 PM, Eli Shemer <appar[at]netvision.net.il> wrote:
>> It's stuck on "Waiting for... " in the status bar
>
> Step away from the browser. If you've never learned how to debug a
> web request with telnet or lwp-request, this is a good time to learn.
> Just google "telnet 80 debugging" or something similar to find some
> guides to get you started.

:) netcat is actually more useful than telnet, it's quite a bit more
scriptable. lwp-request and netcat are the only tools I use unless I
really can't shoehorn netcat onto someone else's box.


appar at netvision

Apr 21, 2008, 9:27 AM

Post #6 of 16 (943 views)
Permalink
RE: parameters taintness [In reply to]

Stuck meaning that I cannot logon to my web site at all.
I have to close the explorer and open it again.

It's as if the web server recognized me as a malicious user and blocked me
out




appar at netvision

Apr 21, 2008, 9:45 AM

Post #7 of 16 (943 views)
Permalink
RE: parameters taintness [In reply to]

It's stuck on "Waiting for... " in the status bar



davidnicol at gmail

Apr 21, 2008, 10:17 AM

Post #8 of 16 (939 views)
Permalink
Re: parameters taintness [In reply to]

On Mon, Apr 21, 2008 at 1:02 PM, Eli Shemer <appar[at]netvision.net.il> wrote:

> Using telnet/netcat is nice but it will be a nightmare to write a
> debugger
> script that will simulate all of the operations up to that point. (login,
> submission of data to the page)



http://search.cpan.org/author/PETDANCE/WWW-Mechanize-1.34/lib/WWW/Mechanize/FAQ.pod


appar at netvision

Apr 21, 2008, 10:20 AM

Post #9 of 16 (938 views)
Permalink
RE: parameters taintness [In reply to]

Well, for now I've diagnosed it to crook due to the cookies/session
operation.
Because once I remove the cookie from my browser, everything works
correctly
(if I logged on to the suspicious page just before).

It seems reasonable in theory that DBI's taintedness operation finds the
session/cookie grabbing and setting as problematic and untrustworthy,
although it's not a GET/POST parameter but a simple %cookies = fetch
CGI::Cookie;

For general reference, these are the modules I have on the test page:
use strict;
use Apache::Session::MySQL;
use CGI::Cookie;
use Scalar::Util::Numeric qw(isnum);
use Apache2::Cookie;
use Apache2::Request;
use Apache2::Connection;

Even if the DBI considers the cookie/session functions as tainted, and
indeed the page cannot be loaded,
why on earth will it continue to work like that in other pages?
It's as if I enter this page one time, and since then all other pages are
tainted-enabled also,
and I have to remove the cookie.

I really would like to get DBI to scream out when it finds a tainted
variable,
not hold the entire operation and withhold any further information.

Using telnet/netcat is nice but it will be a nightmare to write a debugger
script that will simulate all of the operations up to that point (login,
submission of data to the page).



perrin at elem

Apr 21, 2008, 10:36 AM

Post #10 of 16 (942 views)
Permalink
Re: parameters taintness [In reply to]

On Mon, Apr 21, 2008 at 2:02 PM, Eli Shemer <appar[at]netvision.net.il> wrote:
> Well, for now I've diagnosed it to crook due to the cookies/session
> operation.
> Because once I remove the cookie from my browser, everything works
> correctly.

Ok, but you need to find what line in your code is having the problem
if you want help fixing it.

> I really would like to get DBI to scream out when it finds a tainted
> variable,
> not hold the entire operation and withhold any further information.

It would. It's not clear from what you've said so far that your
problem is related to DBI or to tainting.

> Using telnet/netcat is nice but it will be a nightmare to write a debugger
> script that will simulate all of the operations up to that point. (login,
> submission of data to the page)

Then use a logging proxy that will let you see the actual data going
back and forth.

- Perrin


perrin at elem

Apr 21, 2008, 11:12 AM

Post #11 of 16 (940 views)
Permalink
Re: parameters taintness [In reply to]

On Mon, Apr 21, 2008 at 2:53 PM, Eli Shemer <appar[at]netvision.net.il> wrote:
> I summed it down to this line of code
>
> my $id = $cookies{ANONYMOUS_ID}->value;
> if ($id =~ m/(.+)/) { $id=$1; }
>
> tie %session, 'Apache::Session::MySQL', $id,
> {
> Handle => $dbh,
> LockHandle => $dbh
> };

You need to wrap that tie call in an eval, as shown in the
Apache::Session documentation. If it hangs rather than just failing,
the problem most likely has to do with the locking behavior.

- Perrin


appar at netvision

Apr 21, 2008, 11:53 AM

Post #12 of 16 (941 views)
Permalink
RE: parameters taintness [In reply to]

I summed it down to this line of code

my $id = $cookies{ANONYMOUS_ID}->value;
if ($id =~ m/(.+)/) { $id=$1; }

tie %session, 'Apache::Session::MySQL', $id,
{
Handle => $dbh,
LockHandle => $dbh
};


%session is empty at this point, $dbh is a reference to the database,
and $id was double checked.

Note that when I remove the TaintIn parameter in the DBI->connect, the page
works with the above code.




appar at netvision

Apr 21, 2008, 12:04 PM

Post #13 of 16 (941 views)
Permalink
RE: parameters taintness [In reply to]

$dbh = DBI->connect("DBI:mysql:[bla]:localhost","[bla]","[bla]",{Taint => 0})
    or die "Cannot connect to database: $DBI::errstr";

Doesn’t work.
I'm starting to suspect some weird DBI bug.


Works:
$dbh = DBI->connect("DBI:mysql:[bla]:localhost","[bla]","[bla]")
    or die "Cannot connect to database: $DBI::errstr";



appar at netvision

Apr 21, 2008, 12:20 PM

Post #14 of 16 (937 views)
Permalink
RE: parameters taintness [In reply to]

eval{
tie %session, 'Apache::Session::MySQL', $id,
{
Handle => $dbh,
LockHandle => $dbh
};
}

Same behavior as I previously mentioned when the Tainted is enabled in
DBI->Connect



perrin at elem

Apr 22, 2008, 12:39 PM

Post #15 of 16 (908 views)
Permalink
Re: parameters taintness [In reply to]

On Mon, Apr 21, 2008 at 3:48 PM, Eli Shemer <appar[at]netvision.net.il> wrote:
> eval{
>
> tie %session, 'Apache::Session::MySQL', $id,
> {
> Handle => $dbh,
> LockHandle => $dbh
> };
> }
>
> Same behavior as I previously mentioned when the Tainted is enabled in
> DBI->Connect

I think you should try writing a command-line script using DBI and see
if you get the same behavior.

- Perrin


appar at netvision

Apr 22, 2008, 8:29 PM

Post #16 of 16 (901 views)
Permalink
RE: parameters taintness [In reply to]

Well,

Indeed it probably got stuck every time due to the locking issue, but that
doesn’t really matter.
What I actually wanted was a mechanism to alert me when my variables are
not safe enough to work with, but I could not do that.
I never got any warning in the error_log and I still don’t know how to get
DBI to do that.

But regardless, I've stress checked my variables since, manually, and I've
used SQL injection tools that try to penetrate sites. Namely, my own.



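Added example, not code from any poster in this thread: a command-line check, in the spirit of the "command-line script" suggestion above, that reports whether a value is still tainted before it reaches a session or DBI call, and compares the thread's `m/(.+)/` untaint with an allow-list pattern. The sub names and sample values are constructed for illustration, and the 32-hex-character ID shape is an assumption about the default Apache::Session ID format.

```perl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint tracking exists only when perl runs with -T
# (assumed mod_perl2 setting: PerlSwitches -T in httpd.conf).
die "run as: perl -T <this script>\n" unless ${^TAINT};

# Zero-length tainted string: appending it taints a constructed sample the
# same way a cookie or request parameter arrives tainted.
my $TAINT = substr("$0$^X", 0, 0);

# Pattern used in the thread: matches any non-empty input, so it clears the
# taint flag without validating anything.
sub untaint_any {
    my ($v) = @_;
    if ($v =~ m/(.+)/) { return $1 }
    return undef;
}

# Allow-list: untaint only the expected shape (assumed: 32 hex characters).
sub untaint_session_id {
    my ($v) = @_;
    if ($v =~ /\A([0-9a-fA-F]{32})\z/) { return $1 }
    return undef;
}

# Report a value's state; under mod_perl, warn() output goes to error_log.
sub check {
    my ($label, $v) = @_;
    my $state = !defined $v ? 'rejected' : tainted($v) ? 'TAINTED' : 'clean';
    warn sprintf("%-22s %s\n", $label, $state);
    return $state;
}

# Constructed sample cookie values (not taken from the thread).
my %samples = (
    valid_id  => '0123456789abcdef0123456789abcdef' . $TAINT,
    injection => q{x' OR '1'='1} . $TAINT,
);

for my $name (sort keys %samples) {
    my $raw = $samples{$name};
    check("$name raw",        $raw);
    check("$name via (.+)",   untaint_any($raw));
    check("$name allow-list", untaint_session_id($raw));
}
```

Both samples come back "clean" from the `(.+)` version, so taint mode has nothing left to flag by the time the value reaches `tie` or DBI; only the allow-list version rejects the malformed value.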