Apache Security - Ivan Ristic [152]

# a map stored in a file on disk
RewriteMap allowed_urls txt:/usr/local/apache/conf/allowed_urls.map

# Try to determine if the value of variable "$0" (populated with the
# request URI in this case) appears in the rewrite map we defined
# in the previous step. If there is a match the value of the
# "${allowed_urls:$0|notfound}" variable will be replaced with the
# second token in the map (always "-" in our case). In all other cases
# the variable will be replaced by the default value, the string that
# follows the pipe character in the variable - "notfound".
RewriteCond ${allowed_urls:$0|notfound} ^notfound$

# Reject the incoming request when the previous rewrite
# condition evaluates to true.
RewriteRule .* - [forbidden]
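To make the behaviour of the map lookup concrete, here is an added example (not part of the book, and not Apache's own map code) that models the `txt:` map file, the `${allowed_urls:$0|notfound}` lookup with its default, and the resulting allow/forbid decision in Python. The map contents and the request URIs are constructed; the assumption that only the URL path (not the query string) is matched follows from `$0` being the RewriteRule pattern match.

```python
# Constructed stand-in for /usr/local/apache/conf/allowed_urls.map.
# A txt: map holds one "key value" pair per line; '#' starts a comment.
ALLOWED_URLS_MAP = """\
# allowed_urls.map -- only these URLs may reach the application
/index.php -
/login.php -
/view_customer.php -
"""


def parse_txt_map(text):
    """Parse a txt:-style map into a dict of key -> value."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 1)  # key, then the rest as the value
        if len(fields) != 2:
            continue  # malformed line: ignore rather than treat as allowed
        key, value = fields
        entries[key] = value.strip()
    return entries


def map_lookup(entries, key, default):
    """Model of ${mapname:key|default}: value if present, else the default."""
    return entries.get(key, default)


def decide(entries, request_uri):
    """Model of the RewriteCond/RewriteRule pair above.

    The condition matches when the lookup falls back to "notfound",
    and a matching condition makes the rule reject the request.
    """
    path = request_uri.split("?", 1)[0]  # assumption: $0 is the URL path only
    value = map_lookup(entries, path, "notfound")
    return "forbidden" if value == "notfound" else "allowed"


if __name__ == "__main__":
    table = parse_txt_map(ALLOWED_URLS_MAP)
    for uri in ("/view_customer.php?id=1", "/admin.php"):
        print(uri, "->", decide(table, uri))
```

The point of the default value is that it turns a missing key into a string the condition can match against, so an unknown URL is denied by default instead of slipping through; any URL not explicitly listed in the map file is rejected.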

Injection Flaws

Finally, we reach a type of flaw that can cause serious damage. If you thought the flaws we have covered were mostly harmless you would be right. But those flaws were a preparation (in this book, and in successful compromise attempts) for what follows.

Injection flaws get their name because when they are used, malicious user-supplied data flows through the application, crosses system boundaries, and gets injected into another system component. System boundaries can be tricky because a text string that is harmless for PHP can turn into a dangerous weapon when it reaches a database.

Injection flaws come in as many flavors as there are component types. Three flaws are particularly important because practically every web application can be affected:

SQL injection

When an injection flaw causes user input to modify an SQL query in a way that was not intended by the application author

Cross-site scripting (XSS)

When an attacker gains control of a user browser by injecting HTML and JavaScript code into the page

Operating system command execution

When an attacker executes shell commands on the server

Other types of injection are also feasible. Papers covering LDAP injection and XPath injection are listed in Section 10.9.

SQL Injection

SQL injection attacks are among the most common because nearly every web application uses a database to store and retrieve data. Injections are possible because applications typically use simple string concatenation to construct SQL queries, but fail to sanitize input data.
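The following is an added example, not code from the book, that shows the mechanism described above on the book's two-table bank schema: the same lookup written with string concatenation and with a bound parameter, plus an input check in front of it. It uses Python's built-in sqlite3 instead of MySQL so that it runs stand-alone; the query shape (looking a customer up by id) and the sample input values are assumptions.

```python
import sqlite3

# Constructed copy of the book's schema and rows (sqlite3 in place of MySQL).
SCHEMA = """
CREATE TABLE customers (
    customerid INTEGER NOT NULL,
    username   CHAR(32) NOT NULL,
    password   CHAR(32) NOT NULL,
    PRIMARY KEY (customerid)
);
INSERT INTO customers VALUES (1, 'ivanr', 'secret');
INSERT INTO customers VALUES (2, 'jelena', 'alsosecret');
CREATE TABLE accounts (
    accountid  INTEGER NOT NULL,
    customerid INTEGER NOT NULL,
    balance    DECIMAL(9, 2) NOT NULL,
    PRIMARY KEY (accountid)
);
INSERT INTO accounts VALUES (1, 1, 1000.00);
INSERT INTO accounts VALUES (2, 2, 2500.00);
"""


def open_db():
    """Create an in-memory database populated with the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def username_concat(db, customerid):
    """Vulnerable form: the request parameter becomes part of the SQL text,
    so anything the caller supplies is parsed as SQL, not as a value."""
    query = "SELECT username FROM customers WHERE customerid = " + customerid
    return sorted(row[0] for row in db.execute(query))


def username_param(db, customerid):
    """Fixed form: the value is bound separately and never parsed as SQL."""
    query = "SELECT username FROM customers WHERE customerid = ?"
    return sorted(row[0] for row in db.execute(query, (customerid,)))


def username_validated(db, customerid):
    """Defence in depth: refuse anything that is not a plain integer before
    the database is ever consulted."""
    if not isinstance(customerid, str) or not customerid.isdigit():
        raise ValueError("customerid must be a positive integer")
    return username_param(db, int(customerid))


if __name__ == "__main__":
    db = open_db()
    for value in ("1", "1 OR 1=1"):
        print(repr(value), "concat:", username_concat(db, value),
              "param:", username_param(db, value))
```

With the well-formed input `"1"` both functions return only `ivanr`. With the constructed input `"1 OR 1=1"` the concatenated query's WHERE clause becomes a tautology and returns every customer, whereas the parameterised query compares the whole string against the integer column and matches nothing; the validating wrapper rejects it before any query is built.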

A working example

SQL injections are fun if you are not at the receiving end. We will use a complete programming example and examine how these attacks take place. We will use PHP and MySQL 4.x. You can download the code from the book web site, so do not type it.

Create a database with two tables and a few rows of data. The database represents an imaginary bank where my wife and I keep our money.

CREATE DATABASE sql_injection_test;
USE sql_injection_test;

CREATE TABLE customers (
    customerid INTEGER NOT NULL,
    username CHAR(32) NOT NULL,
    password CHAR(32) NOT NULL,
    PRIMARY KEY(customerid)
);

INSERT INTO customers ( customerid, username, password )
    VALUES ( 1, 'ivanr', 'secret' );
INSERT INTO customers ( customerid, username, password )
    VALUES ( 2, 'jelena', 'alsosecret' );

CREATE TABLE accounts (
    accountid INTEGER NOT NULL,
    customerid INTEGER NOT NULL,
    balance DECIMAL(9, 2) NOT NULL,
    PRIMARY KEY(accountid)
);

INSERT INTO accounts ( accountid, customerid, balance )
    VALUES ( 1, 1, 1000.00 );
INSERT INTO accounts ( accountid, customerid, balance )
    VALUES ( 2, 2, 2500.00 );

Create a PHP file named view_customer.php with the following code inside, and set the values of the variables at the top of the file as appropriate to enable the script to establish a connection to your database:

$dbhost = "localhost";
$dbname = "sql_injection_test";
$dbuser = "root";
$dbpass = "";

// connect to the database engine
if (!mysql_connect($dbhost, $dbuser, $dbpass)) {
    die("Could not connect: " . mysql_error());
}

// select the database
if (!mysql_select_db($dbname)) {
    die("Failed to select database $dbname:" . mysql_error());
}

// construct and execute query
$query = "SELECT username
