This is a discussion on "idea for "securing" Robs FormFunction" within the Classic ASP section. This forum, and the thread "idea for "securing" Robs FormFunction are both part of the Program Your Website category.
idea for "securing" Robs FormFunction
#1
idea for "securing" Robs FormFunction
So, Rob wrote this really cool set of functions that convert form variables, cookies, and query strings to variables, hidden form fields and cookies.
Sample of Rob's code:

    <%
    function GetVariables(type1,type2)
        if lcase(type1)="form" or lcase(type2)="form" or lcase(type1)="all" then
            For Each Field In Request.Form
                TheString = Field & "=Request.Form(""" & Field & """)"
                Execute(TheString) 'Executes the command contained in the string (This will set all VBScript variables)
            Next
        end if
        if lcase(type1)="cookies" or lcase(type2)="cookies" or lcase(type1)="all" then
            For Each Field In Request.cookies
                TheString = Field & "=Request.cookies(""" & Field & """)"
                Execute(TheString) 'Executes the command contained in the string (This will set all VBScript variables)
            Next
        end if
        if lcase(type1)="querystring" or lcase(type2)="querystring" or lcase(type1)="all" then
            For Each Field In Request.querystring
                TheString = Field & "=Request.querystring(""" & Field & """)"
                Execute(TheString) 'Executes the command contained in the string (This will set all VBScript variables)
            Next
        end if
    END function
    %>

I wrote him to say that I added a functionality, which was to print the data to the screen because it's very useful for debugging. He said that he doesn't distribute it anymore because of the security issues. I know that one of the big ones is joining SQL onto the end of strings that will be used as variables and to throw text into a numeric field to get the DB engine to throw an error (or run the SQL). In my searching of the web, I found this really cool function that I think largely circumvents this on a string-by-string basis. It looks like this: (it also converts multiple spaces to single spaces because of what I'm doing with my data)

    <%
    'a function to replace single quotes with two single quotes to pass the SQL engine,
    'because I didn't want to keep typing it
    'also looks for pipe and percent as recommended on experts-exchange.com
    function switchQuotes(text)
        text = Trim(text)
        text = Replace(text, "'", "''")      ' double each single quote for the SQL engine
        text = Replace(text, vbCrLf, " ")    ' CR+LF first, so the LF replacement below does not split it
        text = Replace(text, vbLf, " ")      ' the posted code used "\n"; VBScript has no backslash escapes, so use vbLf
        text = Replace(text, "|", "")
        text = Replace(text, "%", "")
        text = Replace(text, Chr(34), """")  ' """" is a single double-quote character, so this line is a no-op as posted
        While InStr(text, "  ") > 0           ' collapse runs of spaces (two spaces -> one) until none remain
            text = Replace(text, "  ", " ")
        Wend
        switchQuotes = text
    end function
    %>

So I thought that if you integrated this that would take care of the string issues. So the guts of the loop would look something like:

    For Each Field In Request.Form
        myfield = switchQuotes(Request.Form(Field))
        TheString = Field & "=""" & myfield & """"   ' builds name="value"; the posted sketch was missing the & operators and the quotes
        Execute(TheString)
    Next

This way, the checking for "red flags" in strings is checked on form (or whatever) load and the user doesn't have to do separate checks.

Then there's the numeric piece. I don't have code for this but I was thinking something along the lines of opening up the recordset and looking for fields that are datatyped numeric (would this include boolean? how about dates?) After you load all your stuff into the variables, you could create an array and loop the recordset, loading fieldnames of fields with vulnerable datatypes into the array. If you've named your form variables (or cookies, or whatever) the same name as your recordset field names then you could loop the array of field names saying something like this:

    dim arrFields, i, blnAllNumeric
    ' arrFields holds the names of the numeric recordset fields collected above
    ' ("array" is a VBScript built-in and square brackets are not VBScript indexing)
    blnAllNumeric = true
    for i = 0 to ubound(arrFields)
        if not isNumeric(Request.Form(arrFields(i))) then blnAllNumeric = false
    next
    if not blnAllNumeric then response.redirect "error.html"

or something like that. Comments? Thoughts? Threats to knock me upside the head?

jakyra
#2
I believe it's Execute() that's the problem...
#3
What is the issue with the Execute() function? I haven't seen that exploit.
Thanks
jakyra
#4
AFAIK it's something to do with denial of service...
Rob
#5
I really don't want to go into 'how' this can be exploited... purely because there are so many copies of these functions on the net... I receive 2 or 3 emails a day from people thanking me for them.
I have basically stopped supporting them, because I can figure out 3 ways of exploiting them... 1 of the exploits, as Smokie says, is indeed a DoS, another allows SQL queries to be executed, depending on how the script is being used... and the other, again depending on how the script is used, can give access to the filesystem. Please do not ask me to elaborate on how, coz I won't! I would only recommend the use of my scripts that deal with variables using the 'EXECUTE' function on an Intranet... away from the public domain.
Rob - Webforumz Founder
#6
Ok, I won't ask how. I promise!
Thanks for the information.
jakyra
#7
Ah, the memories. This variable thing is how we met, Rob. Man, that was many years ago. :-)
#8
> Originally posted by Rob
> I really don't want to go into 'how' this can be exploited... purely because there are so many copies of these functions on the net... I receive 2 or 3 emails a day from people thanking me for them. I have basically stopped supporting them, because I can figure out 3 ways of exploiting them... 1 of the exploits, as Smokie says, is indeed a DoS, another allows SQL queries to be executed, depending on how the script is being used... and the other, again depending on how the script is used, can give access to the filesystem. Please do not ask me to elaborate on how, coz I won't! I would only recommend the use of my scripts that deal with variables using the 'EXECUTE' function on an Intranet... away from the public domain.

Aww, Rob you gotta tell us how to hack these!!! I wanna have a look, why don't we have a competition where we all look at the code and see how many serious security issues we can find? Security through obscurity. I like it. Very Microsoft... hehe.
#9
sounds good to me, lil hacking contest!
#10
Ok, I'm stubborn and lazy. (Just thought I'd start there.)
Since my site isn't an intranet site, I'm trying to find a workaround for the glorious idea of not having to type all my own form fields/cookies/recordset fields/etc. Also, I've read that manipulating data right from the recordset is very inefficient/slow/etc. So I wrote one for a recordset. It loads the recordset into an array using getrows, but then I want to be able to reference the data by name, not by number (for updating ease). So I came up with these paired functions:
Is there a better way that doesn't involve hard coding? Thanks!
jakyra (On the endless quest for non-hardcoded code)
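One way to keep the "load everything by name" convenience that the first post wants without handing client-supplied field names to Execute(), which post #5 identifies as the weak point: an added example written for this thread, not code from Rob's scripts or from any poster. The field names in the allow-list are hypothetical stand-ins for your recordset's column names, and the numeric and date checks from the first post run at load time instead of in a separate loop.

```vbscript
<%
' Added example (not Rob's FormFunction code): load request values into a
' Scripting.Dictionary instead of building "name=Request.Form(name)" text for
' Execute(). Only names on the allow-list are accepted, so a client-supplied
' field name never reaches Execute, and type checks happen at load time.
' Hypothetical field names below; use your own recordset's column names.
Function ExpectedFields()
    Dim d
    Set d = Server.CreateObject("Scripting.Dictionary")
    d.CompareMode = vbTextCompare          ' field names are case-insensitive
    d.Add "CustomerId", "numeric"
    d.Add "OrderDate",  "date"
    d.Add "Comments",   "string"
    Set ExpectedFields = d
End Function

' True when value satisfies the declared kind ("numeric", "date" or "string").
Function IsValidValue(value, kind)
    Select Case kind
        Case "numeric": IsValidValue = IsNumeric(value)
        Case "date":    IsValidValue = IsDate(value)
        Case Else:      IsValidValue = True
    End Select
End Function

' Returns a Dictionary of name -> value for the expected fields present in the
' collection (Request.Form, Request.QueryString or Request.Cookies).
' Unknown names are ignored; badly typed values are recorded in errors instead.
Function LoadVariables(collection, expected, errors)
    Dim vars, name, value
    Set vars = Server.CreateObject("Scripting.Dictionary")
    vars.CompareMode = vbTextCompare
    For Each name In collection
        If expected.Exists(name) Then
            value = Trim(collection(name))
            If IsValidValue(value, expected(name)) Then
                vars(name) = value
            Else
                errors.Add name, "expected " & expected(name)
            End If
        End If
    Next
    Set LoadVariables = vars
End Function

Dim vars, errors
Set errors = Server.CreateObject("Scripting.Dictionary")
Set vars = LoadVariables(Request.Form, ExpectedFields(), errors)
If errors.Count > 0 Then Response.Redirect "error.html"
' vars("CustomerId") is now validated; bind it as an ADODB.Command parameter rather than concatenating it into SQL text.
%>
```

A field the form did not send is simply absent from vars, so test vars.Exists("name") before reading a value you cannot do without.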