This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Parameter Delimiter"
Deleted user (talk | contribs) |
(Reverting to last version not containing links to s1.shard.jp) |
||
Line 1: | Line 1: | ||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
http://www.textzelrelba.com | http://www.textzelrelba.com | ||
{{Template:Attack}} | {{Template:Attack}} | ||
Line 56: | Line 16: | ||
In order to illustrate this vulnerability, we will use a vulnerability found on Poster V2, a posting system based on PHP programming language. | In order to illustrate this vulnerability, we will use a vulnerability found on Poster V2, a posting system based on PHP programming language. | ||
− | This application has a dangerous vulnerability that allows inserting data into user fields (username, password, email address and privileges) in | + | This application has a dangerous vulnerability that allows inserting data into user fields (username, password, email address and privileges) in âmem.phpâ file, which is responsible for managing the application user. |
− | An example of the file | + | An example of the file âmem.phpâ, where user Jose has admin privileges and Alice user access: |
<? | <? | ||
Line 65: | Line 25: | ||
?> | ?> | ||
− | When a user wants to edit his profile, he must use the "edit | + | When a user wants to edit his profile, he must use the "edit accountâ option in the âindex.phpâ page and enter his login information. However, using â|â as a parameter delimiter on email field followed by âadminâ, the user could elevate his privileges to administrator. Example: |
Username: Alice | Username: Alice | ||
Line 71: | Line 31: | ||
Email: [email protected] |admin| | Email: [email protected] |admin| | ||
− | This information will be recorded in | + | This information will be recorded in âmem.phpâ file like this: |
Alice|87654321|[email protected]|admin|normal| | Alice|87654321|[email protected]|admin|normal| | ||
− | In this case, the last parameter delimiter considered is | + | In this case, the last parameter delimiter considered is â|admin|â and the user could elevate his privileges by assigning administrator profile. |
− | Although this vulnerability | + | Although this vulnerability doesnât allow manipulation of other users' profiles, it allows privilege escalation for application users. |
==Related [[Threat Agents]]== | ==Related [[Threat Agents]]== |
Revision as of 16:00, 27 May 2009
- This is an Attack. To view all attacks, please see the Attack Category page.
Last revision (mm/dd/yy): 05/27/2009
Description
This attack is based on the manipulation of parameter delimiters used by web application input vectors in order to cause unexpected behaviors like access control and authorization bypass and information disclosure, among others.
Risk Factors
TBD
Examples
In order to illustrate this vulnerability, we will use a vulnerability found on Poster V2, a posting system based on PHP programming language.
This application has a dangerous vulnerability that allows inserting data into user fields (username, password, email address and privileges) in âmem.phpâ file, which is responsible for managing the application user.
An example of the file âmem.phpâ, where user Jose has admin privileges and Alice user access:
<? Jose|12345678|[email protected]|admin| Alice|87654321|[email protected]|normal| ?>
When a user wants to edit his profile, he must use the "edit accountâ option in the âindex.phpâ page and enter his login information. However, using â|â as a parameter delimiter on email field followed by âadminâ, the user could elevate his privileges to administrator. Example:
Username: Alice Password: 87654321 Email: [email protected] |admin|
This information will be recorded in âmem.phpâ file like this:
Alice|87654321|[email protected]|admin|normal|
In this case, the last parameter delimiter considered is â|admin|â and the user could elevate his privileges by assigning administrator profile.
Although this vulnerability doesnât allow manipulation of other users' profiles, it allows privilege escalation for application users.