Welcome Guest, Not a member yet? Register   Sign In
CodeIgniter Forums CodeIgniter 4 CodeIgniter 4 Support Security and paginate
Security and paginate
#1
11-02-2021, 03:57 AM
(This post was last modified: 11-02-2021, 04:01 AM by captain-sensible. Edit Reason: inform web down )

I have a web site i'm working on set up in Apache local host, with virtual host etc so that the url to serve the landing page is:127.0.0.2

now there is a useful program from owasp called zap. You can use that program to attack webs even on local host, to see what issues are brought up.

now I got this output:
Code:
SQL Injection
http://127.0.0.2/displayGallery?page=1+AND+1%3D1+--+

The page results were successfully manipulated using the boolean conditions [1 AND 1=1 -- ] and [1 AND 1=2 -- ]
The parameter value being modified was stripped from the HTML output for the purposes of the comparison
Data was returned for the original parameter.
The vulnerability was detected by successfully restricting the data originally returned, by manipulating the parameter
The url its quoting involves /displayGallery 
The route I set up is :
Code:
$routes->get('displayGallery','Gallery::displayGallery');
So the class that is evoked is Gallery and the class method is displayGallery
The relevant section of that controller class is:

Code:
$handle = new GalleryModel();


$data = [
'title'=>'paginate',
'result' => $handle->paginate(5),
'pager' => $handle->pager,
'date'=>$this->myDate
];
echo view('displayGallery',$data);

and the section of GalleryModel is:

Code:
class GalleryModel extends Model

{

protected $table      = 'gallery';
protected $primaryKey = 'Id';
protected $allowedFields = ['image','imageTitle','slug'];
protected $limit;
protected $offset;
protected $Id;
protected $imageTitle;
protected $slug;
protected $category;
protected $info;
protected $db;

So in summary i'm think i'm following reasonable coding in that I use  CI4 model and what it provides to paginate results. The pagination by the way works perfectly.
Now I always thought that SQL injection was a problem , where there was an input field and that whats entered would find its way to a database. Now i think i also read. Probably its a good idea to avoid GET requests as much as possible since , it  involves a url , and somebody can play with that.  

My overall thinking is that since the pagination simply retrieves data and there is no input field , this is a false posative. I thought it prudent to find out what other people think ?


ps 11.01 am Uk time :

Code:
Internal Server Error
The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator at [email protected] to inform them of the time this error occurred, and the actions you performed just before this error.

More information about this error may be available in the server error log.

Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.
Reply
  • Offline includebeer
    CodeIgniter Team
  • Posts: 1,018
    Threads: 18
    Joined: Oct 2014
    Reputation: 40
#2
11-02-2021, 04:38 PM
(This post was last modified: 11-02-2021, 04:40 PM by includebeer.)

I think it was reported as an SQL injection because it succeeded in crashing the application. A crash can display sensible information if the application is not correctly configured. Inputs should always be validated for what you expect to receive. In this case you expect the page number to be a number greater than 0. Not a random string with invalid characters.

So I think the best practice would be to type cast the page number to "int" and if the number is <= 0 set the page number to 1. In this particular case, I would blame the framework for not sanitizing the page number since it's a built-in feature of the Pagination library.
CodeIgniter 4 tutorials (EN/FR) - https://includebeer.com
/*** NO support in private message - Use the forum! ***/
Reply
  • Offline kenjis
    Administrator
  • *******
  • Posts: 3,251
    Threads: 90
    Joined: Oct 2014
    Reputation: 205
#3
11-02-2021, 09:11 PM

Do you mean the request `http://127.0.0.2/displayGallery?page=1+AND+1%3D1+--+` caused Internal Server Error?
I don't know where 500 error occurs.

> Probably its a good idea to avoid GET requests as much as possible since , it involves a url , and somebody can play with that.

It is the way of CodeIgniter v1.
The principle is to validate all user input.
ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper
Reply
  • Offline salain
    Member
  • ***
  • Posts: 135
    Threads: 2
    Joined: Nov 2014
    Reputation: 12
#4
11-03-2021, 01:08 AM

@kenjis
The 500 internal error was codeigniter's web site.
I have that error nearly all day yesterday.
A good decision is based on knowledge and not on numbers. - Plato

Reply
  • Offline kenjis
    Administrator
  • *******
  • Posts: 3,251
    Threads: 90
    Joined: Oct 2014
    Reputation: 205
#5
11-03-2021, 01:17 AM
(This post was last modified: 11-03-2021, 01:24 AM by kenjis.)

salain Ah! Thanks.
(11-02-2021, 03:57 AM)captain-sensible Wrote: So in summary i'm think i'm following reasonable coding in that I use  CI4 model and what it provides to paginate results. The pagination by the way works perfectly.

It seems this is just false positive of OWASP Zap.
page=1+AND+1%3D1+--+ does nothing to CodeIgniter.
ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper
Reply
#6
11-04-2021, 09:28 AM
(This post was last modified: 11-04-2021, 09:30 AM by captain-sensible. Edit Reason: edited tags manually )

[quote pid="391196" dateline="1635912699"]

> Probably its a good idea to avoid GET requests as much as possible since , it  involves a url , and somebody can play with that. 


[/quote]

i agree but it seems to be the way that CI4 paginate system works. I once did write a way of doing pagination with POST  requests but forgot how i did it
cheers all zap didn't crash the app ; it was simply the point about it saying there was a ssecurity issue .

I will have a look at includebeer sugestion. i'm going to mark this solved
Reply
  • Offline kenjis
    Administrator
  • *******
  • Posts: 3,251
    Threads: 90
    Joined: Oct 2014
    Reputation: 205
#7
11-05-2021, 06:10 AM

(11-02-2021, 04:38 PM)includebeer Wrote: So I think the best practice would be to type cast the page number to "int" and if the number is <= 0 set the page number to 1. In this particular case, I would blame the framework for not sanitizing the page number since it's a built-in feature of the Pagination library.

CI4 does what you say.
See https://github.com/codeigniter4/CodeIgni...#L415-L417
ci-phpunit-test | CodeIgniter Testing Guide | CodeIgniter 3 to 4 Upgrade Helper
Reply
  • Offline includebeer
    CodeIgniter Team
  • Posts: 1,018
    Threads: 18
    Joined: Oct 2014
    Reputation: 40
#8
11-05-2021, 02:29 PM
(This post was last modified: 11-05-2021, 02:34 PM by includebeer.)

(11-05-2021, 06:10 AM)kenjis Wrote:
(11-02-2021, 04:38 PM)includebeer Wrote: So I think the best practice would be to type cast the page number to "int" and if the number is <= 0 set the page number to 1. In this particular case, I would blame the framework for not sanitizing the page number since it's a built-in feature of the Pagination library.

CI4 does what you say.
See https://github.com/codeigniter4/CodeIgni...#L415-L417
Ha ok! I thought it was odd that CI4 didn't do that already. Thanks for the confirmation that it already do it! It seams the 500 error has nothing to do with this false positive problem...
(11-04-2021, 09:28 AM)captain-sensible Wrote: Probably its a good idea to avoid GET requests as much as possible since , it  involves a url , and somebody can play with that. 
...
i agree but it seems to be the way that CI4 paginate system works. I once did write a way of doing pagination with POST  requests but forgot how i did it

FYI, POST is no more secure than GET. It's just a different way of sending data.
CodeIgniter 4 tutorials (EN/FR) - https://includebeer.com
/*** NO support in private message - Use the forum! ***/
Reply




Theme © iAndrew 2016 - Forum software by © MyBB