lists.openwall.net - Open Source and information security mailing list archives
Message-Id: <200803200830.43286.fdlist@digitaloffense.net>
Date: Thu, 20 Mar 2008 08:30:43 -0500
From: H D Moore <fdlist@...italoffense.net>
To: full-disclosure@...ts.grok.org.uk
Subject: When standards attack...

The WebKit folks just added client-side SQL database support:
 
http://webkit.org/blog/126/webkit-does-html5-client-side-database-storage/
http://glazkov.com/blog/html5-gears-wrapper/

In addition to all of the existing attacks through a web browser, we can 
now take into account SQLite vulnerabilities and client-side SQL 
injection issues as well.

From the security section of the specification:
http://www.whatwg.org/specs/web-apps/current-work/multipage/section-sql.html#sql

"""
[ 4.11.8.1. User agents ]

User agent implementors are strongly encouraged to audit all their 
supported SQL statements for security implications. For example, LOAD 
DATA INFILE is likely to pose security risks and there is little reason 
to support it.

In general, it is recommended that user agents not support features that 
control how databases are stored on disk. For example, there is little 
reason to allow Web authors to control the character encoding used in the 
disk representation of the data, as all data in ECMAScript is implicitly 
UTF-16.

[ 4.11.8.2. SQL injection ]
Authors are strongly recommended to make use of the ? placeholder feature 
of the executeSql() method, and to never construct SQL statements on the 
fly. 
"""

...because letting developers choose to bind their query parameters has 
worked so well before ;-)

-HD

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
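The contrast the quoted spec draws, as an added example that is not part of HD Moore's post, the WHATWG text, or WebKit's code: the same lookup written once by splicing the user's value into the statement text and once with the `?` placeholder of `executeSql()`. The transaction object is a constructed stand-in that only records the statement and its bound arguments (it runs no database), and a small tokenizer reduces each statement to its shape so the two can be compared outside a browser; the `users` table, `name` column and the sample inputs are assumptions for the illustration. In a page using the real API, `tx` would be the object handed to the `db.transaction()` callback.

```javascript
// Minimal SQL tokenizer used only to compare statement *shape*: identifiers and
// keywords are upper-cased, single-quoted literals ('' escapes a quote) collapse
// to STRING, "--" to end of line collapses to COMMENT, digits to NUMBER, ? to PARAM.
function tokenize(sql) {
  const tokens = [];
  let i = 0;
  while (i < sql.length) {
    const c = sql[i];
    if (/\s/.test(c)) { i++; continue; }
    if (c === "'") {
      let j = i + 1;
      let closed = false;
      while (j < sql.length) {
        if (sql[j] === "'") {
          if (sql[j + 1] === "'") { j += 2; continue; } // escaped quote inside literal
          closed = true;
          break;
        }
        j++;
      }
      tokens.push(closed ? "STRING" : "UNTERMINATED_STRING");
      i = closed ? j + 1 : sql.length;
      continue;
    }
    if (c === "-" && sql[i + 1] === "-") {
      tokens.push("COMMENT");
      const nl = sql.indexOf("\n", i);
      i = nl === -1 ? sql.length : nl + 1;
      continue;
    }
    if (c === "?") { tokens.push("PARAM"); i++; continue; }
    if (/[A-Za-z_]/.test(c)) {
      let j = i;
      while (j < sql.length && /[A-Za-z0-9_]/.test(sql[j])) j++;
      tokens.push(sql.slice(i, j).toUpperCase());
      i = j;
      continue;
    }
    if (/[0-9]/.test(c)) {
      let j = i;
      while (j < sql.length && /[0-9.]/.test(sql[j])) j++;
      tokens.push("NUMBER");
      i = j;
      continue;
    }
    tokens.push(c); // punctuation such as = , ( )
    i++;
  }
  return tokens;
}

// Constructed stand-in for a Web SQL transaction: records what executeSql()
// would receive and attaches the statement's token shape. Not a database.
function recordingTx() {
  return {
    calls: [],
    executeSql(sql, args) {
      const call = { sql, args, shape: tokenize(sql) };
      this.calls.push(call);
      return call;
    },
  };
}

// Vulnerable form: the caller-controlled value becomes part of the statement text.
function lookupVulnerable(tx, username) {
  return tx.executeSql("SELECT id FROM users WHERE name = '" + username + "'", []);
}

// Recommended form from the spec: constant statement text, value bound via ?.
function lookupSafe(tx, username) {
  return tx.executeSql("SELECT id FROM users WHERE name = ?", [username]);
}

// True when a hostile input changes the statement's shape relative to a benign one,
// i.e. when the input was parsed as SQL rather than carried as data.
function shapeChanged(lookup, benignInput, hostileInput) {
  const tx = recordingTx();
  const benign = lookup(tx, benignInput).shape.join(" ");
  const hostile = lookup(tx, hostileInput).shape.join(" ");
  return benign !== hostile;
}

// Demonstration with constructed inputs: a classic tautology-plus-comment payload,
// and a legitimate name containing an apostrophe that merely breaks the vulnerable query.
const PAYLOAD = "x' OR 1=1 --";
console.log("vulnerable shape changes:", shapeChanged(lookupVulnerable, "alice", PAYLOAD));
console.log("safe shape changes:", shapeChanged(lookupSafe, "alice", PAYLOAD));
console.log("vulnerable with O'Brien:", lookupVulnerable(recordingTx(), "O'Brien").shape.join(" "));
console.log("safe with O'Brien:", lookupSafe(recordingTx(), "O'Brien").args);
```

The shape comparison is the same idea a runtime instrumentation or learning-mode WAF uses: with placeholders the token stream of every statement the page can issue is fixed at authoring time, so any deviation at runtime is a bug or an attack, and the apostrophe case shows that the vulnerable form fails on honest input long before anyone attacks it.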
