Question

Let's imagine a form where there are inputs like:

<input name="x" />
<input name="y" />
<input name="z" />

Can there be any harm if a user manually, for example by using Firebug, creates more inputs with different names?

I'm asking this because my team yesterday created a rule that you need to manually filter $_POST array (for example) to be sure that there are only expected keys in it. I, personally, don't see any harm if there would be extra keys like foo and bar. They would be ignored, right?

Also, we are using Kohana 3.0 and its ORM. Maybe that's the whole point? Maybe the ORM would react differently to extra, unneeded keys and, maybe, update unexpected columns in the database if a 'hacker' guesses the 'wrong' key (and so the column as well)?

What do you think?


Solution

This is a problem in some frameworks like Ruby on Rails and ASP.NET MVC, where it can occur as mass assignment.

Consider a user account model where you have username, password, email and then a boolean flag for whether or not the user is admin. You build a form for allowing self-registration, and because you of course don't want users to allow themselves to become admin, you include only the first three fields in your form. However, in these frameworks (unless you disable it), any form field with a specific name (regardless of whether or not it came from the actual form) would be assigned. So if the attacker added a field called something like user[admin]=1, that might be assigned by the "magic" backend, and actually have an effect on the data, even though you never explicitly handled that variable.

OTHER TIPS

Erlend is correct in that if you just chuck $_POST into the ORM then you're likely to run into security problems, but he's wrong about Kohana. From Kohana 3.* onwards the ORM method values() takes a 2nd argument which is an array of the expected keys.

So, the following example

$user = ORM::factory('user');
// Only the listed keys are taken from $_POST; any other keys are ignored.
$user->values($_POST, array('username', 'password'));
$user->save();

Source code for values()

would only use the username and password fields from the array.
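As an added example, not code from the original post or from Kohana itself, here is a minimal PHP model showing both behaviours the two answers above describe: unrestricted assignment, where an extra admin key sent with the request lands in the model, and the same call restricted to a list of expected keys. The UserModel class, its values() signature and the column list are assumptions made for the demonstration.

```php
<?php
// Added example (not Kohana's code): a minimal model class that mimics the
// difference between unrestricted mass assignment and a whitelisted values().

class UserModel
{
    // Columns assumed to exist in a hypothetical "users" table.
    private array $data = ['username' => null, 'password' => null,
                           'email' => null, 'admin' => 0];

    // Assign every input key that matches a column. With no $expected list
    // this is the mass-assignment hazard described in the answers above.
    public function values(array $input, ?array $expected = null): self
    {
        foreach ($input as $key => $value) {
            if ($expected !== null && !in_array($key, $expected, true)) {
                continue; // not in the expected-keys list: ignored
            }
            if (array_key_exists($key, $this->data)) {
                $this->data[$key] = $value;
            }
        }
        return $this;
    }

    public function get(string $column)
    {
        return $this->data[$column];
    }
}

// Constructed request body: the three fields the form renders plus an
// 'admin' key that was never part of the form.
$post = ['username' => 'alice', 'password' => 's3cret',
         'email' => 'alice@example.com', 'admin' => 1];

// Unrestricted: every matching key is copied, including the extra one.
$unsafe = (new UserModel())->values($post);
var_dump($unsafe->get('admin'));

// Restricted to the expected keys: the extra key is dropped.
$safe = (new UserModel())->values($post, ['username', 'password', 'email']);
var_dump($safe->get('admin'));
```

The first var_dump shows the admin flag taken from the request; the second shows it left at its default, which is the effect the second argument to values() has.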

If you're using some kind of automation that converts all POST variables into a SQL query there might be something to the claim. I don't know what Kohana does, but some frameworks have a save_to_database( $data ) function that picks the variables from $data that have corresponding fields in the table, so in theory the attacker might be able to save more data to the database than they're supposed to by sending extra keys. (Most frameworks also allow passing an array of allowed fields to the function, which prevents this kind of attack.)

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow