Need help figure out CSRF vulnerability on this cgi code

by Anonymous Monk
on Mar 31, 2012 at 18:40 UTC (#962792=perlquestion)
Anonymous Monk has asked for the wisdom of the Perl Monks concerning the following question:

Hello, I'm new to Perl... and this web application is built on perl-cgi (~10 yrs old app). Recently the Rational webAppscan that scanned the URL reported several (20) cgi modules for Cross-Site Request Forgery (CSRF). I didn't see anything obvious... I was hoping someone could point out the code that is causing the vulnerability. Below is the code (both cgi & the template) of one of the modules.

*****************************sched_history.tmpl************************************************************************
<TMPL_INCLUDE NAME="./icon_top.tmpl">
<!--webbot bot="Include" endspan i-checksum="28680" -->
<p class="page-header">Distribution Schedule Audit Log</p>
<hr class="header-line">
<br>
<form name=schedhistform method=POST action="/gdr/cgi-bin/user_detail.cgi">
<input type=hidden name=user_id value="<tmpl_var name=user_id>">
<input type=hidden name=sched_effective_dt>
<table class="data-table">
<caption class="info-table-caption">Distribution ID: <TMPL_VAR NAME=USER_ID></caption>
<tr class="info-table-header">
    <td>Effective Date</td>
    <td>Status</td>
    <td>Updated By</td>
    <td>Description</td>
</tr>
<TMPL_LOOP NAME=sched_history_list>
<tr class="<tmpl_if name=__ODD__>shaded<tmpl_else>unshaded</tmpl_if>">
    <td><TMPL_VAR NAME=SCHED_EFFECTIVE_DT></td>
    <td><TMPL_VAR NAME=STATUS_CD></td>
    <td><TMPL_VAR NAME=SCHED_UPD_USER_ID></td>
    <td><TMPL_VAR NAME=DESC></td>
</tr>
</TMPL_LOOP>
</table>
</form>
<TMPL_INCLUDE NAME="./icon_bottom.tmpl">
*********************************sched_history.cgi********************************************************************
use HTML::Template;
use Provider::CGI;
use strict;
use Apache::DBI;
use DBI;
use coplib;
use Provider::LogAgent;
use Provider::Constants;

my $cgi = Provider::CGI->new();

# Store the user information in the session object
my %session;
getSession( \%session );

print $cgi->header( -charset => q{utf-8} );

my $user_id=$cgi->param( "user_id" );

## Common Log
my $logger = new Provider::LogAgent(\%session);
my $event = $Provider::Constants::ADMIN_INFO;
my $entity = "$user_id";
my $entityType = "distribution_id";
my $additional = {"action"=>$Provider::Constants::COMMON_LOG_ACCESS};
$logger->store_message($event, $entity, $entityType, %$additional);

$user_id =~ s/^\s+//;
$user_id =~ s/\s+$//;
$user_id = uc($user_id);

my $dbh = cpDBConnect( \%session );
my $row_data;
my $sql_stmt;
my $template = new_template( "sched_history.tmpl", "Distribution Schedule History", \%session);

$sql_stmt = "SELECT to_char( DSD.EFF_DT, 'DD-MON-YYYY HH24:MI:SS') AS SCHED_EFFECTIVE_DT, " .
            "DSD.LAST_UPD_USER_ID AS SCHED_UPD_USER_ID, " .
            "DSD.STAT_CD AS STATUS_CD, " .
            "DSD.DESC_TXT AS DESC_TXT " .
            "FROM DIST_SCHED_DETAIL DSD , DIST_SCHED DS " .
            "WHERE DSD.USER_ID=? AND DS.USER_ID = DSD.USER_ID ";

my $sth = $dbh->prepare($sql_stmt);
$sth->execute( $user_id );

my @loop_data;
while ( $row_data = $sth->fetchrow_hashref ) {
    push(@loop_data, $row_data);
}
$sth->finish;

$template->param( sched_history_list => \@loop_data);
$template->param( USER_ID => $user_id );

#$dbh->disconnect;
print $template->output;

END {
    untie %session;
    undef %session;
}

Re: Need help figure out CSRF vulnerability on this cgi code
by Corion (Pope) on Mar 31, 2012 at 18:45 UTC

    Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF. As you output all your variables without escaping, all your variables are CSRF opportunities. See HTML::Template for escaping. Basically, add ESCAPE=HTML to all variables in your template.

    Also see Is your web application really secure? ("CSRF").

      > Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.

      You also have XSS, or cross-site scripting.

      > Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.
      I'd rather say you have XSS, and CSRF is an effect of this, and by eliminating XSS you are not safe from CSRF.

      > Basically, add ESCAPE=HTML to all variables in your template.
      Or better, use default_escape 'HTML', so you can't forget to do it in the template.

      Thank you all.... I have one other security issue I need your help on... posting as a new thread.
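
The escaping advice in the replies above, as an added example that is not part of the original thread: it renders a constructed fragment modelled on sched_history.tmpl with and without `default_escape => 'HTML'`, and lists the `TMPL_VAR` tags that carry no `ESCAPE` attribute. The helper names `render` and `unescaped_vars` and the sample values are assumptions made for the illustration.

```perl
use strict;
use warnings;
use HTML::Template;

# Constructed fragment modelled on sched_history.tmpl: one value lands in an
# attribute, one in element content, and one tag is already escaped.
my $tmpl_text = <<'TMPL';
<input type=hidden name=user_id value="<TMPL_VAR NAME=USER_ID>">
<td><TMPL_VAR NAME=DESC></td>
<td><TMPL_VAR NAME=STATUS_CD ESCAPE=HTML></td>
TMPL

# Constructed values containing markup, standing in for request or database data.
my %values = (
    USER_ID   => q{A1"><b>injected</b>},
    DESC      => q{<i>markup</i> & more},
    STATUS_CD => q{<OK>},
);

# Render the fragment; extra options are passed straight to HTML::Template->new.
sub render {
    my (%opts) = @_;
    my $t = HTML::Template->new( scalarref => \$tmpl_text, %opts );
    $t->param(%values);
    return $t->output;
}

# Audit helper (hypothetical): names of TMPL_VAR tags with no ESCAPE attribute.
sub unescaped_vars {
    my ($text) = @_;
    my @names;
    while ( $text =~ /<TMPL_VAR\b([^>]*)>/gi ) {
        my $attrs = $1;
        next if $attrs =~ /\bESCAPE\s*=/i;
        my ($name) = $attrs =~ /NAME\s*=\s*["']?([^"'\s>]+)/i;
        push @names, defined $name ? $name : $attrs;
    }
    return @names;
}

print "Tags without ESCAPE: @{[ unescaped_vars($tmpl_text) ]}\n";
print "--- as written ---\n", render();
print "--- default_escape => 'HTML' ---\n", render( default_escape => 'HTML' );
```

With `default_escape` set, a tag that really must emit markup has to opt out explicitly with `ESCAPE=NONE`, which makes the exceptions easy to find in review.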
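
On the point made above that removing XSS does not remove CSRF, an added example (not from the thread or the application) of a per-session token check for a state-changing form. Assumptions: a random secret kept server-side in `%session`, a hidden field named `csrf_token`, and the hypothetical helpers `csrf_token`, `tokens_match` and `request_allowed`; the form name `schedhistform` comes from the posted template.

```perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumption: a random secret is generated per session at login and stored
# server-side in %session. The value below is constructed for the example.
my %session = ( csrf_secret => 'constructed-example-secret' );

# Token bound to this session's secret and to one named form.
sub csrf_token {
    my ( $session, $form ) = @_;
    return hmac_sha256_hex( $form, $session->{csrf_secret} );
}

# Compare without stopping at the first differing character.
sub tokens_match {
    my ( $got, $want ) = @_;
    return 0 unless defined $got && length($got) == length($want);
    my $diff = 0;
    $diff |= ord( substr( $got, $_, 1 ) ) ^ ord( substr( $want, $_, 1 ) )
        for 0 .. length($want) - 1;
    return $diff == 0 ? 1 : 0;
}

# Gate for a state-changing handler: POST only, and the hidden field must
# carry the token this session was issued for that form.
sub request_allowed {
    my ( $session, $method, $form, $submitted ) = @_;
    return 0 unless $method eq 'POST';
    return tokens_match( $submitted, csrf_token( $session, $form ) );
}

my $issued = csrf_token( \%session, 'schedhistform' );
print qq{<input type=hidden name=csrf_token value="$issued">\n};

# Constructed requests: the form's own submission, a POST arriving without
# the token, and a GET carrying it.
for my $case ( [ POST => $issued ], [ POST => undef ], [ GET => $issued ] ) {
    my ( $method, $token ) = @$case;
    printf "%-4s token=%-7s allowed=%d\n", $method,
        defined $token ? 'present' : 'absent',
        request_allowed( \%session, $method, 'schedhistform', $token );
}
```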
