Suspekt taught me about the column truncation vulnerability.
This depends on a combination of relaxed comparison methods in the database and incomplete user data validation.
Owing to relaxed comparison within the database, a username 'admin ' would be equated with username 'admin' in the database.
If the username field has a maximum length of 10 characters and user data containing 11 characters is not treated as invalid, there could be a problem.
The username 'admin     x' (admin, five spaces, x: 11 characters) will not currently exist when a `SELECT * FROM users WHERE username = 'admin     x'` is checked. The database will then accept the slightly too long username and dutifully truncate it from 'admin     x' to 'admin     ', which compares equal to 'admin'.
You see where this is going?
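As an added illustration (my own model, not code from the original post), here is a small Python emulation of the two database behaviours the post relies on: silent truncation to the column width in a non-strict mode, and a PAD SPACE style comparison that ignores trailing spaces. The column width, usernames and function names are constructed for the example; the fixed variant shows the input validation the post says is missing.

```python
# Constructed model of a VARCHAR(10) username column in a non-strict database.
COLUMN_WIDTH = 10


def db_store(value: str) -> str:
    """Emulate non-strict mode: an over-long value is silently truncated."""
    return value[:COLUMN_WIDTH]


def db_equal(a: str, b: str) -> bool:
    """Emulate a PAD SPACE collation: trailing spaces do not affect equality."""
    return a.rstrip(" ") == b.rstrip(" ")


class UserTable:
    def __init__(self) -> None:
        self.rows: list[tuple[str, str]] = []  # (username, password)

    def find(self, username: str) -> list[tuple[str, str]]:
        # SELECT * FROM users WHERE username = ?
        return [r for r in self.rows if db_equal(r[0], username)]

    def insert(self, username: str, password: str) -> None:
        self.rows.append((db_store(username), password))


def register_vulnerable(table: UserTable, username: str, password: str) -> bool:
    # Existence check runs on the untruncated input, so 'admin     x' matches no row;
    # the INSERT then truncates it to 'admin     ', which compares equal to 'admin'.
    if table.find(username):
        return False
    table.insert(username, password)
    return True


def register_fixed(table: UserTable, username: str, password: str) -> bool:
    # Reject input longer than the column and input with surrounding whitespace
    # before it ever reaches the database. (A strict SQL mode or a UNIQUE index
    # on the username column would independently stop the duplicate row.)
    if len(username) > COLUMN_WIDTH or username != username.strip():
        return False
    if table.find(username):
        return False
    table.insert(username, password)
    return True


def login(table: UserTable, username: str, password: str) -> bool:
    # SELECT * FROM users WHERE username = ? AND password = ?; any row counts.
    return any(pw == password for _, pw in table.find(username))
```

With the vulnerable registration, a second row that collates equal to 'admin' is created with the attacker's password, so a later login as 'admin' with that password succeeds; the fixed variant rejects the 11-character input outright.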
Friday, August 22, 2008