lpalgarvio / mod-auth-external

Automatically exported from code.google.com/p/mod-auth-external
0 stars 0 forks source link

passing data as base64 to prevent injection #17

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Hello,

I think it would be a nice feature (or make it default) to be able to pass the 
data in base64 to the external authentication program.

Yesterday i wrote some little script to check username/password with SQL and 
thought: "oh, here you have to be very carefully.."

But mod-auth-external makes it very easy to implement an own script and I think 
not everyone would realize that you have to check the input..

esco

Original issue reported on code.google.com by escor...@gmx.de on 17 Dec 2013 at 9:59

GoogleCodeExporter commented 9 years ago
I don't really understand this.

What would be the advantage of encoding the data sent by mod_authnz_external to 
the external authenticator in base64?

Clearly it would be a mistake for your authenticator to insert the login name 
that was passed to it into an SQL query without quoting it properly. But that 
just takes a standard SQL quoting function. I don't see how base64 encoding 
would help. Unless your database actually had user names base64 encoded, you'd 
just have to decode the input before putting it into the query, and then you'd 
still be in just as much trouble as ever if you didn't remember to do SQL 
quoting on it. And the whole business would be entirely useless if you were 
authenticating out of anything other than an SQL database.

So, I don't really see how base64 encoding would solve much of anything.

I have added some warnings about SQL injection into the notes on writing 
authenticators. It's probably a common enough issue to be worth mentioning 
there. But there really isn't any way to make mod_authnz_external 100% safe.

Original comment by j...@unixpapa.com on 15 Jan 2014 at 2:31

GoogleCodeExporter commented 9 years ago
Hello,

a warning in the documentation should be ok, too. Thanks for that!

I used base64 because for using PostgreSQL with bash I didn't found any 
"standard SQL quoting function" and thought that using it in generally would 
make the design more secure.

So mod-auth-external wouldn't pass any data that that could inject something 
directly. And because base64 is very widely used you shouldn't have to decode 
it.

example (yes, I know for a big user table you would need the login as base64 in 
the table with an index to get good performance, just an example..):
"SELECT password FROM user WHERE 
encode(convert_to(lower(login),'UTF8'),'base64') = '$USER_BASE64'"

esco

Original comment by escor...@gmx.de on 15 Jan 2014 at 9:40