[LINK] Out damn hyphen, out.
Craig Sanders
cas at taz.net.au
Thu Apr 21 10:29:33 EST 2005
On Wed, Apr 20, 2005 at 07:29:07PM +1000, Bernard Robertson-Dunn wrote:
> The strange thing is that it objects to the hyphen in my name. This is
> the only field in the whole banking site where this occurs. I have asked
> the bank and their reply is:
>
> "We advise that the reason behind this is security based and relates to
> the way that non alpha numeric characters may be programmed to behave."
>
> I am very suspicious of this response as it is the only time I have ever
> come across this request (ie not to use the hyphen in my name). I
> suspect that they are using the great god "security" as a smokescreen
> for some sloppy programming.
>
> Anyone care to offer an opinion?
hyphens have never been any kind of a security problem as far as i know,
but there are some characters which can be used to compromise web-site
security IF the CGI is sloppily programmed and/or IF the CGI passes them
on to another program without stripping or processing them.
for example:
1. the semicolon character ";" is used by the unix shell to separate
commands. two commands separated by semi-colons are interpreted exactly
the same as if they were entered as two separate commands. so, if you
can find a web site that has a CGI which takes input from a web form and
passes it unprocessed to a shell, then you can make that script run any
arbitrary command.
2. semicolons are also used to separate commands in most SQL database
servers. if a database search CGI doesn't check and sanitise its input,
you might be able to make it run any arbitrary SQL command (e.g. "DELETE
* FROM table" or "UPDATE products SET price = 0"). this is, unfortunately, a
very common mistake for web developers to make, especially ones that give
themselves grandiose titles like Database Administrator just because they
got a perl script to run an SQL command.
3. apostrophes are used as end of string markers in shell and SQL and
other programs. the potential problem here is that if you can add
an extra apostrophe, you can set the end of a string and then use a
semi-colon to start a new shell or sql command.
there are several other characters which are potential security
problems. the WWW Security FAQ says:
You should try to find ways not to open a shell. In the rare cases
when you have no choice, you should always scan the arguments
for shell metacharacters and remove them. The list of shell
metacharacters is extensive:
&;`'\"|*?~<>^()[]{}$\n\r
("\n" and "\r" are newline and carriage-return respectively).
good programmers write their software so that it can't be exploited with
these tricks (e.g. using placeholders in SQL statements rather than
constructing an SQL command string direct from the input; never passing
input direct to another program without processing it in some way to
"untaint" it; and/or "escaping" the meta-characters by prefixing them
with another character, usually a backslash, that disables the meta-ness
of the character. e.g. search for ";" and replace with "\;").
even well-designed and secure sites will routinely strip these
characters, as a defensive-programming measure, just in case they made a
mistake somewhere (all software has bugs, that's inevitable...but with
appropriately defensive programming it is possible to avoid situations
where the bug is triggered).
the "standard" way of doing this is to have a set of "safe" characters and
strip everything from the input which is not in that set. my guess is that
your bank has defined an overly restrictive set of "safe" chars.
in theory, it's possible that hyphens could be a problem with some external
program, but i doubt it. i've never heard of anything that treats hyphens as
having any special or dangerous meaning.
for more info, see The World Wide Web Security FAQ at
http://www.w3.org/Security/Faq/wwwsf4.html , especially "Q6: I'm developing
custom CGI scripts. What unsafe practices should I avoid?"
craig
--
craig sanders <cas at taz.net.au> (part time cyborg)
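As an added example (not Craig's code or anything posted in the thread), the Python script below contrasts the string-built SQL lookup the mail criticises with the placeholder version it recommends, and shows how an overly narrow "safe" character set swallows a hyphen while a slightly wider one keeps it. The bank's real filter is unknown; the letters-and-digits-only set, the table layout and the customer names are all constructed assumptions.

```python
import re
import sqlite3

# Constructed in-memory customer table; the names are made-up sample data.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, balance INTEGER)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Robertson-Dunn", 100), ("O'Brien", 250), ("Sanders", 75)],
    )
    return conn

def lookup_unsafe(conn, name):
    # The sloppy CGI pattern from the mail: the form field is pasted straight
    # into the SQL text, so an apostrophe in the input ends the string early.
    # A hyphen, by contrast, is just another character inside the quotes.
    sql = "SELECT balance FROM customers WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, name):
    # Placeholder version: the driver sends the value separately from the
    # SQL text, so no character in the name can change the statement.
    row = conn.execute(
        "SELECT balance FROM customers WHERE name = ?", (name,)
    ).fetchone()
    return row[0] if row else None

# Allowlist filtering as described in the mail: keep only characters in a
# "safe" set. The bank's set is ASSUMED here to be letters and digits only,
# which is exactly what makes a hyphen disappear from a surname.
BANK_SAFE = re.compile(r"[^A-Za-z0-9]")
NAME_SAFE = re.compile(r"[^A-Za-z0-9 '\-]")  # letters, digits, space, ', -

def strip_unsafe(value, pattern=NAME_SAFE):
    return pattern.sub("", value)

def naive_lookup_breaks_on_apostrophe(conn):
    # True when the string-built query fails on a perfectly ordinary name.
    try:
        lookup_unsafe(conn, "O'Brien")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    conn = make_db()
    print(strip_unsafe("Robertson-Dunn", BANK_SAFE))  # RobertsonDunn
    print(strip_unsafe("Robertson-Dunn"))             # Robertson-Dunn
    print(lookup_unsafe(conn, "Robertson-Dunn"))      # (100,)
    print(lookup_safe(conn, "O'Brien"))               # 250
    print(naive_lookup_breaks_on_apostrophe(conn))    # True
```

The hyphenated name passes even through the sloppy query, which is the point of the mail: the character that actually needs care is the apostrophe, and placeholders handle it without stripping anything.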