Forum OpenACS Development: Security breach in util_memoize "command $arg"

Hi!

We have replaced _all_ util_memoize commands with double quotes:

- return [util_memoize "package_object_view_helper -start_with $start_with $object_type"]

with a version with "list":

- return [util_memoize [list package_object_view_helper -start_with $start_with $object_type]]

in the entire code of ]project-open[. Why?

It's like SQL injection, somebody could fiddle with $start_with or $object_type and replace object_type for example with:

- "acs_object; ad_user_login 123; return """

and therefore gain system administrator rights.

This is like colon vs. dollar variables in SQLs. They are also not strictly necessary if all ad_page_contracts are well designed.

The issue came up in a very intensive security audit. These guys just found one of these cases in the "/admin" folder of one package, so there is no impact (the Admin can do everything anyway...). But it was still a nice wake-up call.

The OpenACS Core contains some 20 or so unsafe util_memoize calls, so it's not much work to find and fix.

Cheers!
Frank
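The difference between the two call forms, as an added example that is not code from OpenACS or ]project-open[. It uses a tiny stand-in for util_memoize (assumption: the real proc keys its cache on the script string and evaluates that string) and a hypothetical helper named `helper` that only echoes the words it receives, so the lost word boundaries become visible:

```tcl
# Added example (not code from OpenACS or ]project-open[): a tiny stand-in for
# util_memoize. Assumption: the real proc keys its cache on the script string
# and evaluates that string, which is all this demo needs.
array set ::demo_cache {}

proc demo_memoize {script} {
    if {![info exists ::demo_cache($script)]} {
        set ::demo_cache($script) [uplevel #0 $script]
    }
    return $::demo_cache($script)
}

# Hypothetical helper standing in for package_object_view_helper; it only
# echoes the words it received so the argument boundaries are visible.
proc helper {args} {
    return "helper received [llength $args] word(s): $args"
}

# Constructed untrusted input: a value carrying a command separator.
set start_with  5
set object_type {acs_object; set ::tainted yes}

# 1. Quoted form: the value is spliced into the script text, so the ";"
#    terminates the helper call and the remainder runs as a second command.
set quoted "helper -start_with $start_with $object_type"
puts "quoted script -> $quoted"
puts "quoted result -> [demo_memoize $quoted]"
puts "::tainted set?  [info exists ::tainted]"

# 2. list form: every element is exactly one word, so the whole value reaches
#    helper as a single argument and nothing else is executed.
set listed [list helper -start_with $start_with $object_type]
puts "list script   -> $listed"
puts "list result   -> [demo_memoize $listed]"
puts "cache keys    -> [lsort [array names ::demo_cache]]"
```

Run it with `tclsh`: the quoted form reports `::tainted set? 1` and the memoized result is the output of the injected command, while the list form hands `helper` three words and the full value stays one argument. The list form is also the right fix for values that merely contain whitespace, since a quoted script would otherwise split them into several words. To find remaining call sites in a tree, search for the literal `util_memoize "`.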

Posted by Gustaf Neumann on
Hi Frank,

many thanks for this catch! The problem might happen with all non-sanitized variables passed to a quoted util_memoize (which should not happen). This problem might as well become a semantic issue, since the word boundaries are lost through the double quotes when variables are substituted.

The version in the oacs-5-8 branch is now fixed.

-g