Re: [SECURITY] DoS attack on backend possible (was: Re:

On Mon, 12 Aug 2002, Florian Weimer wrote:

> Gavin Sherry <swm(at)linuxworld(dot)com(dot)au> writes:
>
> >> Yes, but if you just check that the date given by the user matches the
> >> regular expression "[0-9]+-[0-9]+-[0-9]+", it's still possible to
> >> crash the backend.
>
> > Anyone who is using that regular expression in an attempt to validate a
> > user supplied date is already in trouble.
>
> I don't understand why extremely strict syntax checks are necessary.
> The database has to parse it again anyway, and if you can't rely on
> the database to get this simple parsing right, will it store your
> data? Such a reasoning doesn't seem to be too far-fetched to me

Why attempt to validate the user data at all if you're going to do a bad
job of it? Moreover, 'rely on the database to get this ... right': what
kind of security principle is that? For someone interested in security,
you've just broken the most important principle.

As to your other point -- that this bug in the data/time code actually
*reflects* the quality and reliability of the database itself -- you've
really gone too far. The best software has bugs. The reason that no one is
jumping up and down making releases and giving you a medal is that (1) it
is still questionable as to whether or not this bug exists in 7.2.1 (2) it
does not appear to be exploitable (3) it could only be used to cause a
denial of service by an authorised user (4) it is common practise for
database application developers to validate user input and if they don't
they have bigger problems than a potential DoS on their hands.

Gavin