Dropdown box security hole

babochan

Hi,

My client pointed out that I have a security hole on following code, but I do not understand it. Since I can not contact with my client directly, I can not ask him what did he mean.

Does anybody have an idea?

           <select name="t">
            <OPTION value="" selected >please select</OPTION>

<OPTION value="01" >topic1</OPTION>
<OPTION value="02" >topic2</OPTION>
<OPTION value="03" >topic3</OPTION>
<OPTION value="04" >topic4</OPTION>
<OPTION value="99" >topic5</OPTION>
</select>

Weedpacket

There in particular? I mean, someone could fake a form submission with any value they want for t, but that's true of any form field on any form. You'd be checking things like that anyway, wouldn't you?

I guess you'd have to wait until your client is available. Maybe it depends on what's being listed and what it's going to be used for, but still...

babochan

Hi,

Thank you for the reply.

I think that is it. I did a lot of research, and I can not find another answer. I was confused because I did error checking, and it will deny invalide value. So I do not understand why my client told me that I have a serious security hole...???

I will ask him again.

Weedpacket

I did think of one more possibility - that the number being used as a value is supposed to be confidential - but that sounds unlikely.

If it is, then it is possible to have the numbers generated at random for each session, and keep a table mapping random numbers to real numbers on the server (in a session variable). I wouldn't worry about that unless it turns out to be a problem, though 🙂

inthestars

I think the client means that the form can be submitted from anywhere online. You'll need to make sure that the form is submitted from the site; i.e. results can only come from a particular URL and no other.

babochan

Hi, everybody

Thank you for your reply.

Since this page is search page, is it important to check where it come from? If user enter a value which doesn't exist in DB, then it will return nothing. So, I do not know why my client is so nervous.

I do not know how far should I care about the security....
Like mapping OPTION value .... does anybody actually do that?

I want to know what other people did, and what I missed....

Weedpacket

Originally posted by inthestars
I think the client means that the form can be submitted from anywhere online. You'll need to make sure that the form is submitted from the site; i.e. results can only come from a particular URL and no other.

Well, any reasonable user authentication would make that moot, since only authenticated users would be able to make submissions anyway, wherever their requests come from.
I wouldn't suggest checking $_SERVER['HTTP_REFERER'] to discover the URL of the page that submitted the form, since the browser is under no obligation to provide that information.

Originally posted by babochan
Like mapping OPTION value ... does anybody actually do that?

Well, I've never found a need to - generally, the number used in the OPTION field had no meaning beyond referring to a primary key in a db table being used to maintain that list. If it could potentially be used elsewhere by the user, in a situation where they would otherwise not have permission, then that might be construed as a risk (kind of analogous to using the same password for everything, and then giving it to someone so that they can check your email for you). In that case, a dynamic remapping wouldn't be needed, just a unique identifier that can be kept in the option table.

But really, it's just an idea that occurred to me as an instance of the first corollary to the sixth of the Twelve Networking Truths.