lua-l archive


On Wed, May 28, 2014 at 01:19:10PM +0200, Mateusz Czaplinski wrote:

> > Just seen on FD mailing list..
> > ----
> > LUA WEB APPLICATION SECURITY VULNERABILITIES
> > http://lists.openwall.net/full-disclosure/2014/05/27/1
> >
> 
> Apart from the generic rule "sanitize form input server-side before using
> it for anything", just applied to several specific scenarios (i.e.
> "sanitize HTML to avoid XSS", "sanitize SQL to avoid SQL injections",
> "sanitize before passing to loadstring()", "sanitize filenames", "sanitize
> input to os.system()"), the only two other things, somewhat interesting to
> me at least, seemed to be related to specific modules:

I didn't read it, I just used lua-l as a bookmark ;)

>   1. CGILua: "weak (easily guessable) session IDs" - more details at:
> http://www.syhunt.com/?n=Advisories.Cgilua-weaksessionid

Yes, it was posted on FD some time ago, and I also noted it when I read
the cgilua code last year (we should assume it has been known for a long
time, it is very easy to spot)

>   2. ngx_lua, mod_lua, CGILua: "CRLF injection" - overwriting HTTP headers
> by embedding %0d%0a in GET parameter values; this actually seems like kind of a
> weakness in the modules, although I'm not sure to what extent important
> headers can be overridden (such as e.g. HTTP_REFERER?)

https://en.wikipedia.org/wiki/HTTP_header_injection
https://www.owasp.org/index.php/HTTP_Response_Splitting
https://www.owasp.org/index.php/HTTP_Request_Smuggling (in some cases)

or for performing XSS attacks using the "data:.." trick, or for setting
arbitrary cookies in a third-party browser, etc.

ciao,
I.
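As an added example (not from this thread, and not code from CGILua, ngx_lua or mod_lua), the plain Lua below shows the CRLF injection discussed above end to end: a GET parameter carrying %0d%0a is percent-decoded and copied into a Location header, which makes the attacker's Set-Cookie line appear as a second response header (the "setting arbitrary cookies" case). The hardened variant refuses any header name or value containing CR or LF instead of emitting it. The helper names (url_decode, parse_query, build_response_unsafe, build_response_safe, check_header_value) and the attack query string are constructed for the illustration; the code has no dependencies beyond the Lua standard library.

```lua
-- Added example, not from the lua-l thread or from any of the modules it names.
-- Demonstrates HTTP response header injection via a CRLF-encoded GET parameter,
-- and the check that prevents it.

-- Minimal percent-decoder for query-string values (constructed helper).
local function url_decode(s)
  s = s:gsub("%+", " ")
  return (s:gsub("%%(%x%x)", function(h)
    return string.char(tonumber(h, 16))
  end))
end

-- Parse "a=1&b=2" into a table (constructed helper; assumes no repeated keys).
local function parse_query(qs)
  local t = {}
  for pair in qs:gmatch("[^&]+") do
    local k, v = pair:match("^([^=]*)=?(.*)$")
    t[url_decode(k)] = url_decode(v)
  end
  return t
end

-- VULNERABLE: each header value is interpolated into the header block as-is.
-- Any CR/LF inside a value therefore terminates the header and starts a new one;
-- a CRLF CRLF sequence would even let the attacker supply the response body.
local function build_response_unsafe(headers)
  local out = {}
  for _, h in ipairs(headers) do
    out[#out + 1] = h[1] .. ": " .. h[2]
  end
  return "HTTP/1.1 302 Found\r\n" .. table.concat(out, "\r\n") .. "\r\n\r\n"
end

-- HARDENED: reject any CR or LF in a header value. The check runs on the
-- decoded value, so %0d%0a, %0D%0A and a raw CR/LF are all caught alike.
-- Rejecting is preferable to silently stripping: a request that carries
-- CR/LF in a header-bound parameter is hostile, not merely malformed.
local function check_header_value(v)
  if v:find("[\r\n]") then
    return nil, "CR/LF in header value"
  end
  return v
end

local function build_response_safe(headers)
  local out = {}
  for _, h in ipairs(headers) do
    -- Header names may not contain whitespace, ':' or line breaks either.
    assert(not h[1]:find("[\r\n%s:]"), "bad header name")
    local v, err = check_header_value(h[2])
    if not v then
      error("refusing to emit header " .. h[1] .. ": " .. err)
    end
    out[#out + 1] = h[1] .. ": " .. v
  end
  return "HTTP/1.1 302 Found\r\n" .. table.concat(out, "\r\n") .. "\r\n\r\n"
end

-- Constructed attack request: the "next" redirect parameter smuggles in an
-- extra Set-Cookie header behind an encoded CRLF.
local qs = "next=%2Fhome%0d%0aSet-Cookie%3A%20session%3Dattacker-chosen"
local params = parse_query(qs)

print("--- unsafe: the injected Set-Cookie becomes a real header line ---")
io.write(build_response_unsafe({ {"Location", params.next} }))

print("--- safe: the response is refused instead ---")
local ok, err = pcall(build_response_safe, { {"Location", params.next} })
print(ok, err)
```

The same check applies to anything that ends up in a header from request data: redirect targets, Content-Disposition filenames, cookie values and custom headers. If a framework exposes a header-setting API (ngx.header in ngx_lua, the request/response objects in mod_lua and CGILua), verify on the version you run that it performs an equivalent CR/LF check on the decoded value; the thread's point is precisely that at the time of writing it could not be assumed.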