Publishing CCW Permit Lists
Seems that down in Tennessee a local paper decided to publish a searchable database of CCW permit holders in their fair state.
Naturally, SayUncle was on it like white on rice and the list has been taken offline.
I alluded in a comment on his blog that there was something hinky with their system, so I’ll address that now.
The first search I ran on it (just hitting submit with the defaults) came back rather slowly. I didn’t pay much attention, just filed that away and considered it proof enough that the system was a) real and b) functional.
An hour or so later something bubbled up in my head and I went back to it. I checked the URL and it’s written in PHP. My thinking was pretty much: “Slow… written in PHP… by some guy at a newspaper… I betcha…”
So I stuck in the ' character in the search box for last name and hit submit.
Yep, it blew up with your classic MySQL syntax error regarding invalid SQL. We got ourselves a SQL injection attack vector!
Now, it’s hard to explain this one to a non-IT crowd, but I’ll try.
The ' character has a special place in the land of SQL: it delimits your strings. If you want to search for somebody with the last name of O’Brian then the string you’re searching on should look like this: 'O\'Brian' and not 'O'Brian'
Once the programmer makes a mistake as severe as not escaping the special characters in SQL, all sorts of things become possible. The application being broken by design is only the start of it. You now have a vector into the system to read any and all data that the database account the webserver is logged in as can reach.
That means that if the system actually had address data in it, but wasn’t displaying it, it’d take an enterprising person about 20-30 minutes to snag it all, and that’s being generous.
Worse, if the webserver is logged in as a user with credentials to modify the data, then we can just start inserting our own records into the DB simply by placing some creative input into that silly little last name box. It’d look something like this:
';INSERT INTO ccwholders (first_name, last_name, middle_name, city) VALUES ('George', 'Bush', 'Dubya', 'Washington DC');--
If that were possible, and in my professional opinion it quite likely was, then any random yahoo out on the internet that had sufficient knowledge of such attack vectors could have gamed the entire database.
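To make the mistake concrete for the non-IT crowd, here is an added example (my own illustration, not the newspaper’s code) of the bad search beside the fixed one. It uses SQLite in memory as a stand-in for PHP and MySQL; the ccwholders table name and columns follow the INSERT above, and the rows are made up.

```python
import sqlite3

# Constructed sample rows; the table layout follows the INSERT example above.
SAMPLE_ROWS = [
    ("Patrick", "O'Brian", "James", "Memphis"),
    ("Jane", "Smith", "Ann", "Nashville"),
]


def make_db():
    """In-memory SQLite database standing in for the newspaper's MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ccwholders "
                 "(first_name TEXT, last_name TEXT, middle_name TEXT, city TEXT)")
    conn.executemany("INSERT INTO ccwholders VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    return conn


def search_vulnerable(conn, last_name):
    """The mistake described above: the form field is pasted straight into the
    SQL text, so a quote in the input ends the string early and the database
    sees whatever follows it as SQL."""
    sql = ("SELECT first_name, last_name FROM ccwholders WHERE last_name = '"
           + last_name + "'")
    return conn.execute(sql).fetchall()


def search_safe(conn, last_name):
    """The fix: a parameterised query. The value travels separately from the
    SQL text, so quotes and semicolons in it are just characters."""
    sql = "SELECT first_name, last_name FROM ccwholders WHERE last_name = ?"
    return conn.execute(sql, (last_name,)).fetchall()


def probe(fn, conn, value):
    """Run a search and report whether the database choked on the input."""
    try:
        return fn(conn, value)
    except sqlite3.OperationalError:
        return "syntax error"  # the classic MySQL-style 'invalid SQL' blow-up


def demo():
    conn = make_db()
    payload = "';INSERT INTO ccwholders (first_name, last_name, middle_name, city) VALUES ('George', 'Bush', 'Dubya', 'Washington DC');--"
    return {
        "vuln_quote": probe(search_vulnerable, conn, "'"),        # lone quote breaks it
        "vuln_obrian": probe(search_vulnerable, conn, "O'Brian"), # a real name breaks it too
        "safe_obrian": probe(search_safe, conn, "O'Brian"),       # fixed version finds him
        "safe_payload": probe(search_safe, conn, payload),        # treated as a literal surname
        "rows_after": conn.execute("SELECT COUNT(*) FROM ccwholders").fetchone()[0],
    }
```

With the parameterised search the injection string above is simply a surname nobody has, and the row count stays at 2.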
So, not only was the publishing of their database irresponsible in my personal opinion, it was highly irresponsible in my professional opinion, as they didn’t have an application in front of it that was remotely secure. There may have been protections to keep the data from being modified, but in my experience that has never been the case.
