Hi guys, can you please help me to remove the flaw? During security testing I am getting the flaw at
sqlCmd.Parameters.Add(prm); in the following code, which saves the image into SQL Server.
C#
string repname = "";
string rowsid = GlobalClass.rowsID;
// When the checkbox is set, the collector name comes straight from a text box.
// That user input becomes part of the file path built below, which is what the scanner flags.
if (chk_toref.Checked) { repname = txtCollectorName.Text.Trim(); } else { repname = lblName.Text; }
SaveImgName = "In" + "+" + repname + "+" + GlobalClass.rowsID + ".jpg";
string imgpath = @"C:";
string sBLOBFilePath = imgpath + @"\Signature\" + SaveImgName;
pictureBox1.Image = Image.FromFile(sBLOBFilePath);

DataConnection data = new DataConnection();
using (SqlConnection con = data.GetConnection())
using (SqlCommand sqlCmd = new SqlCommand("update tblinbound set Signature=@img where id=@rowsid", con))
{
    con.Open();
    sqlCmd.Parameters.AddWithValue("@rowsid", rowsid);

    // Read the whole file at once. The original Stream.Read call ignored its return value,
    // so a short read could have left the tail of the buffer unfilled.
    byte[] bytBLOBData = File.ReadAllBytes(sBLOBFilePath);

    SqlParameter prm = new SqlParameter("@img", System.Data.SqlDbType.VarBinary, bytBLOBData.Length);
    prm.Value = bytBLOBData;
    sqlCmd.Parameters.Add(prm);
    sqlCmd.ExecuteNonQuery();
}

thanks...
Comments
vijay__p 6-May-13 2:34am    
What error are you getting?
Rajendra Koranga 6-May-13 2:54am    
Description Summary
The software allows user input to control or influence paths or file names that are used in filesystem operations.
Extended Description
This could allow an attacker to access or modify system files or other files that are critical to the application.
Path manipulation errors occur when the following two conditions are met:
1. An attacker can specify a path used in an operation on the filesystem.
2. By specifying the resource, the attacker gains a capability that would not otherwise be permitted.
For example, the program may give the attacker the ability to overwrite the specified file or run with a configuration controlled by the attacker.
Sergey Alexandrovich Kryukov 6-May-13 2:40am    
What do these words mean: "getting the flaw"? :-)
—SA
Ian A Davidson 6-May-13 3:57am    
Very little knowledge here, but my guess is that you need to do some validation on "bytBLOBData" to ensure that no SQL code can be "injected" by means of the file that the attacker specifies - e.g. to start with, make sure that any special characters are correctly escaped, etc, so that the attacker cannot use things like quotes and brackets to add additional clauses.
But I fear someone who has more experience of SQL with C# would need to explain exactly what is required.
Regards,
Ian.

1 solution

Hi Rajendra,

You forgot to tell us what tool it was that gave you this "flaw". Or was this something produced from a human code audit?
I found the exact phrase thrown at you by googling it, and it turned up this interesting website: Common Weakness Enumeration: CWE-73: External Control of File Name or Path.
To see what you can do about each of the "flaws" listed on this site, look out for the sections headed "Potential mitigations".
Please do tell what tool was used to do the code analysis (or alternatively, if it was done via code review).


Regards,
— Manfred
Comments
Rajendra Koranga 6-May-13 6:37am    
Hi Manfred R. Bihy,
Some of our clients want to know how secure my application is, and suggested testing it through the website http://www.veracode.com/. During testing I am getting the error or flaw at that point. I think I should not save my image in the local system. Am I right?
Manfred Rudolf Bihy 6-May-13 6:52am    
No, the vulnerability that is being reported here lies in the fact that the user's input is used to construct a path from which the image will be read. You can call a method that will clean the user's input, so no malicious path manipulations can occur.
Manfred Rudolf Bihy 6-May-13 6:58am    
Please read and observe the list of "Potential Mitigations" I linked to in my answer.
You or your manager will have to decide which path is best for your application.
I looked at the veracode website and am not surprised that they didn't link to the CWE website. This company is trying to sell consulting services, so linking to a site where you can help yourself would be counter productive.

Cheers!
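As an added example (not code from the question or from Manfred's answer), the following C# method shows one way to apply the "clean the user's input" mitigation Manfred describes for CWE-73: the collector name and row id are checked against an allowlist, only ever form a bare file name under a fixed directory, and the canonical result is verified to still lie inside that directory before the file is read for the parameterised UPDATE. The C:\Signature folder and the "In+name+id.jpg" naming scheme come from the question; the class and method names are hypothetical.

```csharp
using System;
using System.IO;
using System.Text.RegularExpressions;

// Hypothetical helper, not part of the original code: builds the signature file path
// from user-controlled parts without letting that input choose a directory.
public static class SignaturePathBuilder
{
    // Fixed root taken from the question; user input never supplies a directory component.
    private static readonly string BaseDirectory = Path.GetFullPath(@"C:\Signature");

    // Allowlist: only characters a collector name or row id legitimately needs.
    // Separators, "..", quotes, NUL and the like fail this check outright.
    private static readonly Regex AllowedChars = new Regex(@"^[A-Za-z0-9 _-]{1,64}$");

    public static string BuildSignaturePath(string repName, string rowsId)
    {
        if (repName == null) throw new ArgumentNullException(nameof(repName));
        if (rowsId == null) throw new ArgumentNullException(nameof(rowsId));

        string name = repName.Trim();
        string id = rowsId.Trim();

        // 1. Reject anything outside the allowlist before it touches a path API.
        if (!AllowedChars.IsMatch(name) || !AllowedChars.IsMatch(id))
            throw new ArgumentException("Name or id contains characters not permitted in a signature file name.");

        string fileName = "In+" + name + "+" + id + ".jpg";

        // 2. Belt and braces: the result must be a plain file name with no invalid characters.
        if (fileName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 ||
            Path.GetFileName(fileName) != fileName)
            throw new ArgumentException("Constructed file name is not a plain file name.");

        // 3. Canonicalise and confirm the resolved path still lives under the base directory.
        string fullPath = Path.GetFullPath(Path.Combine(BaseDirectory, fileName));
        string root = BaseDirectory.TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        if (!fullPath.StartsWith(root, StringComparison.OrdinalIgnoreCase))
            throw new UnauthorizedAccessException("Resolved path escapes the signature directory.");

        return fullPath;
    }

    // Bytes for the @img VarBinary parameter of the UPDATE in the question.
    // File.ReadAllBytes avoids the partial-read problem of an unchecked Stream.Read.
    public static byte[] ReadSignatureBytes(string repName, string rowsId)
    {
        return File.ReadAllBytes(BuildSignaturePath(repName, rowsId));
    }

    public static void Main()
    {
        // Constructed sample inputs.
        Console.WriteLine(BuildSignaturePath("John Smith", "1042"));
        try
        {
            BuildSignaturePath(@"..\other", "1");
        }
        catch (ArgumentException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
    }
}
```

The allowlist does the real work; the canonicalisation check is a second line of defence so that a future change to the naming scheme cannot quietly reintroduce the problem. Whatever the scanner reports, the SQL side of the original code was already safe because both values are passed as parameters; the finding is about the file path, not the query.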
Rajendra Koranga 7-May-13 7:40am    
Thanks a lot Manfred R. Bihy.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)