Connection String Parameter Pollution
ID |
php.connection_string_parameter_pollution |
Severity |
critical |
Resource |
Resource Management |
Language |
Php |
Tags |
CWE:15, NIST.SP.800-53, OWASP:2021:A5, PCI-DSS:6.5.1 |
Rationale
Database connectivity typically involves constructing a connection string – a snippet of text encoding the details of the connection to the database, such as hostname, database name, and credentials.
When user input is improperly included in a connection string, it can lead to parameter pollution. This means that the attacker can inject additional parameters or override existing ones, potentially accessing databases they shouldn’t or altering their privileges.
Below is a vulnerable PHP code snippet demonstrating this issue:
<?php
$dbname = $_GET['dbname']; // Untrusted user input
$connection_string = "mysql:host=localhost;dbname=$dbname";
try {
$db = new PDO($connection_string, "username", "password");
echo "Connected successfully";
} catch (PDOException $e) {
echo "Connection failed: " . $e->getMessage();
}
?>In this code example, the database name is obtained from a user-controlled source (GET parameter) and directly incorporated into the connection string without any validation or sanitization. An attacker could manipulate the dbname parameter to inject malicious SQL or change connection parameters, potentially leading to unauthorized database access or execution of arbitrary SQL commands.
Remediation
Mitigating connection string parameter pollution involves several key practices:
-
Use Parameter Objects: Avoid concatenating user input into connection strings. Instead, use APIs or configurations that separate parameters from the connection logic.
-
Validate and Sanitize User Input: If user input must be incorporated into the connection process, ensure it is strictly validated and sanitized according to expected patterns.
-
Environment Configuration: Use environment variables or configuration files to manage sensitive credential information away from user modification capabilities.
Configuration
The detector has the following configurable parameters:
-
sources, that indicates the source kinds to check. -
neutralizations, that indicates the neutralization kinds to check.
Unless you need to change the default behavior, you typically do not need to configure this detector.
References
-
CWE-15 : External Control of System or Configuration Setting.
-
Connection String Parameter Pollution Attacks, by C. Alonso, Blackhat DC 2010.
-
OWASP Top 10 2021 - A03 : Injection.