In Web development the prase "Eval
is evil" is used frequently, mainly in scripting languages like
PHP, where this little function has a very bad reputation - for a very
good reason. The evilness of Eval has its root cause in the usage of unchecked
user input as part of the string to be evaluated. By crafting a special
input a malicious user can execute arbitrary code on the server. This kind
of code injection attacks are well known and have happened in many environments
and languages in the past.
However, many Lotus Notes and Domino
developers don't see any trouble in using the LotusScript function Evaluate
(also available in Java), because the formula language seems to be harmless.
However, this impression doesn't reflect the truth, even the restrictions
in the Web environment don't make this secure.
A common mistake Domino Web developers
make is using Evaluate and @URLDecode to decode data send by a Web
browser without any checks to validate the input. Using Evaluate to url-decode
data is the easiest way, because there is no url-encoding or url-decoding
function available in LotusScript.
The problem is that missing checks of
the input can lead to unfiltered code being inserted into evaluate string
and executed either with the user's rights or even worse with server's
rights. Normally the inserted string is clean and the code works as expected.
In case the string contains some metacharacters by accident, execution
usually ends in an error, because the evaluate string became invalid. However
in the worst case a malicious person could forge his input in a way, which
gives him control over the code being executed. This obviously can be used
for various manipulations. For example, it is pretty easy to insert the
@MailSend command and turn the Domino Web server into a spam spreading
beast. If Evaluate is called with a Notes document as parameter, this document
could be read and attached to the email without much effort, too.
Easy, but unsecure:
Public
Function
URLEncode(value
As
String)
As
String
Dim
result As
Variant
'
not good:
'
-------------
'
value is passed unchecked into the evaluate string
result =
Evaluate(|@URLEncode("UTF-8";
"| +
value +
|")|)
URLEncode =
result(0)
End
Function
To avoid code injection, metacharacters
like backslash \ and double-quote " should always be escaped. Also,
the fact that in formula language the curly brackets can be used as string
delimiters like the quote character, should be taken in to accout. These
should be escaped, too, if needed.
Better:
Public
Function
URLEncode(value
As
String)
As
String
Dim
result As
Variant
Dim
tmp As
String
'
better:
'
---------
'
at least metacharakters like backslash and quote should be escaped
tmp =
Replace(value,
|\|,
|\\|)
tmp =
Replace(tmp,
|"|,
|\"|)
'
and pass the now filtered string into evaluate
result =
Evaluate(|@URLEncode("UTF-8";
"| +
tmp +
|")|)
URLEncode =
result(0)
End
Function
The bad thing about this is that code
injected in this way is usually executed without any traces, so it an be
used to send lots of spam emails at least until the server get listed on
a few blacklists and the complete email transfer just stops working.
The best solution is of course to just
don't use Evaluate in this way, especially in Web applications. However,
using Evaluate for simple formulas like @WebDBName is rather uncritical,
since there is usually no way that any user inputs get its way into the
the formula.
After an examination of a few Domino-based
products, this sort of vulnerability seems to be pretty common. I highly
recommend you to audit your Notes and Domino applications, especially those
reachable over the Web. Keep in mind that not only user input is a risk,
but HTTP headers like user-agent can easily be manipulated, too.