While trying to signon at a website, I got the following PHP code
back. I suppose that their apache was mistakenly returning php text
instead of executing it.
<?php
if (!defined("INCLUDED"))
    include "include.php3";
// $username and $password are interpolated straight into the SQL string;
// where they are set (the include file? register_globals?) is not shown here.
$sql = mysql_query("select * from registrants where Account_Username='$username' AND Account_Password='$password'");
if (@mysql_num_rows($sql) == 0) {
    include "registrationphp.html";
} else {
    include "upcomingregister.php3";
}
?>
I am not a PHP expert (I do mod_perl), but it would seem that this
code is likely to be a good candidate for SQL injection attack. Is
that the case? If so, I would write to them.
For instance, I could supply a password between >>> and <<<:
>>>' or 1=1 or a = 'a<<<
and sign on as any username known to me (these are not hard to find
out, this is an auctioneer who displays high bidder id)
i
Ignoramus20689 wrote:
While trying to signon at a website, I got the following PHP code
back. I suppose that their apache was mistakenly returning php text
instead of executing it.
<?php
if (!defined("INCLUDED"))
    include "include.php3";
$sql = mysql_query("select * from registrants where Account_Username='$username' AND Account_Password='$password'");
if (@mysql_num_rows($sql) == 0) {
    include "registrationphp.html";
} else {
    include "upcomingregister.php3";
}
?>
I am not a PHP expert (I do mod_perl), but it would seem that this
code is likely to be a good candidate for SQL injection attack. Is
that the case? If so, I would write to them.
For instance, I could supply a password between >>> and <<<:
>>>>' or 1=1 or a = 'a<<<
and sign on as any known to me username (these are not hard to find
out, this is an auctioneer who displays high bidder id)
i
It depends on what validation they've done on the userid and password.
There may be some in the included file, for instance.
Or, they could be running with register_globals being on and doing no
validation, in which case this would be a serious security hole.
But the code's not being executed anyway, which means they have other
problems, also :-)
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp. js*******@attglobal.net
==================
Ignoramus20689 wrote:
I am not a PHP expert (I do mod_perl), but it would seem that this
code is likely to be a good candidate for SQL injection attack.
Possibly, unless $username and $password have been filtered already
using mysql_real_escape_string
( http://www.php.net/manual/en/functio...ape-string.php) or
something like it. We don't see the code (presumably in include.php3)
that gets these values.
I'd also be worried because it looks like they are storing passwords in
clear text. They should store a hash of the password and compare the
hash of what the user enters to what's stored in the database.
Also, are they forcing this page to connect via HTTPS? Otherwise,
passwords are being sent over the net in clear text.
To say nothing of the fact that they have allowed PHP code to be
returned to the browser.
Regards,
Bill K.
Ignoramus20689 wrote:
I am not a PHP expert (I do mod_perl), but it would seem that this
code is likely to be a good candidate for SQL injection attack. Is
that the case? If so, I would write to them.
That's a definitely a SQL injection vulnerability, as the code is
written for PHP3, where there is no register_globals option (i.e. it's
always on). Whether it can be exploited is another matter. I don't
think you can execute multiple statement through mysql_query().
On Tue, 22 Aug 2006 11:56:19 -0400, Jerry Stuckle <js*******@attglobal.net> wrote:
Ignoramus20689 wrote:
>While trying to signon at a website, I got the following PHP code back. I suppose that their apache was mistakenly returning php text instead of executing it.
<?php
if (!defined("INCLUDED"))
    include "include.php3";
$sql = mysql_query("select * from registrants where Account_Username='$username' AND Account_Password='$password'");
if (@mysql_num_rows($sql) == 0) {
    include "registrationphp.html";
} else {
    include "upcomingregister.php3";
}
?>
I am not a PHP expert (I do mod_perl), but it would seem that this code is likely to be a good candidate for SQL injection attack. Is that the case? If so, I would write to them.
For instance, I could supply a password between >>> and <<<:
>>>>>' or 1=1 or a = 'a<<<
and sign on as any known to me username (these are not hard to find out, this is an auctioneer who displays high bidder id)
i
It depends on what validation they've done on the userid and password.
There may be some in the included file, for instance.
true
Or, they could be running with register_globals being on and doing no
validation, in which case this would be a serious security hole.
I do not know what typically may be in that include file, but I have a
feeling that possibly they simply dump the form contents into
variables.
But the code's not being executed anyway, which means they have other
problems, also :-)
Yeah. :")
On Tue, 22 Aug 2006 08:50:44 -0700, Bill Karwin <bi**@karwin.com> wrote:
Ignoramus20689 wrote:
>I am not a PHP expert (I do mod_perl), but it would seem that this code is likely to be a good candidate for SQL injection attack.
Possibly, unless $username and $password have been filtered already
using mysql_real_escape_string
(http://www.php.net/manual/en/functio...ape-string.php) or
something like it. We don't see the code (presumably in include.php3)
that gets these values.
I'd also be worried because it looks like they are storing passwords in
clear text. They should store a hash of the password and compare the
hash of what the user enters to what's stored in the database.
Also true. Possibly useful for "I lost my password" situations though,
though there are better ways to handle that.
Also, are they forcing this page to connect via HTTPS? Otherwise,
passwords are being sent over the net in clear text.
That is in fact true, the protocol is http://, not https://.
To say nothing of the fact that they have allowed PHP code to be
returned to the browser.
That, I think, is just some stupid misconfiguration. The other two
issues are those of design.
I hope that my post is not wrongly misinterpreted as an attack on php,
as same mistakes are done with perl as well. (though use of
pre-prepared statements could help in the case of perl, but dumb
programmers would not be likely to use that feature).
I am not sure if I should bother writing to them. It is an auction
house doing industrial liquidations.
i
Ignoramus20689 wrote:
>I'd also be worried because it looks like they are storing passwords in clear text. They should store a hash of the password and compare the hash of what the user enters to what's stored in the database.
Also true. Possibly useful for "I lost my password" situations though,
though there are better ways to handle that.
Right; the better way is to reset the password to something new and
random if a user forgets it. That way one doesn't need to keep it
stored in clear text.
I hope that my post is not wrongly misinterpreted as an attack on php,
as same mistakes are done with perl as well.
Yes, and any other language too! That includes Java, and Ruby, so
zealots of those languages need not respond claiming that their language
solves everything! ;-)
(though use of
pre-prepared statements could help in the case of perl, but dumb
programmers would not be likely to use that feature).
PHP4's mysql interface does not support prepared statements. PHP5
supports prepared statements through the new mysqli interface. So it's
not necessarily that the programmers are dumb. They may be constrained
to use PHP4. Many hosting providers do not support a PHP5 environment.
For the benefit of readers who aren't familiar with prepared statements
-- these allow you to send values to the SQL query via parameters,
instead of interpolating them into the SQL statement string. Using
statement parameters in this way reduces vulnerability to SQL injection.
And to Chung Leong: right, PHP5's mysqli supports executing multiple
statements, while the older mysqli interface does not.
Anyway, whether to email the people who run the site... tough call. It
could fall into the category of "who asked you?" but on the other hand,
spreading awareness of web security is a good thing. You could tell
them they've lost a potential customer -- you aren't going to use their
service because it's obviously not trustworthy!
Regards,
Bill K.
Jerry Stuckle wrote:
Or, they could be running with register_globals being on and doing no
validation, in which case this would be a serious security hole.
If you assume that register_globals is on, then why not assume that
magic_quotes_gpc is on too?
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
Ignoramus20689 wrote:
I hope that my post is not wrongly misinterpreted as an attack on php,
as same mistakes are done with perl as well. (though use of
pre-prepared statements could help in the case of perl, but dumb
programmers would not be likely to use that feature).
PHP does support prepared statements, but not in the MySQL module. It's in
the "mysqli" (MySQL Improved) module, PostgreSQL, and a handful of other
database modules though.
Also, the PDO module (Portable Data Objects -- think DBI for PHP) supports
prepared statements, and even emulates them for databases that don't
natively support them.
--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact
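As an added example (not code from the thread or from any of the posters), here is the login check rewritten the way Bill and Toby describe: a PDO prepared statement with the values passed as parameters rather than interpolated, and a stored password hash compared with password_verify() instead of a clear-text password. It runs against an in-memory SQLite database through PDO, so it assumes the pdo_sqlite extension and PHP 5.5 or later; the table and column names follow the thread's query, while the sample user, the sample password and the legacyQuery()/loginWithPdo() function names are constructed for this example.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 5.5 with pdo_sqlite.
declare(strict_types=1);

// How the posted PHP3 code builds its query: the values are interpolated
// straight into the SQL text, so a quote character in the input becomes
// part of the statement. Returned as a string only, never executed here.
function legacyQuery(string $username, string $password): string
{
    return "select * from registrants where Account_Username='$username'"
         . " AND Account_Password='$password'";
}

// Hardened variant: the SQL text is fixed, the username travels as a bound
// parameter (Bill's "statement parameters"), and the table holds a hash,
// so the submitted password is checked with password_verify() rather than
// compared to a clear-text column.
function loginWithPdo(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare(
        'SELECT Account_Password FROM registrants WHERE Account_Username = :u'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;   // unknown user
    }
    return password_verify($password, $row['Account_Password']);
}

// --- demo setup with constructed sample data -----------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE registrants ('
        . ' Account_Username TEXT PRIMARY KEY,'
        . ' Account_Password TEXT NOT NULL)');

// Store a hash, never the password itself (constructed sample account).
$ins = $db->prepare('INSERT INTO registrants VALUES (:u, :p)');
$ins->execute([
    ':u' => 'bidder42',
    ':p' => password_hash('correct horse', PASSWORD_DEFAULT),
]);

// The password string discussed in the thread.
$injected = "' or 1=1 or a = 'a";

// 1. With interpolation the WHERE clause is rewritten by the input.
echo "legacy SQL: ", legacyQuery('bidder42', $injected), "\n";

// 2. With a bound parameter the same string is just a wrong password.
var_dump(loginWithPdo($db, 'bidder42', $injected));
var_dump(loginWithPdo($db, 'bidder42', 'correct horse'));
var_dump(loginWithPdo($db, 'nobody', 'correct horse'));
```

Run it with `php` on the command line. The echoed legacy statement shows the quote from the input closing the password literal and the rest becoming SQL, which is the whole problem; the three var_dump calls print false, true and false in that order, because under loginWithPdo() the injected string never reaches the SQL parser and is simply not the stored password. Since the table holds only hashes, a copy of the registrants table does not give up anyone's password either, which is Bill's second point.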
Chung Leong wrote:
Ignoramus20689 wrote:
I am not a PHP expert (I do mod_perl), but it would seem that this
code is likely to be a good candidate for SQL injection attack. Is
that the case? If so, I would write to them.
That's a definitely a SQL injection vulnerability, as the code is
written for PHP3, where there is no register_globals option (i.e. it's
always on). Whether it can be exploited is another matter. I don't
think you can execute multiple statement through mysql_query().
IIRC, you can in some obscure way, but I forget. I think it was
fixed in a later release of mysql.
With the code, though, you could easily make the password line be
password='' or '1'='1', thus being able to log in as anyone (a parent
post pointed this out as well)