Bytes | Software Development & Data Engineering Community

Is this a security issue

While trying to signon at a website, I got the following PHP code
back. I suppose that their apache was mistakenly returning php text
instead of executing it.

<?php
if (!defined("INCLUDED"))
include "include.php3";

$sql = mysql_query("select * from registrants where Account_Username='$username' AND Account_Password='$password'");
if (@mysql_num_rows($sql) == 0) {
include "registrationphp.html";
} else {
include "upcomingregister.php3";
}

?>

I am not a PHP expert (I do mod_perl), but it would seem that this
code is likely to be a good candidate for SQL injection attack. Is
that the case? If so, I would write to them.

For instance, I could supply a password between >>> and <<<:
>>>' or 1=1 or a = 'a<<<
and sign on as any username known to me (these are not hard to find
out, this is an auctioneer who displays high bidder id)

i

Aug 22 '06 #1
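To see the injection the original poster describes in working code, here is an added example (mine, not code from the post or from the site in question). It is Python with an in-memory SQLite table standing in for the MySQL "registrants" table, and it assumes, as Jerry and Chung discuss below, that $username and $password reach the query unfiltered. The sample rows are constructed. It also shows a caveat worth knowing before writing to anyone: the exact password the post proposes ends in "a = 'a", which makes the database resolve a column named a; unless the table happens to have one, the statement is rejected rather than bypassing the check, while the "' or '1'='1" form used later in the thread (post #10) matches every row. Bound parameters, and for this payload quote-escaping of the kind mysql_real_escape_string or magic_quotes_gpc would do, turn the same input back into plain data.

```python
import sqlite3

# Constructed sample rows standing in for the site's "registrants" table;
# nothing here comes from the original site.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "s3cret")]

# The password the original poster proposed, and the variant from post #10.
PAYLOAD_OP = "' or 1=1 or a = 'a"
PAYLOAD_POST10 = "' or '1'='1"


def make_db():
    """In-memory SQLite stand-in for the MySQL table the posted PHP queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE registrants (Account_Username TEXT, Account_Password TEXT)")
    db.executemany("INSERT INTO registrants VALUES (?, ?)", SAMPLE_USERS)
    return db


def login_interpolated(db, username, password):
    """Mirrors the posted PHP: the values are spliced into the SQL text,
    so the attacker's input becomes part of the statement."""
    sql = (f"select * from registrants where Account_Username='{username}' "
           f"AND Account_Password='{password}'")
    return len(db.execute(sql).fetchall())


def login_escaped(db, username, password):
    """Quote-escaping, the route mysql_real_escape_string (or magic_quotes_gpc)
    takes in the thread: still string-building, but a quote in the input is
    doubled so it cannot terminate the literal. Simplified SQL-standard
    escaping for this demo, not a drop-in for the MySQL function."""
    def esc(s):
        return s.replace("'", "''")
    sql = (f"select * from registrants where Account_Username='{esc(username)}' "
           f"AND Account_Password='{esc(password)}'")
    return len(db.execute(sql).fetchall())


def login_parameterized(db, username, password):
    """Bound parameters: the SQL text is fixed and the values are sent
    separately, so quotes in the input are just data."""
    sql = ("select * from registrants where Account_Username=? "
           "AND Account_Password=?")
    return len(db.execute(sql, (username, password)).fetchall())


def demo():
    """Run each variant against the sample table and return the row count
    (or the string 'rejected' when the database refuses the statement)."""
    db = make_db()

    def count(fn, username, password):
        try:
            return fn(db, username, password)
        except sqlite3.OperationalError:
            # e.g. "no such column: a" for the original poster's payload
            return "rejected"

    return {
        "good_creds_interpolated": count(login_interpolated, "alice", "hunter2"),
        "bad_creds_interpolated": count(login_interpolated, "alice", "wrong"),
        # The post's exact string: the tail "a = 'a" refers to a column named
        # a, which this table (and most real ones) does not have.
        "op_payload_interpolated": count(login_interpolated, "alice", PAYLOAD_OP),
        # Post #10's form needs no such column and matches every row, so
        # "alice" plus this password "logs in" (2 rows back, not 0).
        "post10_payload_interpolated": count(login_interpolated, "alice", PAYLOAD_POST10),
        # Same payload with the quote escaped: it is now a literal password.
        "post10_payload_escaped": count(login_escaped, "alice", PAYLOAD_POST10),
        # Same payload through bound parameters: also treated as a literal.
        "post10_payload_parameterized": count(login_parameterized, "alice", PAYLOAD_POST10),
        "good_creds_parameterized": count(login_parameterized, "alice", "hunter2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The interpolated query returns both rows for the post #10 payload because the WHERE clause becomes `Account_Username='alice' AND Account_Password='' or '1'='1'`, and OR binds looser than AND; the login check in the posted PHP only asks whether the row count is non-zero, so any user name would do.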
Ignoramus20689 wrote:
> I am not a PHP expert (I do mod_perl), but it would seem that this
> code is likely to be a good candidate for SQL injection attack. Is
> that the case? If so, I would write to them.

It depends on what validation they've done on the userid and password.
There may be some in the included file, for instance.

Or, they could be running with register_globals being on and doing no
validation, in which case this would be a serious security hole.

But the code's not being executed anyway, which means they have other
problems, also :-)

--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
js*******@attglobal.net
==================
Aug 22 '06 #2
Ignoramus20689 wrote:
> I am not a PHP expert (I do mod_perl), but it would seem that this
> code is likely to be a good candidate for SQL injection attack.

Possibly, unless $username and $password have been filtered already
using mysql_real_escape_string
(http://www.php.net/manual/en/functio...ape-string.php) or
something like it. We don't see the code (presumably in include.php3)
that gets these values.

I'd also be worried because it looks like they are storing passwords in
clear text. They should store a hash of the password and compare the
hash of what the user enters to what's stored in the database.

Also, are they forcing this page to connect via HTTPS? Otherwise,
passwords are being sent over the net in clear text.

To say nothing of the fact that they have allowed PHP code to be
returned to the browser.

Regards,
Bill K.
Aug 22 '06 #3
Ignoramus20689 wrote:
> I am not a PHP expert (I do mod_perl), but it would seem that this
> code is likely to be a good candidate for SQL injection attack. Is
> that the case? If so, I would write to them.

That's definitely a SQL injection vulnerability, as the code is
written for PHP3, where there is no register_globals option (i.e. it's
always on). Whether it can be exploited is another matter. I don't
think you can execute multiple statements through mysql_query().

Aug 22 '06 #4
On Tue, 22 Aug 2006 11:56:19 -0400, Jerry Stuckle <js*******@attglobal.net> wrote:
> It depends on what validation they've done on the userid and password.
> There may be some in the included file, for instance.

true

> Or, they could be running with register_globals being on and doing no
> validation, in which case this would be a serious security hole.

I do not know what typically may be in that include file, but I have a
feeling that possibly they simply dump the form contents into
variables.

> But the code's not being executed anyway, which means they have other
> problems, also :-)

Yeah. :)

Aug 22 '06 #5
On Tue, 22 Aug 2006 08:50:44 -0700, Bill Karwin <bi**@karwin.com> wrote:
> Ignoramus20689 wrote:
>> I am not a PHP expert (I do mod_perl), but it would seem that this
>> code is likely to be a good candidate for SQL injection attack.
>
> Possibly, unless $username and $password have been filtered already
> using mysql_real_escape_string
> (http://www.php.net/manual/en/functio...ape-string.php) or
> something like it. We don't see the code (presumably in include.php3)
> that gets these values.
>
> I'd also be worried because it looks like they are storing passwords in
> clear text. They should store a hash of the password and compare the
> hash of what the user enters to what's stored in the database.

Also true. Possibly useful for "I lost my password" situations though,
though there are better ways to handle that.

> Also, are they forcing this page to connect via HTTPS? Otherwise,
> passwords are being sent over the net in clear text.

That is in fact true, the protocol is http://, not https://.

> To say nothing of the fact that they have allowed PHP code to be
> returned to the browser.

That, I think, is just some stupid misconfiguration. The other two
issues are those of design.

I hope that my post is not wrongly misinterpreted as an attack on php,
as same mistakes are done with perl as well. (though use of
pre-prepared statements could help in the case of perl, but dumb
programmers would not be likely to use that feature).

I am not sure if I should bother writing to them. It is an auction
house doing industrial liquidations.

i

Aug 22 '06 #6
Ignoramus20689 wrote:
>> I'd also be worried because it looks like they are storing passwords in
>> clear text. They should store a hash of the password and compare the
>> hash of what the user enters to what's stored in the database.
>
> Also true. Possibly useful for "I lost my password" situations though,
> though there are better ways to handle that.

Right; the better way is to reset the password to something new and
random if a user forgets it. That way one doesn't need to keep it
stored in clear text.

> I hope that my post is not wrongly misinterpreted as an attack on php,
> as same mistakes are done with perl as well.

Yes, and any other language too! That includes Java, and Ruby, so
zealots of those languages need not respond claiming that their language
solves everything! ;-)

> (though use of
> pre-prepared statements could help in the case of perl, but dumb
> programmers would not be likely to use that feature).

PHP4's mysql interface does not support prepared statements. PHP5
supports prepared statements through the new mysqli interface. So it's
not necessarily that the programmers are dumb. They may be constrained
to use PHP4. Many hosting providers do not support a PHP5 environment.

For the benefit of readers who aren't familiar with prepared statements
-- these allow you to send values to the SQL query via parameters,
instead of interpolating them into the SQL statement string. Using
statement parameters in this way reduces vulnerability to SQL injection.

And to Chung Leong: right, PHP5's mysqli supports executing multiple
statements, while the older mysqli interface does not.

Anyway, whether to email the people who run the site... tough call. It
could fall into the category of "who asked you?" but on the other hand,
spreading awareness of web security is a good thing. You could tell
them they've lost a potential customer -- you aren't going to use their
service because it's obviously not trustworthy!

Regards,
Bill K.
Aug 22 '06 #7
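Bill's two points in this post, store a hash rather than the password and handle "I lost my password" by issuing a new random one, look like this in code. This is an added example of mine, not code from the thread or from the site; it uses Python's standard library (PBKDF2-HMAC-SHA256 with a per-account random salt, a constant-time compare, and a random token for the reset) and a constructed in-memory dictionary in place of the registrants table. The iteration count is an assumption for the example and would be tuned in practice.

```python
import hashlib
import hmac
import os
import secrets

# Work factor for PBKDF2; an assumption for this example, tune it for your
# hardware. Higher is slower for the attacker and for you.
PBKDF2_ITERATIONS = 100_000


def hash_password(password, salt=None):
    """Return (salt, digest). Only these two values get stored; the password
    itself is never written down."""
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute the hash of what the user typed and compare it to the stored
    digest in constant time (no early exit on the first differing byte)."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Registrants:
    """Constructed in-memory stand-in for the registrants table; stores
    (salt, digest) per username instead of the clear-text password."""

    def __init__(self):
        self._rows = {}

    def register(self, username, password):
        self._rows[username] = hash_password(password)

    def stored_row(self, username):
        """What someone who dumps the table would see for this user."""
        return self._rows.get(username)

    def login(self, username, password):
        row = self._rows.get(username)
        if row is None:
            # Hash anyway so an unknown username costs the same time as a
            # wrong password (no timing hint about which names exist).
            hash_password(password)
            return False
        return verify_password(password, *row)

    def reset_password(self, username):
        """'I lost my password': generate a new random one and store its hash.
        Returns the new password so it can be delivered to the user once;
        the old one cannot be recovered from the table and need not be."""
        if username not in self._rows:
            return None
        new_password = secrets.token_urlsafe(12)
        self._rows[username] = hash_password(new_password)
        return new_password


if __name__ == "__main__":
    table = Registrants()
    table.register("alice", "hunter2")
    print("login with right password:", table.login("alice", "hunter2"))
    print("login with wrong password:", table.login("alice", "nope"))
    fresh = table.reset_password("alice")
    print("after reset, old password works:", table.login("alice", "hunter2"))
    print("after reset, new password works:", table.login("alice", fresh))
```

With this layout a leaked table gives an attacker salts and digests to grind through, not credentials to reuse, and the reset path never needs to show anyone the old password.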
Jerry Stuckle wrote:
> Or, they could be running with register_globals being on and doing no
> validation, in which case this would be a serious security hole.

If you assume that register_globals is on, then why not assume that
magic_quotes_gpc is on too?

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Aug 23 '06 #8
Ignoramus20689 wrote:
> I hope that my post is not wrongly misinterpreted as an attack on php,
> as same mistakes are done with perl as well. (though use of
> pre-prepared statements could help in the case of perl, but dumb
> programmers would not be likely to use that feature).

PHP does support prepared statements, but not in the MySQL module. It's in
the "mysqli" (MySQL Improved) module, PostgreSQL, and a handful of other
database modules though.

Also, the PDO module (Portable Data Objects -- think DBI for PHP) supports
prepared statements, and even emulates them for databases that don't
natively support them.

--
Toby A Inkster BSc (Hons) ARCS
Contact Me ~ http://tobyinkster.co.uk/contact

Aug 23 '06 #9

Chung Leong wrote:
> Ignoramus20689 wrote:
>> I am not a PHP expert (I do mod_perl), but it would seem that this
>> code is likely to be a good candidate for SQL injection attack. Is
>> that the case? If so, I would write to them.
>
> That's definitely a SQL injection vulnerability, as the code is
> written for PHP3, where there is no register_globals option (i.e. it's
> always on). Whether it can be exploited is another matter. I don't
> think you can execute multiple statements through mysql_query().

IIRC, you can in some obscure way, but I forget. I think it was
fixed in a later release of mysql.

With the code, though, you could easily make the password line be
password='' or '1'='1', thus being able to log in as anyone (a parent
post pointed this out as well)

Aug 23 '06 #10