SecurityFocus

Google code search Oct 05 2006 06:08AM
Stephen de Vries (stephen corsaire com) (3 replies)

Magic Quotes Oct 06 2006 11:00AM
DokFLeed (dokfleed dokfleed net) (2 replies)

Re: Magic Quotes Oct 10 2006 11:11PM
Steve Slater (slater handsonsecurity com) (1 replies)

Re: Magic Quotes Oct 12 2006 01:14AM
DokFLeed (dokfleed dokfleed net) (1 replies)

such a simple SQL like
"SELECT * from USERS WHERE id =$id";
can lead to a total hack of the SERVER not just the web application.
so far the only thing keeping it from happening is the magic quotes,
so even with a dumb programmer, the server is safe coz of magic quotes,
why is it going to be removed in php6 !!!!
if you can insert your own PHP code into the database then
run a select to dump the info to a file on the server using INTO OUTFILE
'/home/z.php'
as you can see the problem right now is the ' in the OUTFILE syntax, and it
is magic quotes that is taking care of the server :)

bottom line magic quotes rulez

Dok

----- Original Message -----
From: "Steve Slater" <slater (at) handsonsecurity (dot) com [email concealed]>
To: "DokFLeed" <dokfleed (at) dokfleed (dot) net [email concealed]>; <webappsec (at) securityfocus (dot) com [email concealed]>
Sent: Wednesday, October 11, 2006 3:11 AM
Subject: Re: Magic Quotes

> At 04:00 AM 10/06/06, DokFLeed wrote:
>
>>if there is noway around Magic Quotes, then why is every developer against
>>it ?
>>Dok
>
> You can often get around it, depending upon the app and the query.
> Here is one that works...or at least did work at the time. It's pretty
> old:
>
> http://packetstormsecurity.nl/0311-exploits/phpBB206.txt
>
> What if your query uses a numeric query value? Then there is
> no quote needed to perform an injection. For example:
>
> SELECT * from db.table where column = 1100
>
> What if I change 1100 to: -9999 union select * from whatever.whatever
>
> (No quotes needed here...)
>
> Just give your team an example of how prepared statements work
> and it won't take more than an extra minute to copy it for each new DB
> query. Then you don't have to worry about it.
>
> Steve
>
>
>
> ==================================================
>
> Steve Slater
> President
>
> Security Compliance Corporation
> 120 Village Square, Suite 76
> Orinda, CA 94563
> (866) 657-4550
>
> http://www.securitycompliancecorp.com
> slater (at) securitycompliancecorp (dot) com [email concealed]
>
>
>

------------------------------------------------------------------------
-
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ

------------------------------------------------------------------------
--

[ reply ]

Re: Magic Quotes Oct 16 2006 09:29PM
Brad Lhotsky (lhotskyb mail nih gov)

Re: Magic Quotes Oct 10 2006 10:19AM
Tomek Perlak (tomekperlak tlen pl) (1 replies)

RE: Magic Quotes Oct 11 2006 03:16PM
Matt Fisher (mfisher spidynamics com)

Re: Google code search Oct 05 2006 12:55PM
Ryan Barnett (rcbarnett gmail com)

Re: Google code search Oct 05 2006 06:46AM
Zapotek (zapotekzsp gmail com)