David Endler wrote:
> If the attacker's UID is 2, he or she can then launch the attack by
> requesting the following URL:
>
> modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=
> no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*
> [...]
> +--[ bio = '\',
Well, this is impossible if "magic_quotes_gpc" is ON, because %5c will be
passed as \\ , not as \ .
Then we have:
bio = '\\',
and SQL injection is apsoluty impossible.
I really don't know why PHP-Nuke not check magic_quotes.
In my PHP engine first task is checking 'magic_quotes', and if it is OFF, then
simply turn it ON:
if (get_magic_quotes_gpc()==0) set_magic_quotes_runtime (1);
This line should be at the top of init script of every PHP engine.
P.S. 'magic_quotes' is by default ON on many web-hosting servers, so I think
that this vulnerability will not affect all sites with PHP nuke.
...except if PHP Nuke explicitly turn magic_quotes off ?!?
> If the attacker's UID is 2, he or she can then launch the attack by
> requesting the following URL:
>
> modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=
> no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*
> [...]
> +--[ bio = '\',
Well, this is impossible if "magic_quotes_gpc" is ON, because %5c will be
passed as \\ , not as \ .
Then we have:
bio = '\\',
and SQL injection is apsoluty impossible.
I really don't know why PHP-Nuke not check magic_quotes.
In my PHP engine first task is checking 'magic_quotes', and if it is OFF, then
simply turn it ON:
if (get_magic_quotes_gpc()==0) set_magic_quotes_runtime (1);
This line should be at the top of init script of every PHP engine.
P.S. 'magic_quotes' is by default ON on many web-hosting servers, so I think
that this vulnerability will not affect all sites with PHP nuke.
...except if PHP Nuke explicitly turn magic_quotes off ?!?
Regards,
Predrag Damnjanovic
[ reply ]