WebApp Sec mailing list archives

Previous By Date Next
Previous By Thread Next

RE: SQL In the Request

From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Fri, 6 Oct 2006 14:13:30 -0500
If everything runs on the local host and you are admin,
I guess I don't see a problem. :)

A developer I helped convert to the dark side showed
me a portal he found that was basically this, but
the SQL query was constructed from cookies. That way
the developers could remotely troubleshoot and debug
the app by using in-browser cookie editors or simply
dropping a cookie (query section) they didn't like
to manipulate the query dynamically.

Obviously there were a couple of other implications
to this implementation style as well.

-ae


-----Original Message-----
From: listbounce () securityfocus com 
[mailto:listbounce () securityfocus com] On Behalf Of bryan allott
Sent: Thursday, October 05, 2006 10:29 AM
To: webappsec () securityfocus com; websecurity () webappsec org
Subject: SQL In the Request

Just when i thought i had seen it all... -i come across a 
site which passes 
in the following as part of the REQUEST..
yes, the SWF builds a request and sends it through to a php 
server... in 
plain text.

POST /flashsql.php?id=106 HTTP/1.1

= QUERYSTRING ====
 id=106

= BODY ====
 host=dedi119b.your-server.co.za
 sql_=SELECT DISTINCT(movies.id), movies.name, filename FROM 
movies LEFT 
JOIN groups_movies ON (movies.id = groups_movies.movie_id) 
LEFT JOIN groups 
ON (groups.id = groups_movies.group_id) LEFT JOIN 
files_groups ON (groups.id 
= files_groups.group_id) LEFT JOIN files ON (files.id = 
files_groups.file_id) WHERE movies.id 
IN(155,150,52,149,134,133,76) AND 
files.file_type_id=9 ORDER BY movies.id
 dat=sk_cms

is there anyway that this can be "acceptable" ? 


--------------------------------------------------------------
-----------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and 
consultants to 
use AppScan in client engagements. AppScan is the leading Web 
application 
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=70150
0000008YSz
--------------------------------------------------------------
------------



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to 
use AppScan in client engagements. AppScan is the leading Web application 
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: