WebApp Sec mailing list archives
RE: SQL In the Request
From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Fri, 6 Oct 2006 14:13:30 -0500
If everything runs on the local host and you are admin, I guess I don't see a problem. :) A developer I helped convert to the dark side showed me a portal he found that was basically this, but the SQL query was constructed from cookies. That way the developers could remotely troubleshoot and debug the app by using in-browser cookie editors or simply dropping a cookie (query section) they didn't like to manipulate the query dynamically. Obviously there were a couple of other implications to this implementation style as well. -ae
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of bryan allott Sent: Thursday, October 05, 2006 10:29 AM To: webappsec () securityfocus com; websecurity () webappsec org Subject: SQL In the Request Just when i thought i had seen it all... -i come across a site which passes in the following as part of the REQUEST.. yes, the SWF builds a request and sends it through to a php server... in plain text. POST /flashsql.php?id=106 HTTP/1.1 = QUERYSTRING ==== id=106 = BODY ==== host=dedi119b.your-server.co.za sql_=SELECT DISTINCT(movies.id), movies.name, filename FROM movies LEFT JOIN groups_movies ON (movies.id = groups_movies.movie_id) LEFT JOIN groups ON (groups.id = groups_movies.group_id) LEFT JOIN files_groups ON (groups.id = files_groups.group_id) LEFT JOIN files ON (files.id = files_groups.file_id) WHERE movies.id IN(155,150,52,149,134,133,76) AND files.file_type_id=9 ORDER BY movies.id dat=sk_cms is there anyway that this can be "acceptable" ? -------------------------------------------------------------- ----------- Sponsored by: Watchfire Watchfire has new programs available for pen testers and consultants to use AppScan in client engagements. AppScan is the leading Web application assessment tool. Want to see it for yourself? Take a look today! https://www.watchfire.com/securearea/appscancamp.aspx?id=70150 0000008YSz -------------------------------------------------------------- ------------
------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire has new programs available for pen testers and consultants to use AppScan in client engagements. AppScan is the leading Web application assessment tool. Want to see it for yourself? Take a look today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz --------------------------------------------------------------------------
Current thread:
- SQL In the Request bryan allott (Oct 05)
- RE: SQL In the Request Arian J. Evans (Oct 09)