WebApp Sec mailing list archives
Re: Magic Quotes
From: "DokFLeed" <dokfleed () dokfleed net>
Date: Thu, 12 Oct 2006 05:14:20 +0400
such a simple SQL like "SELECT * from USERS WHERE id =$id"; can lead to a total hack of the SERVER not just the web application. so far the only thing keeping it from happening is the magic quotes, so even with a dumb programmer, the server is safe coz of magic quotes, why is it going to be removed in php6 !!!! if you can insert your own PHP code into the database thenrun a select to dump the info to a file on the server using INTO OUTFILE '/home/z.php' as you can see the problem right now is the ' in the OUTFILE syntax, and it is magic quotes that is taking care of the server :)
bottom line magic quotes rulez Dok----- Original Message ----- From: "Steve Slater" <slater () handsonsecurity com>
To: "DokFLeed" <dokfleed () dokfleed net>; <webappsec () securityfocus com> Sent: Wednesday, October 11, 2006 3:11 AM Subject: Re: Magic Quotes
At 04:00 AM 10/06/06, DokFLeed wrote:if there is noway around Magic Quotes, then why is every developer against it ?DokYou can often get around it, depending upon the app and the query.Here is one that works...or at least did work at the time. It's pretty old:http://packetstormsecurity.nl/0311-exploits/phpBB206.txt What if your query uses a numeric query value? Then there is no quote needed to perform an injection. For example: SELECT * from db.table where column = 1100 What if I change 1100 to: -9999 union select * from whatever.whatever (No quotes needed here...) Just give your team an example of how prepared statements work and it won't take more than an extra minute to copy it for each new DB query. Then you don't have to worry about it. Steve ================================================== Steve Slater President Security Compliance Corporation 120 Village Square, Suite 76 Orinda, CA 94563 (866) 657-4550 http://www.securitycompliancecorp.com slater () securitycompliancecorp com
------------------------------------------------------------------------- Sponsored by: WatchfireWatchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ --------------------------------------------------------------------------
Current thread:
- Google code search Stephen de Vries (Oct 04)
- Re: Google code search Zapotek (Oct 05)
- Re: Google code search Ryan Barnett (Oct 05)
- Magic Quotes DokFLeed (Oct 09)
- Message not available
- Re: Magic Quotes DokFLeed (Oct 10)
- Message not available
- Re: Magic Quotes Tomek Perlak (Oct 10)
- RE: Magic Quotes Matt Fisher (Oct 11)
- Re: Magic Quotes Steve Slater (Oct 11)
- Re: Magic Quotes DokFLeed (Oct 15)
- Re: Magic Quotes Brad Lhotsky (Oct 16)
- Message not available
- Re: Magic Quotes DokFLeed (Oct 17)
- Re: Magic Quotes Brad Lhotsky (Oct 17)
- Re: Magic Quotes DokFLeed (Oct 17)