Re: Magic Quotes

["DokFLeed" <dokfleed () dokfleed net>]

Hi,
I think you got my email wrong, this code isn't what I wrote, this code is a 
sample of a careless programmer who does not care about security issues, and 
fairly weak in development itself, however,  you can not compromise his 
server because it has magic quotes on.
I have done lots of pen-testing and came across many websites, that even if 
they are hacked, the server is saved because of magic quotes.
I hope that explains my argument.

so let me put it this way, since the discussion moved from the How to Why.
with a vulnerable weak code like that, and magic quotes are on, how can you 
get access to the server, knowing that you can inject to SELECT, INSERT 
statements , again with magic quotes on!

cheers
DokFLeed


----- Original Message ----- 
From: "Brad Lhotsky" <lhotskyb () grc nia nih gov>
To: "DokFLeed" <dokfleed () dokfleed net>
Cc: <webappsec () securityfocus com>; "Steve Slater" 
<slater () handsonsecurity com>
Sent: Tuesday, October 17, 2006 1:21 AM
Subject: Re: Magic Quotes


> It's bad programming practice to use the code you've demonstrated in
> production, with or without magic quotes.  PHP suffers from too many bad
> tutorials.  Much like Perl, the fact that it's easy to use from the
> beginning means there's a ton of bad code.  The signal to noise ratio
> with PHP, even large php projects, is terribly low.
>
> Hopefully php6 will include lexical scopes regardless of the enclosing
> block.
>
> Don't write code like that.  Use variable bindings, provided by MySQL
> Improved (http://www.php.net/manual/en/ref.mysqli.php).  PHP is shaping
> the language in response to growing and much validated security
> concerns.  It's not the language's job to protect the server as you so
> eloquently stated.  Any good programming language should allow for the
> programmer to completely annihilate the server in exotic and creative 
> ways.
>
> It's the job of the programmer and system administrator to protect the
> server.  If you or your colleagues are writing code like your example,
> it might be wise to invest in Web Application Security training.  At the
> very least, have your sysadmin compile Hardened-PHP and run through
> apache with mod_security enabled and locked down.
>
> DokFLeed wrote:
> > such a simple SQL like
> > "SELECT * from USERS WHERE id =$id";
> > can lead to a total hack of the SERVER not just the web application.
> > so far the only thing keeping it from happening is the magic quotes,
> > so even with a dumb programmer, the server is safe coz of magic quotes,
> > why is it going to be removed in php6 !!!!
> > if you can insert your own PHP code into the database then
> > run a select to  dump the info to a file on the server using INTO
> > OUTFILE '/home/z.php'
> > as you can see the problem right now is the ' in the OUTFILE syntax, and
> > it is magic quotes that is taking care of the server :)
> >
> > bottom line magic quotes rulez
> >
> > Dok
> >
> > ----- Original Message ----- From: "Steve Slater"
> > <slater () handsonsecurity com>
> > To: "DokFLeed" <dokfleed () dokfleed net>; <webappsec () securityfocus com>
> > Sent: Wednesday, October 11, 2006 3:11 AM
> > Subject: Re: Magic Quotes
> >
> >
> >
> >
> > -------------------------------------------------------------------------
> > Sponsored by: Watchfire
> >
> > Watchfire's AppScan is the industry's first and leading web application
> > security testing suite, and the only solution to provide comprehensive
> > remediation tasks at every level of the application. See for yourself.
> > Download a Free Trial of AppScan today!
> >
> > https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
> > --------------------------------------------------------------------------
>
> --
> Brad Lhotsky <lhotskyb () grc nia nih gov>
> NCTS Computer Specialist
> Phone: 410.558.8006
> "Freedom, Privacy, Security.  Choose Two."


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web 
application security assessment tools by both Gartner and IDC. Download a 
free trial of AppScan today and see why more customers choose AppScan 
then any other solution.

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTO
--------------------------------------------------------------------------