WebApp Sec mailing list archives
Re: Magic Quotes
From: "DokFLeed" <dokfleed () dokfleed net>
Date: Tue, 17 Oct 2006 21:57:44 +0400
The fact remains that most programmers will skip security sanitization even if they know how to do it; maybe they don't have time till the "due date" :) Somehow, I liked magic_quotes. I thought it was something that PHP added; stripping it wasn't that hard, just calling some extra procedures, so for the ones who care there was a workaround, and for the ones who don't, it saved their servers. I would feel more confident knowing that my server can stand against some website with a vulnerable application, which I have to offer hosting anyway. I worked for the past 2 years on a project, http://freshmeat.net/projects/labrova/ ; the new version NG should be released by 2007, to help programmers who don't care about security.

Though the discussion has diverted, my question remains: is there a way to get around the magic quotes?
Cheers,
DokFLeed

----- Original Message -----
From: "Brad Lhotsky" <lhotskyb () mail nih gov>
To: "DokFLeed" <dokfleed () dokfleed net>
Cc: <webappsec () securityfocus com>
Sent: Tuesday, October 17, 2006 7:01 PM
Subject: Re: Magic Quotes

Well, it's good to hear that you're the one doing the pentesting. However, Magic Quotes does not solve the problem, it band-aids it. The problem is bad programming, and regardless of Magic Quotes, if the programmers developing the app are writing code like that, the chances are Magic Quotes isn't going to take it from "insecure" to "secure"; it'll just slide it ever so trivially closer to "secure". Rest assured that there will be projects like Hardened-PHP and mod_security that will work with PHP6 to band-aid fix the most common programmer errors. It's those interesting logic problems that people who write "Select * from table where field=$value" introduce that will ultimately leave the app insecure and open to attack.

DokFLeed wrote:

Hi, I think you got my email wrong. This code isn't what I wrote; this code is a sample of a careless programmer who does not care about security issues, and is fairly weak in development itself. However, you cannot compromise his server because it has magic quotes on. I have done lots of pen-testing and came across many websites that, even if they are hacked, the server is saved because of magic quotes. I hope that explains my argument.

So let me put it this way, since the discussion moved from the How to the Why: with vulnerable, weak code like that, and magic quotes on, how can you get access to the server, knowing that you can inject into SELECT and INSERT statements, again with magic quotes on!

Cheers,
DokFLeed

----- Original Message -----
From: "Brad Lhotsky" <lhotskyb () grc nia nih gov>
To: "DokFLeed" <dokfleed () dokfleed net>
Cc: <webappsec () securityfocus com>; "Steve Slater" <slater () handsonsecurity com>
Sent: Tuesday, October 17, 2006 1:21 AM
Subject: Re: Magic Quotes

-- 
Brad Lhotsky <lhotskyb () grc nia nih gov>
NCTS Computer Specialist
Phone: 410.558.8006
"Freedom, Privacy, Security. Choose Two."
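The thread turns on the pattern Brad quotes, "Select * from table where field=$value", and on DokFLeed's point that magic_quotes can be stripped when an application wants the raw input. The following is an added illustration, not code posted by either participant: it normalizes request data so the application behaves the same whether magic_quotes_gpc is on or off, and then puts the careless query beside a form that does not rely on any quoting layer at all, because the value is bound as a parameter rather than interpolated into the SQL string. The table and column names, the sample rows and the use of an in-memory SQLite database (so the script runs offline) are assumptions made for the example; a production deployment would point the PDO DSN at its real database.

```php
<?php
// Added example for the thread's argument; not code from any message above.
// Assumptions: a table `users` (id, name) and a few constructed rows.

// Undo magic_quotes_gpc so the application sees the value the client actually sent.
// get_magic_quotes_gpc() disappeared in PHP 8, so the function_exists() guard
// makes this a no-op on current versions and a stripslashes() pass on old ones.
function normalize_request(array $data): array
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        array_walk_recursive($data, function (&$v) {
            $v = stripslashes($v);
        });
    }
    return $data;
}

// The pattern quoted in the thread: the value is pasted into the statement text,
// so the database cannot distinguish data from SQL syntax. magic_quotes only
// touches quote characters; it does not change what this line does.
function find_user_unsafe(PDO $pdo, $value): array
{
    return $pdo->query("SELECT * FROM users WHERE id=$value")->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: check that the input has the shape the column expects, then
// send the value separately from the statement as a typed parameter.
function find_user(PDO $pdo, string $value): array
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Same approach for a string column, the case magic_quotes was meant to cover:
// a name containing quotes is matched literally because it never becomes SQL text.
function find_user_by_name(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed demo data (in-memory SQLite so the script runs anywhere) ---
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    // On MySQL you would also set PDO::ATTR_EMULATE_PREPARES => false so the
    // server, not the client library, performs the parameter binding.
]);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$seed = $pdo->prepare('INSERT INTO users (name) VALUES (:name)');
foreach (["alice", "o'brien", "bob"] as $n) {
    $seed->execute([':name' => $n]);
}

$_POST = normalize_request(['id' => '2', 'name' => "o'brien"]); // constructed request

print_r(find_user($pdo, $_POST['id']));            // row 2 only
print_r(find_user_by_name($pdo, $_POST['name']));  // the quote in the name is just data

try {
    find_user($pdo, '2 or 1');                    // rejected before any SQL is built
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The point for the hosting scenario DokFLeed describes is that the hardened functions behave identically with magic_quotes_gpc on or off: the server-wide setting neither helps nor hurts them, which is exactly why Brad calls it a band-aid rather than a fix. The unsafe function is kept only to show the shape of code that the setting cannot rescue, since its problem is the unquoted interpolation itself, not the presence or absence of backslashes.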