Re: Magic Quotes

["DokFLeed" <dokfleed () dokfleed net>]

The fact remains most programmers will skip security sanitation even if they 
know how to do it, maybe they don't have time till the "due date":)
somehow, I liked the magic_quotes , I thought it was something that PHP 
added , stripping it wasn't that hard, just calling some extra procedures, 
so for the ones who care, there was a work around, and for the ones who 
don't, it saved their servers.
I would feel more confident knowing that my server can stand against some 
website with a vulnerable application, which I have to offer him hosting 
anyway.
I worked for the past 2 years on a project 
http://freshmeat.net/projects/labrova/ , the new version NG should be 
released by 2007, to help programmers who don't care about security.

though the discussion is diverted, my question remains, is there a way to 
get around the magic quotes ?

cheers
DokFLeed


----- Original Message ----- 
From: "Brad Lhotsky" <lhotskyb () mail nih gov>
To: "DokFLeed" <dokfleed () dokfleed net>
Cc: <webappsec () securityfocus com>
Sent: Tuesday, October 17, 2006 7:01 PM
Subject: Re: Magic Quotes


> Well, it's good to hear that you're the one doing the pentesting.
> However, the MagicQuotes does not solve the problem, it bandaids it.
> The problem is bad programming, and regardless  of the Magic Quotes, if
> the programmers developing the app are writing code like that, the
> chances are,  Magic Quotes isn't going to take it from "insecure" to
> "Secure", it'll just slide it ever so trivially closer to "secure".
>
> Rest assured, that there will be projects like Hardened-PHP and
> mod_security that will work with PHP6 to bandaid fix most common
> programmer errors.  It's those interesting logic problems that people
> who write "Select * from table where field=$value" introduce that will
> ultimately leave the app insecure and open to attack.
>
> DokFLeed wrote:
> > Hi,
> > I think you got my email wrong, this code isn't what I wrote, this code
> > is a sample of a careless programmer who does not care about security
> > issues, and fairly weak in development itself, however,  you can not
> > compromise his server because it has magic quotes on.
> > I have done lots of pen-testing and came across many websites, that even
> > if they are hacked, the server is saved because of magic quotes.
> > I hope that explains my argument.
> >
> > so let me put it this way, since the discussion moved from the How to 
> > Why.
> > with a vulnerable weak code like that, and magic quotes are on, how can
> > you get access to the server, knowing that you can inject to SELECT,
> > INSERT statements , again with magic quotes on!
> >
> > cheers
> > DokFLeed
> >
> >
> > ----- Original Message ----- From: "Brad Lhotsky"
> > <lhotskyb () grc nia nih gov>
> > To: "DokFLeed" <dokfleed () dokfleed net>
> > Cc: <webappsec () securityfocus com>; "Steve Slater"
> > <slater () handsonsecurity com>
> > Sent: Tuesday, October 17, 2006 1:21 AM
> > Subject: Re: Magic Quotes
>
> --
> Brad Lhotsky <lhotskyb () grc nia nih gov>
> NCTS Computer Specialist
> Phone: 410.558.8006
> "Freedom, Privacy, Security.  Choose Two."


-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire was recently named the worldwide market leader in Web 
application security assessment tools by both Gartner and IDC. Download a 
free trial of AppScan today and see why more customers choose AppScan 
then any other solution.

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTO
--------------------------------------------------------------------------