Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Web-App-Sec
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Magic Quotes

from [Matt Fisher] Network Security [Permanent Link]
Subject: RE: Magic Quotes
Date: Wed, 11 Oct 2006 11:16:58 -0400 


The Santy worm used a simple double-encoded single tick to bypass Magic Quotes. 
 The real problem was the code: it then urldecoded the single-encoded tick at 
that point, but framework tricks like Magic Quotes are not the "end-all be-all" 
defense by any means.  In fact, Magic Quotes was built out ofpure functionality 
and not security according to an interview with Lerdoff (sp?) I had found. 



-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On 
Behalf Of Tomek Perlak
Sent: Tuesday, October 10, 2006 6:20 AM
To: webappsec@securityfocus.com
Subject: Re: Magic Quotes


DokFLeed wrote:

(..)

if there is noway around Magic Quotes, then why is every developer 
against it ?
Dok


I guess it's because it adds a layer of complexity to your code?

Some servers have MQs on, some don't (and you might not have any control over 
that), so you have to code for two cases.

Also, if data sanitation is being done using other functions (such as 
mysql_real_escape_string if you happen to use mysql), the MQs feature is a 
nuisance to deal with, to say the least.

// tp;

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to use 
AppScan in client engagements. AppScan is the leading Web application 
assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------


--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.407 / Virus Database: 268.13.1/466 - Release Date: 10/7/2006
 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.407 / Virus Database: 268.13.1/466 - Release Date: 10/7/2006
 

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application 
security testing suite, and the only solution to provide comprehensive 
remediation tasks at every level of the application. See for yourself. 
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
--------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Magic Quotes, Tomek Perlak
Next by Date:  Re: Magic Quotes, Steve Slater
Previous by Thread:  Re: Magic Quotes, Tomek Perlak
Next by Thread:  Re: Magic Quotes, Steve Slater
Indexes:  [Date] [Thread] [Top] [All Lists]