Hi,
I think you got my email wrong, this code isn't what I wrote, this code is a
sample of a careless programmer who does not care about security issues, and
fairly weak in development itself, however, you can not compromise his
server because it has magic quotes on.
I have done lots of pen-testing and came across many websites, that even if
they are hacked, the server is saved because of magic quotes.
I hope that explains my argument.
so let me put it this way, since the discussion moved from the How to Why.
with a vulnerable weak code like that, and magic quotes are on, how can you
get access to the server, knowing that you can inject to SELECT, INSERT
statements , again with magic quotes on!
cheers
DokFLeed
----- Original Message -----
From: "Brad Lhotsky" <lhotskyb@grc.nia.nih.gov>
To: "DokFLeed" <dokfleed@dokfleed.net>
Cc: <webappsec@securityfocus.com>; "Steve Slater"
<slater@handsonsecurity.com>
Sent: Tuesday, October 17, 2006 1:21 AM
Subject: Re: Magic Quotes
It's bad programming practice to use the code you've demonstrated in
production, with or without magic quotes. PHP suffers from too many bad
tutorials. Much like Perl, the fact that it's easy to use from the
beginning means there's a ton of bad code. The signal to noise ratio
with PHP, even large php projects, is terribly low.
Hopefully php6 will include lexical scopes regardless of the enclosing
block.
Don't write code like that. Use variable bindings, provided by MySQL
Improved (http://www.php.net/manual/en/ref.mysqli.php). PHP is shaping
the language in response to growing and much validated security
concerns. It's not the language's job to protect the server as you so
eloquently stated. Any good programming language should allow for the
programmer to completely annihilate the server in exotic and creative
ways.
It's the job of the programmer and system administrator to protect the
server. If you or your colleagues are writing code like your example,
it might be wise to invest in Web Application Security training. At the
very least, have your sysadmin compile Hardened-PHP and run through
apache with mod_security enabled and locked down.
DokFLeed wrote:
such a simple SQL like
"SELECT * from USERS WHERE id =$id";
can lead to a total hack of the SERVER not just the web application.
so far the only thing keeping it from happening is the magic quotes,
so even with a dumb programmer, the server is safe coz of magic quotes,
why is it going to be removed in php6 !!!!
if you can insert your own PHP code into the database then
run a select to dump the info to a file on the server using INTO
OUTFILE '/home/z.php'
as you can see the problem right now is the ' in the OUTFILE syntax, and
it is magic quotes that is taking care of the server :)
bottom line magic quotes rulez
Dok
----- Original Message ----- From: "Steve Slater"
<slater@handsonsecurity.com>
To: "DokFLeed" <dokfleed@dokfleed.net>; <webappsec@securityfocus.com>
Sent: Wednesday, October 11, 2006 3:11 AM
Subject: Re: Magic Quotes
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download a Free Trial of AppScan today!
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
--------------------------------------------------------------------------
--
Brad Lhotsky <lhotskyb@grc.nia.nih.gov>
NCTS Computer Specialist
Phone: 410.558.8006
"Freedom, Privacy, Security. Choose Two."
-------------------------------------------------------------------------
Sponsored by: Watchfire
Watchfire was recently named the worldwide market leader in Web
application security assessment tools by both Gartner and IDC. Download a
free trial of AppScan today and see why more customers choose AppScan
then any other solution.
https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTO
--------------------------------------------------------------------------
