Thread: PHP/MySQL Possible Security Vulnerability?

  1. #1

    PHP/MySQL Possible Security Vulnerability?

    During the course of my learning PHP and interfacing with MySQL, it has been brought to my attention that, with proper URL encoding, a MySQL query can be passed to the server through a function that writes to the current database.

    This may seem common knowledge, and already discussed in other forums, but, I don't care..

    Point about my site:

    1) Anyway, on my site, I use session cookies to monitor the validity of a logged in user. This is checked on every page that is accessed. If this session variable is not there, the user is considered 'logged out' and asked to reauthenticate their login.

    2) We were trying to compromise the registration script that I wrote by passing a URL encoded query to the server by activating a 'fake' request for registration. In the encoded URL there was a trigger to activate the registration function (this had been verified as correct because, uh, I wrote it) and the query string was passed to the server with the correct table names, with column variable names. (Also verified because I told the user that was working on this)

    3) We also verified that the string to the SQL server was queried by a user that has write access to the database.

    Now, with all of this done.. the vulnerability failed. My question is why? Yes, I know it sounds like there isn't one there, but, all signs point to that it should have worked. The user's login was authenticated, the correct function was accessed, and the URL was passing the correct variables to the script. We just couldn't get it to write to the server.

    If anyone has ideas on why this won't work, or what we may be doing wrong and how to make it work, please post so that I can correct the code.

    Thanks.. I guess..
    Jason Parker - http://www.o-negative.net
    o-Negative: Information Network

  2. #2
    /me gives a big round of applause to parker for posting, I know it took a lot of courage man?! hehe
    RiOtEr

  3. #3

    Re: PHP/MySQL Possible Security Vulnerability?

    Originally posted here by jparker[]
    During the course of my learning PHP and interfacing with MySQL, it has been brought to my attention that, with proper URL encoding, a MySQL query can be passed to the server through a function that writes to the current database.
    That's not entirely true.

    3) We also verified that the string to the SQL server was queried by a user that has write access to the database.

    Now, with all of this done.. the vulnerability failed. My question is why?
    PHP escapes special characters to prevent SQL injection. A single quote is read as \' and a double quote is read as \". Backticks are also filtered to prevent someone from running something on the local machine. It's entirely probable that that is why your exploit didn't work.

    Yes, I know it sounds like there isn't one there, but, all signs point to that it should have worked. The user's login was authenticated, the correct function was accessed, and the URL was passing the correct variables to the script. We just couldn't get it to write to the server.

    If anyone has ideas on why this won't work, or what we may be doing wrong and how to make it work, please post so that I can correct the code.
    Talk to me in IRC, I may have a few ideas.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
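An added example, not code from the thread, showing what the reply above describes: with the quote escaped as \' the string literal cannot be closed early, so the value is stored as text rather than parsed as SQL, and the prepared-statement form that does not rely on escaping at all. The table and column names and the connection details are assumptions.

```php
<?php
// Added example, not code from the thread. Table/column names and the
// connection details are assumptions made for illustration.

// Emulates the legacy magic_quotes_gpc behaviour the reply refers to:
// addslashes() puts a backslash before ' " \ and NUL in request data.
function legacy_escape(string $value): string
{
    return addslashes($value);
}

// Builds the registration INSERT the way a 2001-era script would, by string
// concatenation. Because the quote arrives as \' the literal never closes
// early, which is why a quoted-string injection attempt fails here.
function build_insert_legacy(string $username): string
{
    return "INSERT INTO users (username) VALUES ('" . legacy_escape($username) . "')";
}

// Constructed sample input containing a single quote.
echo build_insert_legacy("o'neill"), PHP_EOL;

// addslashes() knows nothing about the connection character set and only
// helps for values placed inside quotes; magic_quotes itself was removed in
// PHP 5.4. The robust fix is a prepared statement: the SQL text is sent on
// its own and the value is bound separately, so no escaping is involved.
function register_user(mysqli $db, string $username): bool
{
    $stmt = $db->prepare("INSERT INTO users (username) VALUES (?)");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $username);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Usage, assuming a reachable MySQL server (placeholder credentials):
// $db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
// var_dump(register_user($db, $_GET['user'] ?? ''));
```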
