[27780] in bugtraq


Re: PHP-Nuke SQL Injection Vulnerability

daemon@ATHENA.MIT.EDU (Predrag Damnjanovic)
Sat Nov 9 01:48:52 2002

From: Predrag Damnjanovic <bugtraq@zastita.co.yu>
To: bugtraq@securityfocus.com
Date: Mon, 4 Nov 2002 16:39:06 +0100
Message-Id: <200211041636.19799.bugtraq@zastita.co.yu>

David Endler wrote:
> If the attacker's UID is 2, he or she can then launch the attack by
> requesting the following URL:
>
> modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage=
> no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/*
> [...]
>   +--[ bio          = '\',

Well, this is impossible if "magic_quotes_gpc" is ON, because %5c will be 
passed as \\ , not as \ .
Then we have:
bio          = '\\',
and SQL injection is absolutely impossible.

I really don't know why PHP-Nuke does not check magic_quotes.

In my PHP engine the first task is checking 'magic_quotes', and if it is OFF, then 
simply turn it ON:
if (get_magic_quotes_gpc()==0) set_magic_quotes_runtime (1);

This line should be at the top of init script of every PHP engine.

P.S. 'magic_quotes' is by default ON on many web-hosting servers, so I think 
that this vulnerability will not affect all sites with PHP-Nuke.
...except if PHP-Nuke explicitly turns magic_quotes off ?!?

Regards,
Predrag Damnjanovic
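As an added illustration (not code from the original post or from PHP-Nuke), the following Python models the quoted request against an assumed saveuser-style UPDATE statement and shows what reaches the SQL parser outside string literals with magic_quotes_gpc OFF versus ON (addslashes semantics); the query shape and column order are assumptions.

```python
# Added example: models the effect of magic_quotes_gpc on the quoted request.
# The UPDATE skeleton below is an assumption, not PHP-Nuke's real query.

# Constructed from the URL quoted in the thread ('+' decodes to a space).
REQUEST = {"uid": "2", "bio": "\\", "newsletter": ", bio=0, pass=md5(1)/*"}


def addslashes(s):
    """PHP addslashes() / magic_quotes_gpc: backslash-prefix ' \" \\ and NUL."""
    return "".join("\\" + c if c in "'\"\\" else ("\\0" if c == "\0" else c)
                   for c in s)


def build_update(params, magic_quotes_gpc):
    """Assumed saveuser-style query: request values pasted into quoted literals."""
    if magic_quotes_gpc:
        params = {k: addslashes(v) for k, v in params.items()}
    return ("UPDATE nuke_users SET bio='%(bio)s', newsletter='%(newsletter)s' "
            "WHERE uid='%(uid)s'" % params)


def split_sql(sql):
    """Split SQL into ('code'|'str'|'comment', text) segments the way a MySQL
    parser sees single-quoted literals with backslash escapes and /* comments.
    Raises ValueError on an unterminated literal."""
    segments, buf, in_str, i = [], [], False, 0
    while i < len(sql):
        c = sql[i]
        if in_str and c == "\\" and i + 1 < len(sql):   # escaped char in literal
            buf.append(sql[i:i + 2]); i += 2; continue
        if not in_str and sql.startswith("/*", i):       # rest is commented out
            segments.append(("code", "".join(buf)))
            segments.append(("comment", sql[i:]))
            return segments
        if c == "'":                                     # literal boundary
            segments.append(("str" if in_str else "code", "".join(buf)))
            buf, in_str = [], not in_str
        else:
            buf.append(c)
        i += 1
    if in_str:
        raise ValueError("unterminated string literal")
    segments.append(("code", "".join(buf)))
    return segments


def code_outside_literals(sql):
    """Text the SQL parser treats as statement code, i.e. not inside quotes.
    With magic_quotes_gpc OFF the bio=\\ value escapes the closing quote and
    the newsletter value lands here; with it ON every value stays a literal.
    (Parameterised queries avoid the problem without relying on magic_quotes.)"""
    return "".join(t for kind, t in split_sql(sql) if kind == "code")
```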
