Re: Magic Quotes

From: DokFLeed (dokfleeddokfleed.net)
Date: Tue Oct 17 2006 - 04:22:15 CDT


Hi,
I think you got my email wrong; this code isn't what I wrote. This code is a
sample from a careless programmer who does not care about security issues and
is fairly weak in development itself; however, you cannot compromise his
server because it has magic quotes on.
I have done lots of pen-testing and come across many websites where, even if
they are hacked, the server is saved because of magic quotes.
I hope that explains my argument.

So let me put it this way, since the discussion moved from the How to the Why.
With vulnerable, weak code like that, and magic quotes on, how can you
get access to the server, knowing that you can inject into SELECT and INSERT
statements, again with magic quotes on!

cheers
DokFLeed

----- Original Message -----
From: "Brad Lhotsky" <lhotskybgrc.nia.nih.gov>
To: "DokFLeed" <dokfleeddokfleed.net>
Cc: <webappsecsecurityfocus.com>; "Steve Slater"
<slaterhandsonsecurity.com>
Sent: Tuesday, October 17, 2006 1:21 AM
Subject: Re: Magic Quotes

> It's bad programming practice to use the code you've demonstrated in
> production, with or without magic quotes. PHP suffers from too many bad
> tutorials. Much like Perl, the fact that it's easy to use from the
> beginning means there's a ton of bad code. The signal-to-noise ratio
> with PHP, even in large PHP projects, is terribly low.
>
> Hopefully php6 will include lexical scopes regardless of the enclosing
> block.
>
> Don't write code like that. Use variable bindings, provided by MySQL
> Improved (http://www.php.net/manual/en/ref.mysqli.php). PHP is shaping
> the language in response to growing and much validated security
> concerns. It's not the language's job to protect the server as you so
> eloquently stated. Any good programming language should allow for the
> programmer to completely annihilate the server in exotic and creative
> ways.
>
> It's the job of the programmer and system administrator to protect the
> server. If you or your colleagues are writing code like your example,
> it might be wise to invest in Web Application Security training. At the
> very least, have your sysadmin compile Hardened-PHP and run it through
> Apache with mod_security enabled and locked down.
>
> DokFLeed wrote:
>> Such a simple SQL statement like
>> "SELECT * from USERS WHERE id =$id";
>> can lead to a total hack of the SERVER, not just the web application.
>> So far the only thing keeping it from happening is the magic quotes,
>> so even with a dumb programmer the server is safe coz of magic quotes.
>> Why is it going to be removed in php6!!!!
>> If you can insert your own PHP code into the database, then
>> run a SELECT to dump the info to a file on the server using INTO
>> OUTFILE '/home/z.php'.
>> As you can see, the problem right now is the ' in the OUTFILE syntax, and
>> it is magic quotes that is taking care of the server :)
>>
>> Bottom line: magic quotes rulez
>>
>> Dok
>>
>> ----- Original Message ----- From: "Steve Slater"
>> <slaterhandsonsecurity.com>
>> To: "DokFLeed" <dokfleeddokfleed.net>; <webappsecsecurityfocus.com>
>> Sent: Wednesday, October 11, 2006 3:11 AM
>> Subject: Re: Magic Quotes
>>
>>
>>
>>
>
> --
> Brad Lhotsky <lhotskybgrc.nia.nih.gov>
> NCTS Computer Specialist
> Phone: 410.558.8006
> "Freedom, Privacy, Security. Choose Two."
>
>

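The query at the centre of this thread, "SELECT * from USERS WHERE id =$id", rewritten as an added example (not code from either poster) so that it no longer depends on magic_quotes_gpc. It uses the mysqli bound parameters Brad refers to; the table name, column name and connection credentials are assumptions.

```php
<?php
// Added example, not from the thread. Shows why magic quotes does not cover
// the query discussed above and how a bound parameter does.

// The form from the thread. magic_quotes_gpc only backslash-escapes the
// characters ' " \ and NUL in request data. Here $id is not inside quotes at
// all, so any non-numeric request value is spliced into the SQL untouched
// and can change the statement's structure, magic quotes or not.
function find_user_unsafe(mysqli $db, string $id): ?array
{
    $result = $db->query("SELECT * FROM USERS WHERE id = $id");
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened form: a mysqli prepared statement with a bound integer parameter.
// The SQL text reaches the server without any user data in it; the value is
// sent separately and is treated as data, never as SQL.
function find_user_safe(mysqli $db, string $id): ?array
{
    // Reject anything that is not a plain unsigned integer before it gets
    // near the database; this is an extra check, not the main defence.
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $db->prepare('SELECT * FROM USERS WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $id);           // 'i' marks an integer parameter
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Usage; credentials and database name are placeholders.
$db = new mysqli('localhost', 'app_user', 'app_password', 'app_db');
if ($db->connect_error) {
    die('connect failed: ' . $db->connect_error);
}
$id = $_GET['id'] ?? '';
var_dump(find_user_safe($db, $id));
```

With find_user_safe(), an id such as "1 OR 1=1" is rejected by ctype_digit() and, even if the check were removed, could only ever be compared against the id column as a value, so the INTO OUTFILE concern raised in the thread does not arise.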