Re: Magic Quotes
From: DokFLeed (dokfleed@dokfleed.net)
Date: Tue Oct 17 2006 - 12:57:44 CDT
The fact remains that most programmers will skip security sanitation even if they
know how to do it; maybe they don't have time till the "due date" :)
Somehow, I liked the magic_quotes. I thought it was something that PHP
added; stripping it wasn't that hard, just calling some extra procedures,
so for the ones who care, there was a workaround, and for the ones who
don't, it saved their servers.
I would feel more confident knowing that my server can stand against some
website with a vulnerable application, which I have to offer hosting to
anyway.
I worked for the past 2 years on a project,
http://freshmeat.net/projects/labrova/ ; the new version NG should be
released by 2007, to help programmers who don't care about security.
Though the discussion is diverted, my question remains: is there a way to
get around the magic quotes?
cheers
DokFLeed
----- Original Message -----
From: "Brad Lhotsky" <lhotskyb@mail.nih.gov>
To: "DokFLeed" <dokfleed@dokfleed.net>
Cc: <webappsec@securityfocus.com>
Sent: Tuesday, October 17, 2006 7:01 PM
Subject: Re: Magic Quotes
> Well, it's good to hear that you're the one doing the pentesting.
> However, Magic Quotes does not solve the problem; it bandaids it.
> The problem is bad programming, and regardless of the Magic Quotes, if
> the programmers developing the app are writing code like that, the
> chances are Magic Quotes isn't going to take it from "insecure" to
> "secure"; it'll just slide it ever so trivially closer to "secure".
>
> Rest assured that there will be projects like Hardened-PHP and
> mod_security that will work with PHP6 to bandaid-fix the most common
> programmer errors. It's those interesting logic problems that people
> who write "Select * from table where field=$value" introduce that will
> ultimately leave the app insecure and open to attack.
>
> DokFLeed wrote:
>> Hi,
>> I think you got my email wrong. This code isn't what I wrote; this code
>> is a sample from a careless programmer who does not care about security
>> issues, and is fairly weak in development itself. However, you cannot
>> compromise his server because it has magic quotes on.
>> I have done lots of pen-testing and came across many websites that, even
>> if they are hacked, the server is saved because of magic quotes.
>> I hope that explains my argument.
>>
>> So let me put it this way, since the discussion moved from the How to
>> the Why.
>> With vulnerable, weak code like that, and magic quotes on, how can
>> you get access to the server, knowing that you can inject into SELECT and
>> INSERT statements, again with magic quotes on!
>>
>> cheers
>> DokFLeed
>>
>>
>> ----- Original Message -----
>> From: "Brad Lhotsky" <lhotskyb@grc.nia.nih.gov>
>> To: "DokFLeed" <dokfleed@dokfleed.net>
>> Cc: <webappsec@securityfocus.com>; "Steve Slater" <slater@handsonsecurity.com>
>> Sent: Tuesday, October 17, 2006 1:21 AM
>> Subject: Re: Magic Quotes
>>
>>
>
> --
> Brad Lhotsky <lhotskyb@grc.nia.nih.gov>
> NCTS Computer Specialist
> Phone: 410.558.8006
> "Freedom, Privacy, Security. Choose Two."
>
>
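Brad's point above, that magic_quotes only escapes quote characters and does nothing for a value dropped into an unquoted numeric context like "where field=$value", can be checked directly. The following is an added example, not code from the thread: it emulates PHP's magic_quotes_gpc/addslashes() escaping in Python against an in-memory sqlite3 table (a constructed sample), runs the interpolated query beside a parameterized one, and shows which of the two actually confines the lookup to a single row.

```python
import sqlite3


def magic_quotes(value: str) -> str:
    """Emulate PHP magic_quotes_gpc / addslashes(): backslash-escape single
    quotes, double quotes, backslashes and NUL bytes; everything else passes."""
    out = []
    for ch in value:
        if ch in ("'", '"', "\\"):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\0")
        else:
            out.append(ch)
    return "".join(out)


def setup() -> sqlite3.Connection:
    """Constructed sample table: each id should return exactly one name."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_interpolated(conn: sqlite3.Connection, raw_id: str) -> list:
    """The pattern from the thread: the request value is escaped the way
    magic_quotes would and then concatenated into SQL without quotes.
    Since the numeric context contains no quote characters, the escaping
    has nothing to act on and the value is parsed as SQL."""
    sql = f"SELECT name FROM users WHERE id={magic_quotes(raw_id)} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, raw_id: str) -> list:
    """The fix: validate the type up front and bind the value as a parameter,
    so it is never parsed as part of the statement."""
    if not raw_id.isdigit():
        raise ValueError("id must be a positive integer")
    return [row[0] for row in conn.execute(
        "SELECT name FROM users WHERE id=? ORDER BY id", (int(raw_id),))]
```

The same escaping would neutralize a quote inside a MySQL string literal, which is the one case magic_quotes was built for; sqlite3 uses doubled quotes rather than backslashes, so that case is deliberately not modelled here.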