Bugtraq mailing list archives
Re: PHP-Nuke SQL Injection Vulnerability
From: Predrag Damnjanovic <bugtraq () zastita co yu>
Date: Mon, 4 Nov 2002 16:39:06 +0100
David Endler wrote:
If the attacker's UID is 2, he or she can then launch the attack by requesting the following URL: modules.php?name=Your_Account&op=saveuser&uid=2&bio=%5c&EditedMessage= no&pass=xxxxx&vpass=xxxxx&newsletter=,+bio=0,+pass=md5(1)/* [...] +--[ bio = '\',
Well, this is impossible if "magic_quotes_gpc" is ON, because %5c will be passed as \\ , not as \ . Then we have: bio = '\\', and SQL injection is absolutely impossible. I really don't know why PHP-Nuke does not check magic_quotes.

In my PHP engine the first task is checking 'magic_quotes', and if it is OFF, then simply turn it ON:

if (get_magic_quotes_gpc()==0) set_magic_quotes_runtime (1);

This line should be at the top of the init script of every PHP engine.

P.S. 'magic_quotes' is by default ON on many web-hosting servers, so I think that this vulnerability will not affect all sites with PHP-Nuke. ...except if PHP-Nuke explicitly turns magic_quotes off ?!?

Regards,
Predrag Damnjanovic
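The init-time check the reply describes, written out as an added example that is not part of the original post or of PHP-Nuke: it applies addslashes() to the request data itself when the engine has magic_quotes_gpc off, and builds a simplified, constructed version of the saveuser UPDATE to show why the lone backslash from %5c is harmless once escaped. Function and table names are assumptions; it assumes a PHP 5.x interpreter, and the function_exists guard keeps it running on PHP 8, where get_magic_quotes_gpc() no longer exists.

```php
<?php
// Added example (not from the original post or PHP-Nuke). If the engine does not
// escape GET/POST/COOKIE data itself, escape it here, at the top of the init
// script, so a lone "\" cannot swallow the closing quote of a string literal.
// Magic quotes were removed in PHP 5.4; prepared statements are the modern fix.

function add_slashes_deep($value) {
    return is_array($value)
        ? array_map('add_slashes_deep', $value)
        : addslashes($value);
}

function normalize_gpc_quoting() {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return; // engine already escaped the request data
    }
    $_GET    = add_slashes_deep($_GET);
    $_POST   = add_slashes_deep($_POST);
    $_COOKIE = add_slashes_deep($_COOKIE);
}

// Simplified (constructed) version of the saveuser UPDATE, built by string
// concatenation as the vulnerable handler does, so the escaping effect is visible.
function build_saveuser_query($uid, $bio, $newsletter) {
    return "UPDATE nuke_users SET bio='$bio', newsletter='$newsletter' "
         . "WHERE user_id='$uid'";
}

// Constructed request mirroring the advisory: bio is %5c (one backslash) and
// newsletter carries the injected column list.
$uid        = '2';
$bio        = '\\';
$newsletter = ",bio=0,pass=md5(1)/*";

// Unescaped: bio='\' leaves the quote that should end bio escaped, so the text
// up to the next quote becomes the bio string and what follows runs as SQL.
echo build_saveuser_query($uid, $bio, $newsletter), "\n";

// Escaped as magic_quotes_gpc would do: bio='\\' is a literal backslash, the
// string closes where intended, and the injected text stays inside the
// newsletter literal.
normalize_gpc_quoting();
echo build_saveuser_query($uid, addslashes($bio), addslashes($newsletter)), "\n";
```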