Bugtraq mailing list archives
Re: PHP Nuke <= 7.8 Multiple SQL Injections
From: hans <hans () lonki xs4all nl>
Date: Sat, 17 Sep 2005 00:18:58 +0200 (CEST)
On Fri, 16 Sep 2005, Matthias Jim Knopf wrote:
What do you gain from that? In what way would you think your advice did ANYTHING GOOD?
Could you please stop topposting? I had to read the complete thread to know what php*uke bug it was related to.
You did neither issue a "addslashes()" as appropriate for SQL-commands, nor did you explain, why a variable set by a POST or a COOKIE could be worse than anything you could give any URL by appending '?name=...' or '&name=...' (->GET vars)
Adding slashes, using register_globals, it's all bad.
These issues are due to a failure in the application to properly sanitize
'Sanitizing' input has always been a problem. Mandrake once supported phpnuke and therefor I commited a 11K line diff to them a few years back. That was to 'sanitize' only part of the problem, mostly some descent behaviour against the used dblayer. Let's stop whining about phppuke, and start using some user input validation. Hans -- <iemand> iemand heeft een gat gevonden in pdp's access.db? bel cnn http://blacklist.kernelnewbies.nl
Current thread:
- PHP Nuke <= 7.8 Multiple SQL Injections r . verton (Sep 12)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 15)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Matthias Jim Knopf (Sep 16)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 16)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Daniel Bonekeeper (Sep 19)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 19)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections hans (Sep 19)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Matthias Jim Knopf (Sep 16)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 15)
- <Possible follow-ups>
- Re: PHP Nuke <= 7.8 Multiple SQL Injections evaders99 (Sep 15)
- Re: PHP Nuke <= 7.8 Multiple SQL Injections Paul Laudanski (Sep 16)