WebApp Sec mailing list archives

RE: Magic Quotes

From: "Matt Fisher" <mfisher () spidynamics com>
Date: Wed, 11 Oct 2006 11:16:58 -0400



The Santy worm used a simple double-encoded single tick to bypass Magic Quotes.  The real problem was the code: it then 
urldecoded the single-encoded tick at that point, but framework tricks like Magic Quotes are not the "end-all be-all" 
defense by any means.  In fact, Magic Quotes was built out ofpure functionality and not security according to an 
interview with Lerdoff (sp?) I had found. 



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tomek Perlak
Sent: Tuesday, October 10, 2006 6:20 AM
To: webappsec () securityfocus com
Subject: Re: Magic Quotes


DokFLeed wrote:

(..)

if there is noway around Magic Quotes, then why is every developer 
against it ?
Dok

I guess it's because it adds a layer of complexity to your code?

Some servers have MQs on, some don't (and you might not have any control over that), so you have to code for two cases.

Also, if data sanitation is being done using other functions (such as mysql_real_escape_string if you happen to use
mysql), the MQs feature is a nuisance to deal with, to say the least.

// tp;

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire has new programs available for pen testers and consultants to use AppScan in client engagements. AppScan is
the leading Web application assessment tool. Want to see it for yourself? Take a look today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz
--------------------------------------------------------------------------

--
No virus found in this incoming message.
Checked by AVG Free Edition.
Version: 7.1.407 / Virus Database: 268.13.1/466 - Release Date: 10/7/2006

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.407 / Virus Database: 268.13.1/466 - Release Date: 10/7/2006

-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download a Free Trial of AppScan today!

https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
--------------------------------------------------------------------------

Current thread:

Google code search Stephen de Vries (Oct 04)
- Re: Google code search Zapotek (Oct 05)
- Re: Google code search Ryan Barnett (Oct 05)
- Magic Quotes DokFLeed (Oct 09)
  - Message not available
    - Re: Magic Quotes DokFLeed (Oct 10)
  - Re: Magic Quotes Tomek Perlak (Oct 10)
    - RE: Magic Quotes Matt Fisher (Oct 11)
  - Re: Magic Quotes Steve Slater (Oct 11)
    - Re: Magic Quotes DokFLeed (Oct 15)
    - Re: Magic Quotes Brad Lhotsky (Oct 16)
    - Message not available
    - Re: Magic Quotes DokFLeed (Oct 17)
    - Re: Magic Quotes Brad Lhotsky (Oct 17)
    - Re: Magic Quotes DokFLeed (Oct 17)