WebApp Sec mailing list archives
RE: Magic Quotes
From: "Matt Fisher" <mfisher () spidynamics com>
Date: Wed, 11 Oct 2006 11:16:58 -0400
The Santy worm used a simple double-encoded single tick to bypass Magic Quotes. The real problem was the code: it then urldecoded the single-encoded tick at that point, but framework tricks like Magic Quotes are not the "end-all be-all" defense by any means. In fact, Magic Quotes was built out ofpure functionality and not security according to an interview with Lerdoff (sp?) I had found. -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Tomek Perlak Sent: Tuesday, October 10, 2006 6:20 AM To: webappsec () securityfocus com Subject: Re: Magic Quotes DokFLeed wrote:
(..) if there is noway around Magic Quotes, then why is every developer against it ? Dok
I guess it's because it adds a layer of complexity to your code? Some servers have MQs on, some don't (and you might not have any control over that), so you have to code for two cases. Also, if data sanitation is being done using other functions (such as mysql_real_escape_string if you happen to use mysql), the MQs feature is a nuisance to deal with, to say the least. // tp; ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire has new programs available for pen testers and consultants to use AppScan in client engagements. AppScan is the leading Web application assessment tool. Want to see it for yourself? Take a look today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz -------------------------------------------------------------------------- -- No virus found in this incoming message. Checked by AVG Free Edition. Version: 7.1.407 / Virus Database: 268.13.1/466 - Release Date: 10/7/2006 -- No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.1.407 / Virus Database: 268.13.1/466 - Release Date: 10/7/2006 ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire's AppScan is the industry's first and leading web application security testing suite, and the only solution to provide comprehensive remediation tasks at every level of the application. See for yourself. Download a Free Trial of AppScan today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ --------------------------------------------------------------------------
Current thread:
- Google code search Stephen de Vries (Oct 04)
- Re: Google code search Zapotek (Oct 05)
- Re: Google code search Ryan Barnett (Oct 05)
- Magic Quotes DokFLeed (Oct 09)
- Message not available
- Re: Magic Quotes DokFLeed (Oct 10)
- Message not available
- Re: Magic Quotes Tomek Perlak (Oct 10)
- RE: Magic Quotes Matt Fisher (Oct 11)
- Re: Magic Quotes Steve Slater (Oct 11)
- Re: Magic Quotes DokFLeed (Oct 15)
- Re: Magic Quotes Brad Lhotsky (Oct 16)
- Message not available
- Re: Magic Quotes DokFLeed (Oct 17)
- Re: Magic Quotes Brad Lhotsky (Oct 17)
- Re: Magic Quotes DokFLeed (Oct 17)