Security Basics mailing list archives
Re: Overwriting an uninitialized local variable in PHP
From: Anton Dobrin <anton.dobrin () gmail com>
Date: Thu, 22 Feb 2007 23:39:31 -0500
You do realize the code has an operation-critical mistake in it, right?

Robert Larsen wrote:
> Kellox wrote:
>> A PHP script looks like this:
>>
>> $sort_mode = $_GET['sort'];
>> if($sort_mode = 'ascendend')
>>     $query = "....";
>> else if($sort_mode = 'descendend')
>>     $query = "....";
>> ...
>> mysql_query($query) or die();
>>
>> My question is if there is a way to "initialize" the variable $query myself as an attacker from the outside, so that I can write my own SQL query.
>
> Yes. If PHP has been configured with "register_globals = On" or it is an old version where this is the default, you can do something like this:
>
> http://vulnerablesite.com/vulnerable_script.php?sort=undefined&query=select username, password from users
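A hardened form of the script pattern discussed in this thread, as an added example that is not part of any poster's message: the query is initialised before any branch and the `sort` value only selects from a fixed allowlist. The names `build_query` and `SORT_SQL`, the `users` table and its columns are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Table and column names are assumed.

// Allowlist: the request value only selects one of these fixed SQL fragments.
// A keyed lookup replaces the if/else chain, so there is no comparison
// operator to mistype ("=" assigns, "==" compares).
const SORT_SQL = [
    'ascendend'  => 'ORDER BY username ASC',
    'descendend' => 'ORDER BY username DESC',
];

/**
 * Build the query from request parameters (pass $_GET in a real script).
 * Working inside a function keeps $query a local variable, which
 * register_globals (removed in PHP 5.4) could never populate.
 */
function build_query(array $params): string
{
    // Initialised unconditionally: no code path leaves $query undefined.
    $query = 'SELECT id, username FROM users ';

    $sort = $params['sort'] ?? 'ascendend';
    // Reject array-valued input (?sort[]=x) and anything not on the allowlist.
    if (!is_string($sort) || !array_key_exists($sort, SORT_SQL)) {
        $sort = 'ascendend';
    }

    return $query . SORT_SQL[$sort];
}

// Constructed sample requests, standing in for $_GET.
$requests = [
    ['sort' => 'descendend'],
    ['sort' => 'undefined', 'query' => 'SELECT 1'], // extra parameter is ignored
    ['sort' => ['x']],                              // array-valued parameter
];

foreach ($requests as $request) {
    echo build_query($request), PHP_EOL;
}
```

Only the first request changes the ordering; the other two fall back to the default query, and no request parameter ever reaches the SQL text.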