WebApp Sec mailing list archives

Re: Magic Quotes

From: "DokFLeed" <dokfleed () dokfleed net>
Date: Thu, 12 Oct 2006 05:14:20 +0400

such a simple SQL like
"SELECT * from USERS WHERE id =$id";
can lead to a total hack of the SERVER not just the web application.
so far the only thing keeping it from happening is the magic quotes,
so even with a dumb programmer, the server is safe coz of magic quotes,
why is it going to be removed in php6 !!!!
if you can insert your own PHP code into the database then

run a select to dump the info to a file on the server using INTO OUTFILE'/home/z.php'as you can see the problem right now is the ' in the OUTFILE syntax, and itis magic quotes that is taking care of the server :)


bottom line magic quotes rulez

Dok

----- Original Message -----From: "Steve Slater" <slater () handsonsecurity com>

To: "DokFLeed" <dokfleed () dokfleed net>; <webappsec () securityfocus com>
Sent: Wednesday, October 11, 2006 3:11 AM
Subject: Re: Magic Quotes

At 04:00 AM 10/06/06, DokFLeed wrote:

if there is noway around Magic Quotes, then why is every developer againstit ?
Dok


You can often get around it, depending upon the app and the query.

Here is one that works...or at least did work at the time. It's prettyold:


http://packetstormsecurity.nl/0311-exploits/phpBB206.txt

What if your query uses a numeric query value? Then there is
no quote needed to perform an injection. For example:

SELECT * from db.table where column = 1100

What if I change 1100 to: -9999 union select * from whatever.whatever

(No quotes needed here...)

Just give your team an example of how prepared statements work
and it won't take more than an extra minute to copy it for each new DB
query. Then you don't have to worry about it.

Steve



==================================================

Steve Slater
President

Security Compliance Corporation
120 Village Square, Suite 76
Orinda, CA 94563
(866) 657-4550

http://www.securitycompliancecorp.com
slater () securitycompliancecorp com



-------------------------------------------------------------------------
Sponsored by: Watchfire

Watchfire's AppScan is the industry's first and leading web applicationsecurity testing suite, and the only solution to provide comprehensiveremediation tasks at every level of the application. See for yourself.Download a Free Trial of AppScan today!


https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YTJ
--------------------------------------------------------------------------

Current thread:

Google code search Stephen de Vries (Oct 04)
- Re: Google code search Zapotek (Oct 05)
- Re: Google code search Ryan Barnett (Oct 05)
- Magic Quotes DokFLeed (Oct 09)
  - Message not available
    - Re: Magic Quotes DokFLeed (Oct 10)
  - Re: Magic Quotes Tomek Perlak (Oct 10)
    - RE: Magic Quotes Matt Fisher (Oct 11)
  - Re: Magic Quotes Steve Slater (Oct 11)
    - Re: Magic Quotes DokFLeed (Oct 15)
    - Re: Magic Quotes Brad Lhotsky (Oct 16)
    - Message not available
    - Re: Magic Quotes DokFLeed (Oct 17)
    - Re: Magic Quotes Brad Lhotsky (Oct 17)
    - Re: Magic Quotes DokFLeed (Oct 17)