Posted by Ignoramus20689 on 08/22/06 21:31
On Tue, 22 Aug 2006 11:56:19 -0400, Jerry Stuckle <jstucklex@attglobal.net> wrote:
> Ignoramus20689 wrote:
>> While trying to signon at a website, I got the following PHP code
>> back. I suppose that their apache was mistakenly returning php text
>> instead of executing it.
>>
>> <?php
>> if (!defined("INCLUDED"))
>> include "include.php3";
>>
>> $sql = mysql_query("select * from registrants where Account_Username='$username' AND Account_Password='$password'");
>> if (@mysql_num_rows($sql) == 0) {
>> include "registrationphp.html";
>> } else {
>> include "upcomingregister.php3";
>> }
>>
>> ?>
>>
>> I am not a PHP expert (I do mod_perl), but it would seem that this
>> code is likely to be a good candidate for SQL injection attack. Is
>> that the case? If so, I would write to them.
>>
>> For instance, I could supply a password between >>> and <<<:
>>
>>
>> >>>' or 1=1 or a = 'a<<<
>>
>>
>> and sign on as any username known to me (these are not hard to find
>> out; this is an auctioneer who displays the high bidder id)
>>
>> i
>>
>
> It depends on what validation they've done on the userid and password.
> There may be some in the included file, for instance.
true
> Or, they could be running with register_globals being on and doing no
> validation, in which case this would be a serious security hole.
I do not know what typically may be in that include file, but I have a
feeling that possibly they simply dump the form contents into
variables.
> But the code's not being executed anyway, which means they have other
> problems, also :-)
Yeah. :")
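As an added example (not code from this thread or from the site in question), the quoted check rebuilt so it runs stand-alone: the interpolated query shape from the post is shown beside a prepared-statement login that reads the form fields explicitly instead of relying on register_globals and checks a stored hash. It assumes PDO with the SQLite driver; the table layout is taken from the post, and the user row is constructed.

```php
<?php
// Added example, not code from the thread. Uses an in-memory SQLite table
// via PDO (constructed data) so no MySQL server or include file is needed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE registrants (Account_Username TEXT, Account_Password TEXT)');
// Store a password hash, never the plaintext the original query compares against.
$ins = $pdo->prepare('INSERT INTO registrants VALUES (?, ?)');
$ins->execute(['bidder42', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Same shape as the quoted code: the input is spliced into the SQL text, so a
// quote character in $password rewrites the WHERE clause instead of being
// compared as a value. Shown for contrast only; nothing below executes it.
function unsafeQuery(string $username, string $password): string
{
    return "select * from registrants where Account_Username='$username'"
         . " AND Account_Password='$password'";
}

// Hardened form: the username is a bound parameter, so the driver keeps it as
// data whatever it contains, and the password is verified in PHP against the
// stored hash rather than inside the SQL statement.
function login(PDO $pdo, string $username, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT Account_Password FROM registrants WHERE Account_Username = ?'
    );
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();           // false when no such user
    return $hash !== false && password_verify($password, $hash);
}

// Read the fields explicitly (register_globals would otherwise populate
// $username and $password from any request parameter).
$username = $_POST['username'] ?? 'bidder42';
$password = $_POST['password'] ?? "' or 1=1 or a = 'a";   // the string from the post

echo unsafeQuery($username, $password), "\n";   // WHERE clause has been restructured
var_dump(login($pdo, $username, $password));    // the same string is only compared as data
var_dump(login($pdo, 'bidder42', 'correct horse'));
```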