Posted by Jerry Stuckle on 08/22/06 15:56
Ignoramus20689 wrote:
 > While trying to signon at a website, I got the following PHP code
 > back. I suppose that their apache was mistakenly returning php text
 > instead of executing it.
 >
 > <?php
 > if (!defined("INCLUDED"))
 >   include "include.php3";
 >
 > $sql = mysql_query("select * from registrants where Account_Username='$username' AND Account_Password='$password'");
 > if (@mysql_num_rows($sql) == 0) {
 >     include "registrationphp.html";
 > } else {
 >     include "upcomingregister.php3";
 > }
 >
 > ?>
 >
 > I am not a PHP expert (I do mod_perl), but it would seem that this
 > code is likely to be a good candidate for SQL injection attack. Is
 > that the case?  If so, I would write to them.
 >
 > For instance, I could supply a password between >>> and <<<:
 >
 >
 > >>>' or 1=1 or a = 'a<<<
 >
 >
 > and sign on as any known to me username (these are not hard to find
 > out, this is an auctioneer who displays high bidder id)
 >
 > i
 >
 
 It depends on what validation they've done on the userid and password.
 There may be some in the included file, for instance.
 
 Or, they could be running with register_globals being on and doing no
 validation, in which case this would be a serious security hole.
 
 But the code's not being executed anyway, which means they have other
 problems, also :-)
 
 --
 ==================
 Remove the "x" from my email address
 Jerry Stuckle
 JDS Computer Training Corp.
 jstucklex@attglobal.net
 ==================
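An added example, not part of the poster's message or Jerry's reply: the quoted query logic reproduced in Python against an in-memory SQLite table, with the string-splicing form beside a parameterized one. The table and column names come from the snippet; the sample rows, the login functions and the constructed tautology password (same shape as the one the poster describes) are assumptions for the demonstration. Against the spliced query the tautology matches every row, so the `mysql_num_rows(...) == 0` check passes for any username; the parameterized query hands the same string to the driver as a literal password and matches nothing.

```python
import sqlite3

# Constructed sample data modelled on the `registrants` table in the quoted snippet.
SAMPLE_ROWS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]

# Constructed tautology password in the form the poster describes: the closing
# quote ends the Account_Password literal and the rest is parsed as SQL.
INJECTED_PASSWORD = "' or 1=1 or 'a'='a"


def make_db():
    """Build an in-memory table with the column names from the quoted PHP."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE registrants (Account_Username TEXT, Account_Password TEXT)"
    )
    conn.executemany("INSERT INTO registrants VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def login_vulnerable(conn, username, password):
    """Mirror of the quoted PHP: request values spliced straight into the SQL text.

    With register_globals on and no validation in the include, $username and
    $password are whatever the client sent, so the client controls the grammar
    of the WHERE clause, not just the values compared.
    """
    sql = (
        "select * from registrants where Account_Username='%s' "
        "AND Account_Password='%s'" % (username, password)
    )
    rows = conn.execute(sql).fetchall()
    # Same decision as `if (@mysql_num_rows($sql) == 0)`: any row means "logged in".
    return len(rows) > 0


def login_parameterized(conn, username, password):
    """Hardened form: placeholders keep the values out of the SQL grammar.

    The driver sends the statement and the values separately, so a quote or
    `or 1=1` inside the password is only ever compared as characters.
    """
    rows = conn.execute(
        "select * from registrants "
        "where Account_Username=? AND Account_Password=?",
        (username, password),
    ).fetchall()
    return len(rows) > 0


def compare(username, password):
    """Run both variants on a fresh table and report what each one decides."""
    conn = make_db()
    try:
        return {
            "vulnerable": login_vulnerable(conn, username, password),
            "parameterized": login_parameterized(conn, username, password),
        }
    finally:
        conn.close()


if __name__ == "__main__":
    # Legitimate credentials: both variants agree.
    print("alice / s3cret      ", compare("alice", "s3cret"))
    print("alice / wrong       ", compare("alice", "wrong"))
    # Tautology password: the spliced query returns every row, so the
    # `== 0` check passes even for a username that exists; the parameterized
    # query finds no row whose password is literally that string.
    print("alice / tautology   ", compare("alice", INJECTED_PASSWORD))
    # Even a username that does not exist "logs in" through the spliced query,
    # which is the "sign on as any username" effect the poster is asking about.
    print("nobody / tautology  ", compare("nobody", INJECTED_PASSWORD))
```

The two functions differ only in how the values reach the database: the spliced form lets the password supply SQL operators, the parameterized form cannot. That is the check Jerry says depends on what the include file validates; with placeholders the outcome no longer depends on any validation upstream.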