Re: TWIG SQL query bugs

From: Ben Efros (Benat_private)
Date: Mon May 28 2001 - 12:53:58 PDT


    Simply adding a quote is not the proper way to handle this in PHP.
    
    Consider the following:
    $IDNumber is user-supplied.
    
    $query="SELECT field,otherfield from table where ID='" . $IDNumber . "'";
    
    What if $IDNumber were to be " ' OR otherfield=325 OR ID=' " (ignore the
    double quotes...)
    Your new query would be:
    $query="SELECT field,otherfield from table where ID=' ' OR otherfield=325 OR ID=' '";
    
    This could produce results that break the security of your application.
    
    There are two workarounds:
     1) Force number fields to be numbers via type casting.  Example:
    $query="SELECT field,otherfield from table where ID='" . ((int)$IDNumber) . "'";
     2) Always use addslashes() to any form posted variable.  Example:
    $query="SELECT field,otherfield from table where ID='" . addslashes($IDNumber) . "'";
    
    PHP used to have an option to automatically use addslashes() on any variable
    passed to it via POST or GET.  Please see your PHP.INI file and set the
    appropriate setting for "magic_quotes_gpc".
    
    
    ----- Original Message -----
    From: "Luki Rustianto" <lukiat_private>
    To: <bugtraqat_private>
    Sent: Monday, May 28, 2001 7:00 AM
    Subject: TWIG SQL query bugs
    
    
    > I can't find the person who is really in charge of developing twig, so I
    > mailed about this bug to the person who announced the new version of twig
    > about two months ago.
    >
    >
    > --------------------------------------------------------------------------
    > Subject:              Unquoted SQL query => potential damage
    > Software package:     TWIG Webmail
    > Software Site:        http://twig.screwdriver.net
    > Version tested:       2.6.2 and below (used with MySQL, didn't check others)
    > Platform:             Platform independent with PHP
    > Result:               Any user with a valid email account can delete or change
    >                       other users' data in the mysql database.
    > Proof Of Concept:     Attached
    >
    > Problem Description:
    > =====================
    > An unquoted SQL query string is a little mistake that could lead to potential
    > damage.
    > The TWIG free PHP Webmail system is affected. As we know, mysql accepts an
    > unquoted query string if the field type is int, mediumint, tinyint or the like.
    >
    >
    



    This archive was generated by hypermail 2b30 : Wed May 30 2001 - 11:45:26 PDT