Re: Notice about seconds overroll - S7K bug

From: Tonu Samuel (tonuat_private)
Date: Fri Sep 14 2001 - 11:27:24 PDT


    On 12 Sep 2001 12:05:13 +0200, Robert Bihlmeyer wrote:
    > > In MySQL we suggested people to use quotation marks around integer
    > > values.
    > 
    > Which won't protect you from '; attacks, of course. So why not just
    > make sure that it is a real integer (ahem)? In Perl it would be as
    > easy as adding zero.
    
    I will not start fighting your flame as most of it was, let's say,
    just "misinformed" stuff. And I do not know what a '; attack is. There
    are two separate things - one is closing strings with ' or ", the other
    thing is the semicolon.
    
    1. Semicolon - this is not interpreted by MySQL as some special
    character. Some people think that it is possible to do something with
    it but they are just confused. The semicolon is handled in the MySQL
    command line client! Because there is no way to return multiple results
    for a single query, there is also no way to send two queries with a
    single call. No semicolon attacks.
    
    2. ' or " can protect integers well when used properly. Assume that
    there is a URL like http://something/show.php?id=10 and in the PHP page
    it is called like:
    
    mysql_query("select * from table where id=".addslashes($id)); 
    
    Intruder changes URL to http://something/show.php?id=10%20or%201=1%34
    which changes command to: select * from table where id=10 or 1=1
    
    I do not want to go into more details as script kiddies also read this
    list, but there are many ways to use it. There is not much we can do in
    MySQL to change this behaviour. The way you seem to think we suggest to
    avoid attacks, and which you are ironic about, is making it:
    
    mysql_query("select * from table where id='".addslashes($id)."'"); 
    which comes to:
    select * from table where id='10 or 1=1'
    or 
    select * from table where id='10\' or 1=1'
    
    And you probably know what happens when you do an atoi() call on that
    string? I see no possibility to go through this protection....
    
    -- 
    For technical support contracts, goto https://order.mysql.com/
       __  ___     ___ ____  __
      /  |/  /_ __/ __/ __ \/ /    Mr. Tonu Samuel <tonuat_private>
     / /|_/ / // /\ \/ /_/ / /__   MySQL AB, Security Administrator
    /_/  /_/\_, /___/\___\_\___/   Hong Kong, China
           <___/   www.mysql.com
    
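An added example (Python, not code from the original post or from MySQL) that rebuilds the two query constructions discussed in the thread against a constructed SQLite table, and adds the strict integer check Robert's "adding zero" remark points at. The `addslashes` helper is a minimal stand-in for the PHP function, and the table name `t` and its rows are assumptions; the quoted form uses MySQL's backslash escaping, which SQLite does not parse, so it is only built here, not executed.

```python
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample table standing in for the post's "table"; not real data.
conn = sqlite3.connect(":memory:")
conn.execute("create table t (id integer primary key, name text)")
conn.executemany("insert into t values (?, ?)",
                 [(10, "ten"), (11, "eleven"), (12, "twelve")])

# The tampered URL parameter from the post, decoded as PHP would see it in $id.
PAYLOAD = unquote("10%20or%201=1")          # -> "10 or 1=1"

def addslashes(s: str) -> str:
    """Minimal stand-in for PHP addslashes(): backslash-escape ' " \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))

def unquoted_query(id_param: str) -> str:
    """The post's vulnerable form: escaped, but concatenated without quotes."""
    return "select * from t where id=" + addslashes(id_param)

def quoted_query(id_param: str) -> str:
    """The post's suggested form: escaped and wrapped in single quotes."""
    return "select * from t where id='" + addslashes(id_param) + "'"

def parse_id(id_param: str):
    """Robert's point: accept only a real decimal integer, otherwise None."""
    return int(id_param) if re.fullmatch(r"[0-9]{1,18}", id_param) else None

def rows_for(query: str):
    """Run an unquoted-style query against the sample table; returns ids hit."""
    return [row[0] for row in conn.execute(query)]

def safe_rows_for(id_param: str):
    """Validate first, then bind the integer instead of pasting it into SQL."""
    id_value = parse_id(id_param)
    if id_value is None:
        return []
    return [row[0] for row in conn.execute("select * from t where id=?", (id_value,))]

if __name__ == "__main__":
    print(unquoted_query(PAYLOAD), "->", rows_for(unquoted_query(PAYLOAD)))
    print(quoted_query(PAYLOAD))
    print(quoted_query("10' or 1=1"))
    print("validated:", safe_rows_for(PAYLOAD), safe_rows_for("10"))
```

Running it shows the unquoted form returning every row for the tampered id, while the validated path returns nothing for the same input and exactly one row for a plain "10".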



    This archive was generated by hypermail 2b30 : Fri Sep 14 2001 - 12:33:37 PDT