Very Big Sql Injection Hole
aghhh! injection? in a premium modification? >.<
Example: Warn.php?&do=ViewWarnings&id=1/

Input isn't escaped before being put into the SQL query. Seriously, what the ****. A premium modification that doesn't even check the input :o

I made a fix: open warn.php and find:

Code:
// #######################################################################

Below that insert:

Code:
//SQL-safe modification
Look up top at the example I posted.
Pimpery, not all of us have extreme experience in SQL or PHP or the works. From the example you show, I can assume two things:

1. The problem is that anyone can see the admin's warnings.
2. The slash at the end may allow hackers to insert code (for this I am not sure, but having spent some time reading articles I found here containing the phrase "SQL injection", that's what I assume).

I am going to spend some more time today figuring out this whole issue, but what I fail to understand is the function you provided. So, please, instead of just posting a warning thread saying VERY BIG HOLE, WOLF, WOLF, you could spend some minutes helping me understand how to close the hole and how to use that code. As I said, not all of us were born with that knowledge.

Rgds
In the Warning System (v3.1.9), in Warn.php on line 332 you are running a potentially unsafe query (for example, if a user enters non-numerical input as the id variable). If you enter a string that doesn't start with a number (such as "foo") as the id, the code will catch the problem on lines 328-330; however, if the string entered starts with a number (such as "3foo"), it will pass through the check fine.

In order to fix this, before lines 328-330 add:

PHP Code:

PHP Code:
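The "3foo" bypass described in the post above, as an added standalone example. This is not code from the Warning System modification or from vBulletin; it reconstructs the shape of the bug (the id is sanity-checked as a number, but the raw string is what reaches the query) next to the hardened form. The table and column names, and the exact form of the original check, are assumptions.

```php
<?php
// Added example, not the modification's own code. Reconstructs the pattern
// described in the thread: a numeric check on $_GET['id'] that the raw string
// then bypasses on its way into the SQL. Table/column names are assumed.

// Vulnerable pattern (assumed reconstruction of the check around lines 328-332).
function build_query_unsafe(string $id): ?string
{
    // intval("foo") is 0, so "foo" is rejected; intval("3foo") is 3, so it
    // passes the check...
    if (intval($id) < 1) {
        return null;                       // the "invalid id" error path
    }
    // ...but the raw, unescaped string is what gets interpolated into the query.
    return "SELECT * FROM warnings WHERE userid = " . $id;
}

// Hardened pattern: cast once, then use only the integer. Casting the value
// to an int before it touches SQL is what the thread's globalize(..., INT)
// call is meant to achieve.
function build_query_safe(string $id): ?string
{
    $uid = intval($id);
    if ($uid < 1) {
        return null;
    }
    return "SELECT * FROM warnings WHERE userid = " . $uid;
}

// Constructed inputs: a legitimate id, the two strings discussed in the post,
// and an injection payload that also happens to start with a digit.
$inputs = ['1', 'foo', '3foo', '1 OR 1=1'];

foreach ($inputs as $in) {
    printf("%-12s unsafe: %s\n", var_export($in, true), build_query_unsafe($in) ?? 'rejected');
    printf("%-12s safe:   %s\n", '',                    build_query_safe($in)   ?? 'rejected');
}
```

Run with `php example.php`. With "3foo" the unsafe version emits `WHERE userid = 3foo` (a syntax error at best), and with "1 OR 1=1" it emits `WHERE userid = 1 OR 1=1`, which returns every user's warnings; the safe version reduces both to `WHERE userid = 3` and `WHERE userid = 1`. For string parameters (the STR/STR_NOHTML case asked about later in the thread) a cast does not apply: the value has to be escaped with the database driver's escaping function or bound through a prepared statement, since addslashes() alone is not a MySQL-aware escape.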
Thanks for the details, much appreciated. I have already been working on this since this morning, and I have globalized all the _GET or _POST variables. But I was not aware that you can just use $id instead of $_GET['id']. So any variable entered in the globalize function can then be used with the part within the brackets; that's what I figure out from looking at the globalize code. Am I correct? And how do you differentiate if you have a _GET['do'] and a _POST['do']? Also, for STR variables, apart from globalizing them (maybe using STR_NOHTML), is it also necessary to addslashes them? Again, thanks for the input, sincerely appreciated.
PHP Code:

If you only want input from _GET, you use $_GET as the first parameter of globalize(); if you only want input from _POST, you use $_POST. If you want input from both and don't care which one is used, you can use $_REQUEST.
Also, I tried echoing a _GET variable before and after the globalize command, and indeed the contents are different. Can I still use $_GET['xxx'] after the globalize, or is it a must that I should use $xxx? Tnx again
The first parameter of globalize is passed along as a reference, so the original variable is changed and you could continue to use $_GET['foo'] after globalizing it. However, it is usually much less to write if you just use $foo instead, and it will make the code look a bit nicer.
Many thanks for this quite interesting tutorial. Really very, very helpful. I have applied your suggestions, and I'll release a new version of AWS in a while. Kind regards and many thanks
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.