Registrations to Open-AudIT forums are now closed. To ask any new questions please visit Opmantek Community Questions.

Open-AudIT

What's on your network?
It is currently Fri Mar 29, 2024 1:35 am

All times are UTC + 10 hours




Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 
Author Message
 Post subject: SQL injection
PostPosted: Mon Nov 13, 2006 11:19 am 
Offline
Newbie

Joined: Mon Nov 13, 2006 10:13 am
Posts: 9
Another security bug thats very prevalent is SQL injection. Just pick any variable used in list.php or system.php ect for an SQL statement and drop in your own query. Best one to use is the "dir" variable as it finishes the query so its easy to make it something like:

http://<site>/openaudit/list.php?dir=ASC;delete * from.........

This combined with the password bypass vulnerability gives a user unrestricted access to your database:

http://<site>/openaudit/list.php?page=add_pc&dir=ASC;drop .......

Obviously, this is really dangerous. Filtering of the _REQUEST, _POST, and _GET variables are required and can be done in include.php. Just a quick example:

[code]
foreach( array_keys($_REQUEST) as $key ) {
// allow variables to have 0-9 and a-z with underscores and dashes
if( !preg_match("/^[0-9a-z_-]+$/i", $_REQUEST[$key] ) ) {
print("Invalid characters found in \"$key\". Terminating...<br>");
die();
}
}[/code]


Top
 Profile  
Reply with quote  
 Post subject:
PostPosted: Mon Nov 13, 2006 11:34 am 
Yes, that is very bad. If you have some time, feel free to submit patches for this! The plan is to implement a db abstraction such as pear::MDB2, which may fix some things, but yeah, this shouldn't happen. Not to mention, if you look elsewhere in the code, actual SQL queries are passed as vars!! Some of the code has not been given the oversight it has needed. Thanks much, hopefully we can get this fixed before the new year!


Top
  
Reply with quote  
 Post subject:
PostPosted: Mon Nov 13, 2006 12:07 pm 
Offline
Newbie

Joined: Mon Nov 13, 2006 10:13 am
Posts: 9
I've used PHPLIB since it was one of the only abstraction layers back in 2000. Solid, small, works well. But yea if I get time I'm going to work on this project a bit and submit some patches. I really like its usefulness!


Top
 Profile  
Reply with quote  
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 3 posts ] 

All times are UTC + 10 hours


Who is online

Users browsing this forum: No registered users and 2 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for:
Jump to:  
cron
Powered by phpBB® Forum Software © phpBB Group