Saturday February 11, 2012 @ 10:00:54 GMT+10
Home » Weblog Archives
Powered by D's Bloggie
PHP urldecode() - 8:20 pm
Coding, PHP, Security - poster

Don't call urldecode() on a $_GET variable!

PHP has already URL-decoded the query string once when it built $_GET. Decoding the value a second time gives an attacker an extra decoding layer, and anything that runs on the once-decoded value (magic_quotes_gpc, addslashes(), a hand-written check for quotes) is checking a string that is not the one your code ends up using.

Say you have a script:
script.php
<?php
// Don't do this! $_GET['something'] has already been decoded once by PHP,
// so this second decode lets %25XX sequences turn into fresh characters.
$value = urldecode($_GET['something']);
?>


Exploit:
An attacker requests script.php?something=%2527 [...]

The fact...

%2527 is a single quote that has been percent-encoded twice (%25 is the encoding of %). PHP decodes it once when populating $_GET, so the script receives %27, and your urldecode() then turns that into ' (a single quote). This can be catastrophic when the value is injected into SQL or handed to PHP functions that rely on quotes having been escaped: magic_quotes_gpc runs on the once-decoded value, sees no quote in %27, and therefore cannot protect you.

Eg. the viewtopic.php highlight parameter bug fixed in phpBB 2.0.11 worked exactly this way: the script urldecode()d the value after the quote check had already run.


Solution:
Drop the urldecode() call altogether: $_GET already holds the decoded value, and each sink (SQL, HTML, a redirect header) needs its own escaping or a prepared statement. As a stop-gap, here is the kind of filter you can add. Be aware that stripping specific sequences is a blacklist: it silently corrupts legitimate input containing them and does nothing for the query you build afterwards, so it is no substitute for escaping at the sink.
<?php
$query = htmlspecialchars($_GET['query']);
// Remove encoded quote sequences left over from a double-encoding attempt
$query = str_replace('%2522', '', $query);
$query = str_replace('%27', '', $query);
$query = str_replace('%2527', '', $query);
?>

<?php
// good: $_GET['redirect'] is already URL-decoded once by PHP; escape it for
// HTML output and restore the & that separates query parameters
$safe = str_replace('&amp;', '&', htmlspecialchars($_GET['redirect']));
// bad: the extra urldecode() hands the attacker a second decoding pass
$unsafe = htmlspecialchars(urldecode($_GET['redirect']));
// note: if the value goes into a Location header rather than an HTML page,
// htmlspecialchars() is the wrong escaping for that sink anyway
?>
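To make the exploit above and the fix concrete, here is an added example (my own code, not from the original post) that walks the %2527 request from the raw query string to the SQL text, with the input filter emulated by addslashes(), and then shows the hardened handling that leaves $_GET alone and binds the value at the sink. The query string, the users table and the name column are constructed for illustration; simulateGet(), buildQueryVulnerable() and buildQueryHardened() are names chosen here, not PHP or phpBB functions.

```php
<?php
// Added example, not from the original post. It walks the %2527 attack from
// the request to the SQL string and then shows the hardened handling.
// The query string, table and column names are constructed for illustration.

// Simulate what PHP does when it builds $_GET: one URL-decoding pass over
// the raw query string. parse_str() applies exactly that decoding.
function simulateGet($rawQueryString)
{
    parse_str($rawQueryString, $get);
    return $get;
}

// Vulnerable path, as in the original script: an input filter runs on the
// once-decoded value (magic_quotes_gpc is emulated with addslashes), and
// only afterwards does the application call urldecode() a second time.
function buildQueryVulnerable(array $get)
{
    $filtered = addslashes($get['something']);   // sees "%27", nothing to escape
    $value    = urldecode($filtered);            // now contains a real single quote
    return "SELECT * FROM users WHERE name = '" . $value . "'";
}

// Hardened path: leave $_GET alone (it is already decoded) and keep the
// value out of the SQL text entirely by binding it as a parameter. The
// statement text and the parameter array are returned so this runs without
// a database; with PDO you would pass them to $db->prepare($sql)->execute($params).
function buildQueryHardened(array $get)
{
    return array(
        'sql'    => "SELECT * FROM users WHERE name = :name",
        'params' => array(':name' => $get['something']),
    );
}

// Attacker's request (constructed): %2527 is a single quote percent-encoded
// twice, followed by a tautology and an SQL comment marker.
$rawQueryString = "something=%2527%20OR%201%3D1--%20";
$get = simulateGet($rawQueryString);

echo "raw query string : ", $rawQueryString, "\n";
echo "what \$_GET holds : ", $get['something'], "\n";
echo "vulnerable SQL   : ", buildQueryVulnerable($get), "\n";
$h = buildQueryHardened($get);
echo "hardened SQL     : ", $h['sql'], "\n";
echo "bound parameter  : ", var_export($h['params'], true), "\n";
```

Run it from the command line with php. $_GET holds "%27 OR 1=1-- ", addslashes() leaves it untouched because there is no quote to escape yet, and the vulnerable query ends up as name = '' OR 1=1-- ', while in the hardened version the value never becomes part of the SQL text, so whatever it decodes to cannot change the query's structure.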

PHP register_globals - 6:26 pm
Coding, PHP, Security - poster

There are numerous ways your code becomes insecure when the PHP register_globals directive is set to On: every GET, POST, cookie and session key is turned into a global variable, so request input can overwrite variables your code never intended to take from the client.

Below are a few examples:

Insecure Example 1
<?php
// Assumes register_globals = On and an active session.
session_start();
$_SESSION['test'] = "original";
$test = "modified";
echo $_SESSION['test'];

// With register_globals on, the global $test and $_SESSION['test'] are the
// same variable, so this outputs "modified" instead of "original"
?>


Insecure Example 2
<?php
// Assumes register_globals = On: $something is populated from the request
// without the script ever assigning it.
session_start();
$_SESSION['test'] = $something;
echo $_SESSION['test'];

// Point the browser at the file with a query string appended:
// test.php?something=modified
// The string "modified" will be output
?>
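The two examples above show request input landing in variables; the classic consequence is an authorisation bypass through a control variable that is only ever set on the success path. The following added example (my own code, not from the original post) goes one step beyond the post's $_SESSION cases and shows that bypass beside its fix. It emulates register_globals = On with extract() on a constructed request array so it runs under any php.ini; checkLogin(), vulnerableGate(), hardenedGate(), the alice/secret credentials and the mallory request are all made up for the illustration.

```php
<?php
// Added example, not from the original post. register_globals=On is emulated
// with extract() on a constructed request array so this runs regardless of
// php.ini; the function names, credentials and request are made up.

function checkLogin($user, $password)
{
    // Stand-in for a real credential check: only alice/secret is accepted.
    return $user === 'alice' && $password === 'secret';
}

// A failed login attempt where the attacker also appended ?authorized=1
// to the query string (constructed input).
$request = array(
    'user'       => 'mallory',
    'password'   => 'wrong',
    'authorized' => '1',
);

// Vulnerable: relies on $authorized being unset unless the check passes.
function vulnerableGate(array $request)
{
    // register_globals=On does this step for you, for every GET/POST/cookie key.
    extract($request, EXTR_OVERWRITE);

    if (checkLogin($user, $password)) {
        $authorized = true;
    }
    // $authorized was never initialised here, so the request supplied it.
    return !empty($authorized);
}

// Hardened: initialise every control variable and read input only from the
// request array you intend to trust.
function hardenedGate(array $request)
{
    $authorized = false;
    $user     = isset($request['user']) ? $request['user'] : '';
    $password = isset($request['password']) ? $request['password'] : '';

    if (checkLogin($user, $password)) {
        $authorized = true;
    }
    return $authorized;
}

echo "vulnerable gate lets mallory in: ", var_export(vulnerableGate($request), true), "\n";
echo "hardened gate lets mallory in:   ", var_export(hardenedGate($request), true), "\n";
```

With the constructed request, vulnerableGate() returns true because extract() created $authorized from the query string before the credential check ran, while hardenedGate() returns false. Setting register_globals = Off in php.ini (the default since PHP 4.2) removes the implicit extract(), but initialising variables before use is still the right habit, because the same bug reappears wherever extract() or import_request_variables() is applied to client input.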
Copyright © 2005-2011 Darren's Outpost