must read for server ops: vulnerability in charmover
I audited the stock charmover code and found a problem. If magic quotes are disabled it is possible to inject SQL, and since the utility requires UPDATE privileges on its account this could be pretty bad.
The two variables plugged into the SQL statements that come from user input are login server name and character name. In the stock build, everywhere this occurs they come with single quotes around them. If magic quotes are disabled it would allow a user to inject a quote to get out of that particular literal. If you have modified your charmover and have a user-passed variable that is plugged into one of your SQL statements, and that variable is not surrounded by quotes, OR you have magic quotes disabled, you should fix it quick. If you are not sure one way or another you need to apply something like the code below. FYI, magic quotes escapes any escape or quote in a user-passed variable. The code below will add escapes to a variable if magic quotes is off. Code:
if (!get_magic_quotes_gpc()) {
    // magic quotes off: escape quotes and backslashes ourselves
    $lsusername = addslashes($_POST['lsusername']);
} else {
    // magic quotes on: PHP has already escaped the value
    $lsusername = $_POST['lsusername'];
}
|
I guess I could explain further... say you got
Code:
$name = $_POST['name'];
Code:
blahblahblah'; DROP ALL TABLES;--
Code:
SELECT * FROM table WHERE name = 'blahblahblah'; DROP ALL TABLES;--'
Code:
SELECT * FROM table WHERE name = 'blahblahblah\'; DROP ALL TABLES;--'
I don't mean any harm to anyone's database by posting this, I'm only posting it because there is a workaround, or so you can take the tool down if you are worried. Probably everyone will find that they aren't vulnerable since it's the default behavior, but you need to be aware that when PHP6 comes out magic quotes will no longer be there, as far as I know. As far as I know the code up top will still work in PHP6. Sometime in the next few weeks or next month I will be rewriting the tool from the ground up and including it in magelo with a good amount of security on it. Sorry it will be slow to get out, I'm changing a lot of core features of the magelo clone and want to really test it well. |
Quote:
However, you could attempt to discover an admin password from the account table using subqueries and a bit of trial and error. As for a fix, I don't know that I'd recommend just depending on escaping quotes, but rather validating the actual submitted value. Specifically, since we're just looking at a name, there shouldn't be any spaces, special characters, numbers, etc. So, we could do a simple Regular Expression: Code:
^[A-Za-z]+$ |
Correct me if I'm wrong... but PHP just passes the string to MySQL and it decides what to do with it... why would PHP validate database input? And I agree the alla clone is a mess for validation.
What I've been doing in the mag clone is only allowing alpha characters in there using a PHP function, similar to your regex. That was the same plan I had for character name... as for username I wouldn't mind getting a list of allowed characters from the devs here. |
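The two fixes the thread discusses, put side by side as an added example (not code from charmover or from anyone in this thread): the letters-only whitelist from the quoted regex, the unsafe string-spliced query the first post describes, and the same lookup done with a bound parameter. The `characters` table and its rows are constructed in an in-memory SQLite database so the script runs stand-alone; the column names are assumptions, not the tool's schema.

```php
<?php
// Whitelist from the thread, anchored so the WHOLE value must be letters,
// not just one character somewhere inside it.
function validName(string $name): bool {
    return preg_match('/^[A-Za-z]+$/', $name) === 1;
}

// Constructed sample data (not the real charmover schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE characters (name TEXT, level INTEGER)");
$db->exec("INSERT INTO characters VALUES ('Soandso', 50), ('Other', 12)");

// The pattern the first post warns about: input spliced into the SQL text.
// With magic quotes off, a quote inside $name ends the literal early and the
// rest of the input is parsed as SQL.
function lookupUnsafe(PDO $db, string $name): array {
    $sql = "SELECT name, level FROM characters WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: reject anything outside the whitelist, then bind the value
// so the driver sends it as data and it can never change the query shape.
function lookupSafe(PDO $db, string $name): array {
    if (!validName($name)) {
        return [];   // refuse rather than trying to escape it
    }
    $stmt = $db->prepare("SELECT name, level FROM characters WHERE name = ?");
    $stmt->execute([$name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$good = 'Soandso';
$bad  = "x' OR '1'='1";   // constructed input: breaks out of the literal

// Unsafe path: the second call returns every row because the WHERE clause
// has been rewritten by the input.
echo count(lookupUnsafe($db, $good)), " row(s) unsafe, real name\n";
echo count(lookupUnsafe($db, $bad)),  " row(s) unsafe, quote breakout\n";
// Safe path: the real name still resolves; the breakout never reaches SQL.
echo count(lookupSafe($db, $good)),   " row(s) safe, real name\n";
echo count(lookupSafe($db, $bad)),    " row(s) safe, quote breakout\n";
```

Run with `php example.php`; the pdo_sqlite extension is required.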
Yeah, from php.net
Is this stuff we really want to discuss in an open forum?
|
Quote:
a) Fix them. b) Learn from them. c) Get server ops to update their code. |
Plus the people who would use this most likely know how to do it already.
|
AndMetal is correct; even with access to only one query there are still several things that can be abused.
|
As a workaround I came up with this function, dunno, maybe it will help someone else.