Home page logo
/

basics logo Security Basics mailing list archives

Re: Overwriting an uninitialized local variable in PHP
From: Anton Dobrin <anton.dobrin () gmail com>
Date: Thu, 22 Feb 2007 23:39:31 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You do realize the code has a operation - critical mistake in it, right?

Robert Larsen wrote:
Kellox wrote:

A PHP script looks like this:

$sort_mode = $_GET['sort'];
if($sort_mode = 'ascendend') $query = "....";
else if($sort_mode = 'descendend') $query = "....";
...
mysql_query($query) or die();


My question is if there is a way to "initialize" the variable $query
myself as an attacker from the outside, so that I can write my on SQL
query.

Yes. If PHP has been configured with "register_globals = On" or it is an
old version where this is the default you can do something like this:
http://vulnerablesite.com/vulnerable_script.php?sort=undefined&query=select
username, password from users

---------------------------------------------------------------------------
This list is sponsored by: BigFix

If your IT fails, you're out of business - or worse.  Arm your 
enterprise with BigFix, the single converged IT security and operations 
engine. BigFix enables continuous discovery, assessment, remediation, 
and enforcement for complex and distributed IT environments in real-time 
from a single console.
Think what's next. Think BigFix. 

http://ad.doubleclick.net/clk;82309979;15562032;o?http://www.bigfix.com/ITNext/
---------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (MingW32)

iD8DBQFF3nADaB/XS7qurU0RAqfvAJ0WXBC2dMz1WHRZ2LyGY8upRvU7CgCeLtA5
GkcU0IASKpdWW9b9qF9jWN4=
=/cgl
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
This list is sponsored by: BigFix

If your IT fails, you're out of business - or worse.  Arm your 
enterprise with BigFix, the single converged IT security and operations 
engine. BigFix enables continuous discovery, assessment, remediation, 
and enforcement for complex and distributed IT environments in real-time 
from a single console.
Think what's next. Think BigFix. 

http://ad.doubleclick.net/clk;82309979;15562032;o?http://www.bigfix.com/ITNext/
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]