Bugtraq mailing list archives

Re: TWIG SQL query bugs
From: "Ben Efros" <Ben () Efros com>
Date: Mon, 28 May 2001 12:53:58 -0700

Simply adding a quote is not the proper way to handle this in PHP.

Consider the following:
$IDNumber is user-supplied.

$query="SELECT field,otherfield from table where ID='" . $IDNumber . "'";

What if $IDNumber were to be " ' OR otherfield=325 OR ID=' " (ignore the
double quotes...)
Your new query would be:
$query="SELECT field,otherfield from table where ID=' ' OR otherfield=325 OR ID=' '";

This could produce results that break the security of your application.

There are two workarounds:
 1) Force number fields to be numbers via type casting.  Example:
$query="SELECT field,otherfield from table where ID='" . ((int)$IDNumber) . "'";
 2) Always use addslashes() to any form posted variable.  Example:
$query="SELECT field,otherfield from table where ID='" . addslashes($IDNumber) . "'";

PHP used to have an option to automatically use addslashes() on any variable
passed to it via POST or GET.  Please see your PHP.INI file and set the
appropriate setting for "magic_quotes_gpc".

----- Original Message -----
From: "Luki Rustianto" <luki () karet org>
To: <bugtraq () securityfocus com>
Sent: Monday, May 28, 2001 7:00 AM
Subject: TWIG SQL query bugs

I can't find the person who is really in charge of developing twig, so I am
mailing about this bug to the person who announced the new version of twig
about two months ago.

Subject:              Unquoted SQL query => potential damage
Software package:     TWIG Webmail
Software Site:        HTTP://twig.screwdriver.net
Version tested:       2.6.2 and below (used with MySQL, didn't check
Platform:             Platform independent with PHP
Result:               Any user with valid email account can delete or
                      other user's data on mysql database.
Proof Of Concept:     Attached

Problem Description:
Unquoted SQL query string is a little mistake that could lead to potential
TWIG free PHP Webmail system is affected. As we know, MySQL accepts a
query string if the field type is int, mediumint, tinyint or the like.
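The following is an added example, not code from either post above, illustrating Ben Efros's reply: the spliced-string query that the quoted payload breaks, the two workarounds he gives (integer casting and addslashes()), and, going one step beyond the thread, a prepared statement, which is the approach that replaced magic_quotes_gpc (removed from PHP in 5.4). The `demo` table, its rows and the sample payload are constructed here; the prepared-statement part assumes the pdo_sqlite extension is available.

```php
<?php
// Added example (not from the Bugtraq thread). Demonstrates the query
// constructions discussed in the reply plus a prepared statement.

// Constructed sample input, echoing the payload quoted in the reply.
$supplied = " ' OR otherfield=325 OR ID=' ";

// 1. The vulnerable construction: the user value becomes part of the SQL text,
//    so a quote in the value closes the literal and the rest is parsed as SQL.
function build_query_unsafe(string $idNumber): string {
    return "SELECT field,otherfield FROM table WHERE ID='" . $idNumber . "'";
}

// 2. Workaround 1 from the reply: force numeric fields to integers.
//    Anything non-numeric becomes 0, so no injected clause can survive.
function build_query_cast(string $idNumber): string {
    return "SELECT field,otherfield FROM table WHERE ID=" . ((int)$idNumber);
}

// 3. Workaround 2 from the reply: escape quotes with addslashes().
//    This neutralises the quote in the payload, but addslashes() knows nothing
//    about the connection's character set, which is why prepared statements
//    are preferred today.
function build_query_addslashes(string $idNumber): string {
    return "SELECT field,otherfield FROM table WHERE ID='" . addslashes($idNumber) . "'";
}

// 4. Prepared statement: the value is sent separately from the SQL text, so
//    the database never parses it as SQL and no escaping is needed.
//    Assumes pdo_sqlite; the demo table exists only for this run.
function lookup_prepared(PDO $db, string $idNumber): array {
    $stmt = $db->prepare('SELECT field, otherfield FROM demo WHERE ID = :id');
    $stmt->execute([':id' => $idNumber]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

echo build_query_unsafe($supplied), "\n";      // payload becomes live SQL
echo build_query_cast($supplied), "\n";        // ... WHERE ID=0
echo build_query_addslashes($supplied), "\n";  // quote escaped as \'

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE demo (ID INTEGER, field TEXT, otherfield INTEGER)');
$db->exec("INSERT INTO demo VALUES (1, 'alice', 325), (2, 'bob', 400)");

var_dump(lookup_prepared($db, $supplied));  // empty: no row has that literal ID
var_dump(lookup_prepared($db, '1'));        // only the row with ID 1
```

Run it with `php example.php`. The first three echoes show the text each construction hands to the database; the two var_dump calls show that the same payload, passed as a bound parameter, simply matches nothing.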
