I'll get flamed for this, but
You don't even really need the tweaks for this to be somewhat reasonable code, just make a few not unreasonable assumptions. First, nothing says there's not additional validation code on the server side. Secondly, assume that the code is a few years old (php has been around 15 years now), so it predates widespread browser acceptance of ajax and it's on an intranet with overseas employees on very slow expensive connections: in that case, it's often much faster to send a lot of data at once rather than force the user to re-establish a connection and post back the page. (2000 names is a bit much, but the developer could easily have said you must re-code if the user count goes over 100 and that was never done).
Publishing the usernames is a security hazard, but not much of one if the entire list is publicly available anyway, which is pretty common. It's possible there's a giant wtf here, it's also possible this was a reasonable solution to a real problem, although it certainly needs updating like lots of code does after a decade.
Captcha is "eros", I'm feeling lucky.
Admin
This is a call for little Bobby Tables!!
Admin
Meh. One app I had to fix let me login as ' OR 1=1 --
Not the regular interface, that one did sanitize the login field. The one that let me use that "login" ... was the administrative section.
Admin
will return the first user, which usually is an admin.
Addendum (2010-11-10 08:53): Ignore this comment -- I forgot what was written in the article.
Admin
Looks like someone did not read the article... The only SQL mentioned in this article was $SQL=mysql_query("SELECT * FROM users"); and NOTHING more... So if I can see clearly, there is NO text concatenation to create an SQL query.
Which means that ANYONE saying that this app is vulnerable to !SQL! injection (just by reading this article) is wrong.... BTW I did not say CODE injection or any other potential security threat...
Admin
This brings back memories..
Back when doing web stuff a decade ago (yes, I'm old) I found it interesting that parts of the single source file was actually executed on three different computers - the db server, the php server, and naturally the browser.
This was, naturally, difficult for some developers to understand, and as such I'd find folk trying to run sql on the browser or javascript on the db server..
Admin
Look at the most used way of writing MySQL in PHP: "SELECT * FROM users WHERE user = '$user' AND pass = '$pass'"
It is exploited using ' OR ''=' as password; keep in mind that AND has precedence over OR in MySQL: "SELECT * FROM users WHERE (user = 'admin' AND pass = '') OR ''=''"
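The login query from the comment above, written the vulnerable way beside a prepared-statement version, as an added example that is not from the article or any commenter. It assumes a PDO connection to MySQL and a `users` table whose `pass` column holds `password_hash()` output; the connection details are placeholders.

```php
<?php
// Added example: the same login written two ways. $user and $pass are
// assumed to arrive straight from the HTTP request.

// Vulnerable: the values are spliced into the SQL text, so a password of
// ' OR ''=' turns the WHERE clause into
//   (user = 'admin' AND pass = '') OR ''=''
// and, because AND binds tighter than OR, the query matches every row.
function loginVulnerable(PDO $pdo, string $user, string $pass): ?array
{
    $sql = "SELECT * FROM users WHERE user = '$user' AND pass = '$pass'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened: the SQL text is fixed and compiled first; the user value is
// sent separately as a parameter, so quotes and OR inside it are data,
// not syntax. The password is checked against a stored hash in PHP,
// so it never appears in the query at all.
function loginHardened(PDO $pdo, string $user, string $pass): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM users WHERE user = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['pass'])) {
        return null;
    }
    unset($row['pass']);
    return $row;
}

// Connection helper (placeholder DSN and credentials). Disabling
// emulated prepares makes PDO use real server-side parameters rather
// than client-side quoting; exception mode stops errors failing silently.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```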
Admin
I saw this article and wanted. Because I've seen the same thing in the wild only worse. The code I saw was almost exactly the same, but spit out email addresses...and it was for a doctor's office website.
Admin
+1