Information Assurance
Bugtraq Analysis
RunCMS SQL Injection Exploit
Bugtraq (issue 2427) code snippet:
else if ( empty($_POST['message']) ) {
    redirect_header("javascript:history.go(-1)", 2, _MD_ERRORMESSAGE);
    exit();
}
else {
    // Vulnerable line: $_POST['forum'] is spliced straight into the query,
    // unquoted and unescaped, so the request parameter controls the WHERE clause.
    $sql = "SELECT * FROM ".$bbTable['forums']." WHERE forum_id = ". $_POST['forum']."";
    if (!$result = $db->query($sql)) {
        redirect_header("index.php", 2, _MD_CANTGETFORUM);
        exit();
    }
I. Problem: SQL Injection
a) incorrect treatment of escape characters
b) loosely typed variables: e.g. a string vs. an integer
Example*:
"SELECT * FROM users WHERE name = '" + userName + "';"
Possible Exploits:
userName = a';
II. Prevention: Alternatives?
a) Prevent user input
b) allow user to choose input from pre-selected options (i.e. dropdowns)
c) or...
III. Prevention: Sanitize input
a) escape input variables
ensures dangerous characters (quotes, EOLs, etc.) are rendered harmless. This is a blacklisting technique, however, so you may miss something.
b) use parameters
stmt = conn.PrepareStmt("select * from arrested_dev where name = ?", name = prepString("MichaelBluth"));
many web-oriented languages have their own sanitizing libraries (Ruby, PHP, etc.)
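The forum_id lookup from the advisory, rewritten as an added example (not RunCMS code) in Python with an in-memory SQLite table standing in for the MySQL forums table; the schema and rows are constructed for the demo. The vulnerable version concatenates the request value like the snippet above, the hardened version applies both fixes from section III: it enforces the integer type and binds the value as a parameter.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the RunCMS forums table (assumed schema;
    # the page only shows that it is queried by forum_id).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forums (forum_id INTEGER PRIMARY KEY, forum_name TEXT)")
    db.executemany("INSERT INTO forums VALUES (?, ?)",
                   [(1, "General"), (2, "Support"), (3, "Staff only")])
    return db


def lookup_forum_vulnerable(db, forum):
    # Same pattern as the advisory: the POST value is concatenated into the
    # query unquoted, so the caller controls the rest of the WHERE clause.
    sql = "SELECT * FROM forums WHERE forum_id = " + forum
    return db.execute(sql).fetchall()


def lookup_forum_safe(db, forum):
    # Fix 1: a forum id is an integer; reject anything that is not one
    # (this is whitelisting by type rather than blacklisting characters).
    try:
        forum_id = int(forum)
    except (TypeError, ValueError):
        raise ValueError("forum must be an integer id")
    # Fix 2: bind the value as a parameter; the driver never splices it
    # into the SQL text, so it cannot change the query's structure.
    sql = "SELECT * FROM forums WHERE forum_id = ?"
    return db.execute(sql, (forum_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 OR 1=1"):
        print("vulnerable", repr(value), lookup_forum_vulnerable(db, value))
        try:
            print("safe      ", repr(value), lookup_forum_safe(db, value))
        except ValueError as err:
            print("safe      ", repr(value), "rejected:", err)
```

Run as a script it shows the concatenated query returning every forum for the second input while the parameterised lookup refuses it.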
*SQL Injection example adapted from: http://en.wikipedia.org/wiki/Sql_injection