Hi folks, I don't know if everyone already knew this, but I haven't been able to find anything about it anywhere...

odbc_execute has a very dangerous 'feature'. I would like to call it a bug, but because someone implemented it on purpose I should call it a feature...

odbc_execute takes two arguments: the odbc result-ID, and an array containing the parameters for this statement. So far so good. Works perfectly. In the parameters you can put any data. Any data! So you can enter characters like e.g. &, *, %... you name it. You can also enter single quotes ('). Nice.

Nope... not nice. If you put a single quote at the start of the parameter and at the end, PHP does something very scary: it reads the _file_(!) and stores it in the database. So if you had the parameter 'myname' you would get an error telling you that the file "myname" couldn't be opened. But... if you use this parameter: '/etc/passwd' No problem! The contents of your password file are stored in the database. Any file readable by your webserver can be 'used' this way. Any file!

So, imagine you have some site containing a textarea input in a form; some user can easily type '/etc/passwd' and then submit the form. When this site also gives the user the possibility to take a look at the data he entered (and this is a very common feature), he gets to see the contents of your password file. And he can do this with any file(!!!!). As long as it's readable by the webserver, users can very easily get the contents of the file!

And... is it documented? NO!!!! Nowhere. Not the mailinglists, not the documentation, not the bugreports, not even in the sources themselves. It's just there! Some security, huh?!

--
* R&zE:

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
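A defensive wrapper for the behaviour described in the post, added here as an example and not part of the original message: it refuses any parameter that both starts and ends with a single quote before the array ever reaches odbc_execute. The function names guarded_odbc_execute and odbc_param_is_file_reference, the DSN and the table in the usage lines are assumptions of this example.

```php
<?php
// Added example: guard user-supplied parameters before they reach odbc_execute().
// odbc_execute() treats a parameter string that both starts and ends with a
// single quote as a file name to read and send to the database, so a value
// quoted that way must never be allowed to come from untrusted input.

/**
 * Returns true when $value would be interpreted by odbc_execute() as a file name.
 */
function odbc_param_is_file_reference($value): bool
{
    if (!is_string($value) || strlen($value) < 2) {
        return false;
    }
    return $value[0] === "'" && substr($value, -1) === "'";
}

/**
 * Executes a prepared ODBC statement, rejecting any parameter that would
 * trigger the file-reading behaviour. Throws instead of silently altering data.
 * (Function name and behaviour are this example's own, not a PHP API.)
 */
function guarded_odbc_execute($stmt, array $params): bool
{
    foreach ($params as $index => $value) {
        if (odbc_param_is_file_reference($value)) {
            throw new InvalidArgumentException(
                "Parameter #$index is wrapped in single quotes and would be read as a file name"
            );
        }
    }
    return odbc_execute($stmt, $params);
}

// Usage (connection details, table and form field are placeholders):
// $conn = odbc_connect('DSN=example', 'user', 'pass');
// $stmt = odbc_prepare($conn, 'INSERT INTO notes (body) VALUES (?)');
// guarded_odbc_execute($stmt, [$_POST['body']]);   // "'/etc/passwd'" -> exception
```

Rejecting the value keeps the original text out of the database; if the application must accept quoted input, strip or alter the outer quotes before calling odbc_execute rather than passing them through.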