[EMAIL PROTECTED] wrote:
> First how did that bad guy "execute" the query without hitting the
> submit button or entering the captcha code and how did it bypass the
> check function.
You're running queries before you do your captcha check in your code.

    if (!isset($_POST['securityImageValue']) || !isset($_SESSION['strSec'])
        || md5($_POST['securityImageValue']) != $_SESSION['strSec'])
    {
        $page = $join_pages_num;
        $add_on .= report_err ( _t("_SIMG_ERR") );
    }

Is halfway down the page, and even after the code notices there is no
security image, it STILL keeps running and performing queries.
As for sending without hitting the submit, all forms have to post their
data to something, the submit button is just for a human to use.
> I have tried running the query like registration.php?query but that
> didn't work.
Try registration.php?page=1'INSERT but I would suppose that depends on
your server how it would end up dealing with that.
> Any ideas about how I can reproduce this problem would be greatly
> appreciated and any suggestions about how to fix it would be even more
> greatly appreciated. 8-)
I'm assuming you don't have the time/money to really rewrite your code
properly and have it commented so you can understand it.
As such, here are a couple lazy solutions:
Follow the instructions to download and install it from the FAQ
http://php-ids.org/faq/
Take their sample code and stick it at the top of the code you want to
protect.
Change these lines:
    if (!$result->isEmpty()) {
        // Take a look at the result object
        echo $result;
    }

Into
    if (!$result->isEmpty()) {
        // Take a look at the result object
        if ($result->getImpact() > 5) {
            // Being lazy here, abort abort potential attack
            // you really ought to be logging this stuff somewhere
            exit;
        }
    }

Adjust the impact number (in my example 10) until you have a number that
catches attackers but not legitimate traffic.
Also modify the lazy solution and have it notify you in some manner,
log, email, whatnot about what it did.
Another lazy solution, if you have full control over your server and are
running Apache2, is to use mod_security http://www.modsecurity.org/
Both these solutions do nothing to fix your code, so when someone finds
a way to circumvent their detection algorithms you are still as
vulnerable as ever. They're just quick fixes until you can have your code
rewritten.
_______________________________________________
New York PHP Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk
NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com
Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php
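The ordering problem described in the reply above (the CAPTCHA check sits halfway down the page and the script keeps running queries after it fails), shown fixed as an added example; this is not code from the thread or from the original poster's registration.php. The helper name captcha_ok, the $pdo connection details, the members table and the username/email fields are assumptions made for the example; only securityImageValue and strSec come from the posted code.

```php
<?php
// Added example, not from the original thread.
// Principle: the CAPTCHA check runs before any database work and aborts
// on failure, so an unsolicited POST never reaches a query.
session_start();

function captcha_ok(array $post, array $session): bool
{
    // Both the submitted value and the expected hash must be present.
    if (!isset($post['securityImageValue'], $session['strSec'])) {
        return false;
    }
    // The session stores md5 of the code (as in the posted snippet);
    // hash_equals compares in constant time.
    return hash_equals($session['strSec'], md5($post['securityImageValue']));
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !captcha_ok($_POST, $_SESSION)) {
    // Nothing has touched the database yet: record the failure and stop here.
    error_log('registration: CAPTCHA check failed from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    exit('Security image did not match.');
}

// The code is single use, so a solved CAPTCHA cannot be replayed.
unset($_SESSION['strSec']);

// Only now connect and insert, with bound parameters so a value such as
// page=1'INSERT arrives as data rather than as SQL. Connection details are
// placeholders (assumption).
$pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);
$stmt = $pdo->prepare('INSERT INTO members (username, email) VALUES (:u, :e)');
$stmt->execute([
    ':u' => $_POST['username'] ?? '',
    ':e' => $_POST['email'] ?? '',
]);
```

The two changes that matter are the early exit (no query can run once the check fails, whether or not the submit button was ever clicked) and the prepared statement, which closes the page=1'INSERT style of input regardless of what the front-end filter (PHPIDS or mod_security) happens to catch.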