Possible mysql injection submit.php line 39

Postby bgshea on Sun Nov 27, 2005 8:08 pm

if( stristr($_POST['pass'], "'") || stristr($_POST['pass'], '"') || stristr($_POST['usr'], "'") || stristr($_POST['usr'], '"') )


A user can enter a '\' and cause invalid queries. Here is a possible fix:
if( stristr($_POST['pass'], "'") ||
stristr($_POST['pass'], '"') ||
stristr($_POST['usr'], "'") ||
stristr($_POST['usr'], '"') ||
stristr($_POST['usr'], '\\') ||
stristr($_POST['pass'], '\\') )

That should weed out an attempt to input \user\ and cause invalid queries. I'm sure people can think of more creative things to cause mysql injection exploits.

The '/' seems to be okay in mysql queries, so I don't see a need to filter it out.

Another suggestion: phpLogCon should log bad u/p attempts including time, date, and IP/DNS name. Maybe something to think about for the next release. Not that anyone would have this viewable to the public anyway.

I usually log in to ssh and forward a port to an internal server to access high security stuff, but...

If there is a better place to post these messages please let me know.
bgshea
Avarage
 
Posts: 19
Joined: Sun Nov 27, 2005 6:57 pm
Location: Earth
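
An alternative to extending the character blacklist in the post above, as an added example that is not part of the thread and not phpLogCon's code: a login check that uses a prepared statement, so quotes and backslashes in `usr` and `pass` never become part of the SQL text, together with the failed-attempt logging the post suggests. The `users` table, its columns and `check_login()` are hypothetical, and an in-memory SQLite database stands in for MySQL so the example runs offline.

```php
<?php
// Added example, not phpLogCon code. Table, column and function names are hypothetical.
// SQLite in memory via PDO keeps it self-contained; for MySQL change the DSN and
// set PDO::ATTR_EMULATE_PREPARES to false to get server-side prepared statements.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (usr TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');

// Constructed sample accounts; they deliberately contain the characters the filter rejects.
$ins = $db->prepare('INSERT INTO users (usr, pass_hash) VALUES (:usr, :hash)');
foreach (array("o'brien" => 'pa"ss', '\\user\\' => 'back\\slash') as $usr => $pass) {
    $ins->execute(array(':usr' => $usr, ':hash' => password_hash($pass, PASSWORD_DEFAULT)));
}

/**
 * Check a login with a prepared statement. The values are bound separately from
 * the SQL text, so ', " and \ in them cannot alter the query and need no filtering.
 */
function check_login(PDO $db, $usr, $pass, $remoteAddr)
{
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE usr = :usr');
    $stmt->execute(array(':usr' => $usr));
    $hash = $stmt->fetchColumn();   // false when no such user exists

    if ($hash !== false && password_verify($pass, $hash)) {
        return true;
    }
    // Record the failed attempt with time and source address.
    // json_encode() keeps control characters in the user name out of the log line.
    error_log(sprintf('%s login failed usr=%s ip=%s', date('c'), json_encode($usr), $remoteAddr));
    return false;
}

// Constructed inputs; 192.0.2.10 is a documentation-range address.
var_dump(check_login($db, "o'brien", 'pa"ss', '192.0.2.10'));
var_dump(check_login($db, '\\user\\', 'back\\slash', '192.0.2.10'));
var_dump(check_login($db, '\\user\\', 'wrong', '192.0.2.10'));
```

The first two calls succeed even though the inputs contain `'`, `"` and `\`; the third fails and writes one line to the PHP error log.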

RE: Possible mysql injection submit.php line 39

Postby rgerhards on Sun Nov 27, 2005 9:05 pm

Hi,

thanks for letting us know. I myself am not an expert at PHP (politely said), but I've just asked my co-worker to fix that and also look at other implications. I think we'll have a fix by tomorrow.

Thanks for posting this!

Rainer
rgerhards
Site Admin
 
Posts: 1282
Joined: Thu Feb 13, 2003 11:57 am

RE: Possible mysql injection submit.php line 39

Postby bgshea on Sun Nov 27, 2005 9:47 pm

Sure, no problem. I'm working on a few other ideas I have to improve phpLogCon. So far, from what I see, the software rocks!!

I like the php code, sweet and simple. Very easy to fix/modify.

Did you get my message about the login problem?

Do you have a list of things to be done or areas in need of help? I'm pretty good with PHP, and can work 1 day a week on stuff for this. My website does not show that, but I have a completely different in-house PHP inventory and PO system we (me and a co-worker) wrote for the company I work for.

RE: Possible mysql injection submit.php line 39

Postby rgerhards on Mon Nov 28, 2005 12:13 pm

Hi,

this is Rainer again. I am just replying to this thread here, there are so many ;) I am impressed with the work you have done. This is really great. phpLogCon is a bit starved of resources currently and I would appreciate it if you lent us a helping hand. I think it probably makes sense if you mail me at rgerhards@adiscon.com. As I already said, my PHP is really ... bad ;) Thus, I am mostly working on syslog in general and rsyslogd as an actual open source project. Oh, and yes, I also try to keep things a little bit together, so that hopefully all the puzzle parts will make sense in the end.

Looking forward to hearing back from you :)
Rainer

RE: Possible mysql injection submit.php line 39

Postby bgshea on Mon Nov 28, 2005 4:11 pm

Will do :D

RE: Possible mysql injection submit.php line 39

Postby alorbach on Mon Nov 28, 2005 4:55 pm

I tried to reproduce this issue on my test machine first, using PHP5 and PHP4.
It seems that PHP is doing us a favor here: in all my tests the \ was replaced automatically with \\.
I added some debug output to verify this.

Anyway, it will not hurt to add some extra checks for these input variables, so we will add them ASAP.
Btw, which version of PHP are you using?

regards,
Andre
alorbach
Site Admin
 
Posts: 855
Joined: Thu Feb 13, 2003 11:55 am

RE: Possible mysql injection submit.php line 39

Postby bgshea on Mon Nov 28, 2005 7:40 pm

I'm using PHP 5.0.5 and MySQL 5.0.15. When I ran the test, I used \user\ and was given an error. I did not see how far I could take the error to cause injections.

There might be a PHP config setting that differs on our systems, such as magic quotes. I will have to look at this after 4:30pm this afternoon.

RE: Possible mysql injection submit.php line 39

Postby bgshea on Tue Nov 29, 2005 5:01 am

I was wrong about the \ character. That just causes SQL errors. I think the character should be limited anyway. I sent Rainer a private message about another serious login bypass. I will not post the method here. It will need to be fixed!!!

I originally thought that the \ was needed in the sequence but was incorrect.

I've tested a bunch of queries to my SQL server and could not cause a major problem other than incorrect SQL query formatting.