Thanks Kirk for the insight. The DB is offline at the moment and cannot be reached except for people connected to my LAN, which might explain something. I will google this evening for PHP injections, and I greatly appreciate the direction. Is there anything that I should be currently looking for within the DB or my box to see if someone has corrupted my tables or anything else for that matter?

Cheers,
dre

Quoting Kirk Strauser <[EMAIL PROTECTED]>:

> At 2004-03-25T22:14:48Z, [EMAIL PROTECTED] writes:
>
> > <html>
> > <body>
> > <?php
> > $db = mysql_connect("localhost", "root");
> > mysql_select_db("dtrackLog",$db);
> > if ($submit) {
> > if ($ExID) {
> > $sql = "UPDATE TL_Exploit SET
> > LogID='$LogID',OfficialName='$OfficialName',BugTraqID='$BugTraqID',PublishedDate='$PublishedDate',Type='$Type',Range='$Range',Damage='$Damage',OnlineReferences='$OnlineReferences',
> > SoftwareAffected='$SoftwareAffected',NotVulnerable='$NotVulnerable',Symptoms='$Symptoms',HowTo='$HowTo',ObjectAffected='$ObjectAffected',Discussion='$Discussion',Credits='$Credits',WHERE
> > ExID=$ExID";
>
> You're relying on a major security flaw in PHP (injecting GET/POST data into
> the global namespace) for functionality. Also, your database queries are
> incredibly dangerous; google for "SQL injection" for more information.
>
> Basically, I could 0wn your website in about 5 minutes, and so could anyone
> else so motivated. I suggest you take this offline immediately until it can
> be fixed.
> --
> Kirk Strauser
> In Googlis non est, ergo non est.
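
The two problems Kirk points out in the quoted message (request data arriving as global variables, and values concatenated into the UPDATE) can be closed as in the sketch below. This is an added example, not code from the thread or its participants. It assumes PDO with an in-memory SQLite database so it runs offline (the thread's application used MySQL), and the function name `updateExploit`, the `EDITABLE` column subset and the sample request arrays are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. SQLite in memory stands in for MySQL.

// Allow-list of editable columns (a subset of those in the quoted UPDATE).
const EDITABLE = ['LogID', 'OfficialName', 'BugTraqID', 'Type', 'Credits'];

function updateExploit(PDO $db, array $post): int
{
    // Read from the request array explicitly instead of relying on
    // GET/POST data being injected into the global namespace.
    $exId = filter_var($post['ExID'] ?? null, FILTER_VALIDATE_INT);
    if ($exId === false) {
        throw new InvalidArgumentException('ExID must be an integer');
    }
    $set = [];
    $params = [':ExID' => $exId];
    foreach (EDITABLE as $col) {           // column names come only from the allow-list
        if (array_key_exists($col, $post)) {
            $set[] = "$col = :$col";
            $params[":$col"] = (string) $post[$col];
        }
    }
    if ($set === []) {
        return 0;                          // nothing to update
    }
    $sql = 'UPDATE TL_Exploit SET ' . implode(', ', $set) . ' WHERE ExID = :ExID';
    $stmt = $db->prepare($sql);
    $stmt->execute($params);               // values are bound, never concatenated
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE TL_Exploit (ExID INTEGER PRIMARY KEY, LogID TEXT,
           OfficialName TEXT, BugTraqID TEXT, Type TEXT, Credits TEXT)');
$db->exec("INSERT INTO TL_Exploit (ExID, OfficialName) VALUES (1, 'first'), (2, 'second')");

// Constructed request bodies standing in for $_POST.
$quoted = ['ExID' => '1', 'OfficialName' => "it's a test', Credits='x", 'submit' => '1'];
echo updateExploit($db, $quoted), " row(s) changed\n";
echo $db->query('SELECT OfficialName FROM TL_Exploit WHERE ExID = 1')->fetchColumn(), "\n";
echo $db->query('SELECT OfficialName FROM TL_Exploit WHERE ExID = 2')->fetchColumn(), "\n";

try {
    updateExploit($db, ['ExID' => '1 OR 1=1', 'Type' => 'remote']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The quote-bearing value is stored as literal text in row 1 and row 2 is left untouched, while a non-integer `ExID` is rejected before any SQL is built.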