ID: 20124
Updated by: [EMAIL PROTECTED]
Reported By: [EMAIL PROTECTED]
-Status: Feedback
+Status: Bogus
Bug Type: IIS related
Operating System: Win2k
PHP Version: 4.2.3
New Comment:

Sorry, but your problem does not imply a bug in PHP itself. For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php as this bug system is not the appropriate forum for asking support questions. Thank you for your interest in PHP.

You should validate user passed input before inserting it into your SQL queries.

Previous Comments:
------------------------------------------------------------------------

[2002-10-27 14:24:04] [EMAIL PROTECTED]

What exactly do you think the bug is here? And have you ever read this:
http://www.php.net/manual/en/security.cgi-bin.php

------------------------------------------------------------------------

[2002-10-27 13:04:42] [EMAIL PROTECTED]

During a pentest, I was searching for SQL injection, and noticed that PHP returned the following error:

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'

Internal Error
--------------------------------------------------------------------------------
File: odbc2.c
Line: 211
In Fcn.: sql_prepare
Called Fcn.: SQLPrepare() returned -1
Description:
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ')'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near ')'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510')

Indicating SQL injection.

By entering

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'A

you will notice that the returned error message shows the 'A:

Internal Error
--------------------------------------------------------------------------------
File: odbc2.c
Line: 211
In Fcn.: sql_prepare
Called Fcn.: SQLPrepare() returned -1
Description:
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string 'A)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near 'A)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510'A)

To test for the possibility of a format string I entered the following:

http://victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'%x%x%x%x

You will note from the error logs that a format string bug is present in four different fields:

Internal Error
--------------------------------------------------------------------------------
File: odbc2.c
Line: 211
In Fcn.: sql_prepare
Called Fcn.: SQLPrepare() returned -1
Description:
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '51275075127680)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near '10081b6e0ffffffffdf1eb0)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510'12fbe8cf7124b4a018b46030)

This format string bug is NOT dependent on there being SQL injection present. To get the format string you just have to cause an error, for example:

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510>

This obviously indicates that the format string is in the error handling process.

Regards
Mark Litchfield
www.ngssoftware.com
Tel +44 1241 431367
email: [EMAIL PROTECTED]

------------------------------------------------------------------------

--
Edit this bug report at http://bugs.php.net/?id=20124&edit=1
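The maintainer's closing advice applied to the query in the report, as an added example that is neither the reporter's code nor the application's: the faq_id lookup with the request value concatenated into the SQL text (the pattern the quoted SQL Server error reveals) beside a version that validates the value and binds it through PHP's ODBC functions. It assumes faq_id is an integer key, a `$conn` handle from odbc_connect, and placeholder DSN and credentials.

```php
<?php
// Added example; not from the bug report or the application it describes.
// Assumptions: faq_id is an integer column, $conn is an odbc_connect() handle.

const FAQ_QUERY_PREFIX = "select f.faq_id, f.title, f.solution from faqs f "
    . "where (f.access_id in (1, 2)) and (f.faq_id = ";

// Vulnerable: the raw p_faqid value becomes part of the SQL text, so a stray
// quote or trailing character is parsed by SQL Server as statement syntax,
// which is exactly what the driver error in the report shows.
function faq_query_unsafe(string $p_faqid): string
{
    return FAQ_QUERY_PREFIX . $p_faqid . ")";
}

// Hardened step 1: faq_id is an integer key (assumption), so accept only a
// plain non-negative integer before the value goes anywhere near the database.
function validate_faq_id(string $p_faqid): ?int
{
    if (!preg_match('/^\d{1,9}$/', $p_faqid)) {
        return null;
    }
    return (int) $p_faqid;
}

// Hardened step 2: bind the value with odbc_prepare/odbc_execute so the driver
// sends it as a parameter rather than splicing it into the statement text.
function fetch_faq($conn, string $p_faqid): ?array
{
    $faqId = validate_faq_id($p_faqid);
    if ($faqId === null) {
        return null; // reject; never echo driver error text back to the client
    }
    $stmt = odbc_prepare($conn, FAQ_QUERY_PREFIX . "?)");
    if ($stmt === false || !odbc_execute($stmt, [$faqId])) {
        error_log("faq lookup failed: " . odbc_errormsg($conn)); // server-side only
        return null;
    }
    $row = odbc_fetch_array($stmt);
    return $row === false ? null : $row;
}

// Usage with placeholder DSN and credentials:
// $conn = odbc_connect('ecust_dsn', 'app_user', 'app_password');
// $faq  = fetch_faq($conn, $_GET['p_faqid'] ?? '');
```

With this arrangement a value such as `510'` is rejected by validate_faq_id before any statement is prepared, and a database error is logged server-side rather than rendered in the response.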