PEAK XOOPS - Action if an isolated comment-in is found

Action if an isolated comment-in is found

Posted on 2005/4/26 18:07
Dave_L (上等兵 / Private First Class)  From: Virginia, USA  Posts: 35
The "Action if an isolated comment-in is found" feature is annoying. Here's an example of its effect:

Quote:
    Quote:
        Gnome Nautilus file manager

    I suggest using the shell copy command instead:

    $ cp -a /path/to/extracted/archive/* /path/to/xoops/installation

    Just make sure the paths are correct, that you have permission to overwrite all the files, and backup the XOOPS directory first.*/

1) Is there any way of making a post like that without getting the */ added at the end?

2) Is that check really necessary? How could someone exploit that?
Posted on 2005/4/28 5:25
GIJOE (先任軍曹 / Master Sergeant)  Posts: 4110
hi Dave.

Quote:
1) Is there any way of making a post like that without getting the */ added at the end?
Turn off the option.
If XOOPS_DB_PREFIX is not known by attackers, there is little threat from SQL injection attacks.

I think a better algorithm, like POST checking, will be OK if some "invalid string as SQL" is found before the first '/*'.

Quote:
2) Is that check really necessary? How could someone exploit that?

Isolated '/*' makes easier SQL Injection.

eg)
the vulnerability (the request value is pasted straight into the query string):
$sql = "SELECT title FROM ".$xoopsDB->prefix("foo")." WHERE storyid='{$_GET['id']}' AND status>0";

Attacker can do:
?id=1'+UNION+SELECT+password+FROM+xoops_users+ORDER+BY+...+/*

I'm sorry that I did not check the typo in this attack.

Anyway, you can easily understand the isolated '/*' is necessary.

Protector rewrites the request like this:
?id=1'+UNION+SELECT+password+FROM+xoops_users+ORDER+BY+...+/**/

You can also see that this causes an SQL error, and attackers can't get the hashed passwords from the users table.


*/
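An added example, not code from this thread or from the Protector module, that reproduces on SQLite the three cases GIJOE's reply describes: the interpolated query from the post, the same query after a Protector-style rewrite that closes an isolated '/*', and the bound-parameter form that removes the problem whether or not the table prefix is secret. The rewrite function is an approximation inferred from the '*/' appended to the end of both posts above, not Protector's real implementation; the table contents, the xoops_users column layout and the storyid/status/title columns are constructed sample data. SQLite treats an unterminated '/*' as running to the end of the input, which is the behaviour the post's attack relies on.

```python
# Added example (not the thread's or Protector's code). Assumptions: the
# xoops_foo/xoops_users tables and their rows are constructed sample data, and
# close_isolated_comment() approximates Protector's "isolated comment-in"
# action as "append '*/' to the request value", as both posts above suggest.
import sqlite3

# The page's vulnerable pattern: the request value is formatted into the SQL text.
VULNERABLE_SQL = "SELECT title FROM xoops_foo WHERE storyid='{id}' AND status>0"
# The fix that does not depend on the prefix being secret: bind the value.
SAFE_SQL = "SELECT title FROM xoops_foo WHERE storyid=? AND status>0"


def close_isolated_comment(value: str) -> str:
    """Approximation of Protector's option (assumption): if the last '/*' in the
    value has no '*/' after it, append '*/' so the comment can no longer swallow
    the rest of the statement. Dave's 'archive/*' path triggers this too."""
    start = value.rfind("/*")
    if start != -1 and value.find("*/", start + 2) == -1:
        return value + "*/"
    return value


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a XOOPS database (sample data, not real hashes)."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE xoops_foo(storyid INTEGER, title TEXT, status INTEGER);
        INSERT INTO xoops_foo VALUES (1, 'Hello world', 1);
        CREATE TABLE xoops_users(uname TEXT, password TEXT);
        INSERT INTO xoops_users VALUES ('admin', 'hash-placeholder');
        """
    )
    return db


def run_vulnerable(db: sqlite3.Connection, raw_id: str) -> list:
    """Execute the interpolated query exactly as the post builds it."""
    return [row[0] for row in db.execute(VULNERABLE_SQL.format(id=raw_id))]


def run_safe(db: sqlite3.Connection, raw_id: str) -> list:
    """Execute the bound-parameter query: the value is data, never SQL."""
    return [row[0] for row in db.execute(SAFE_SQL, (raw_id,))]


def outcome(db: sqlite3.Connection, raw_id: str, protector: bool) -> str:
    """Classify what the vulnerable query does with a request value, optionally
    after the Protector-style rewrite: 'leak' if user-table data came back,
    'sql-error' if the statement failed to parse, 'clean' otherwise."""
    value = close_isolated_comment(raw_id) if protector else raw_id
    try:
        rows = run_vulnerable(db, value)
    except sqlite3.OperationalError:
        return "sql-error"
    return "leak" if "hash-placeholder" in rows else "clean"


if __name__ == "__main__":
    db = make_db()
    # The attack shape from the post (trailing '/*' comments out "AND status>0").
    payload = "1' UNION SELECT password FROM xoops_users /*"
    print(outcome(db, payload, protector=False))  # leak
    print(outcome(db, payload, protector=True))   # sql-error
    print(run_safe(db, payload))                  # []
    print(run_safe(db, "1"))                      # ['Hello world']
```

The rewrite only defeats payloads that depend on a trailing comment; the bound-parameter query (run_safe) is the change a maintainer should make, because it removes string interpolation rather than patching one symptom of it.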
