
[nycphp-talk] Injection Attack, any ideas?

Jake McGraw jmcgraw1 at gmail.com
Tue Nov 6 23:52:11 EST 2007


Without divulging who your client is, would it be possible to remove
any references to their site/company from the offending code and post
it here? Without access to your registration.php script I think we'll
all just be wasting our time with wild guesses.

- jake

On Nov 6, 2007 11:31 PM,  <mikesz at qualityadvantages.com> wrote:
> Hello All,
>
> I have a client site that has a registration form with a captcha image
> that is supposed to prevent spammers from dumping their junk. The form
> has two text input windows and a fair amount of personal information
> is collected as well.
>
> I just noticed that this client has been getting regular injection
> attacks that have been failing because it is a comment spammer and the
> INSERT query is failing on a duplicate key error. For privacy and
> security reasons I can not post the error message but it cites the php
> file name and the injection looks like it is being added to one of the
> text boxes.
>
> The form has "Required" fields as well as a check function that is
> supposed to check for valid input. All of those fields are empty in the
> query that failed.
>
> The question is, actually multiple related questions:
>
> First, how did that bad guy "execute" the query without hitting the
> submit button or entering the captcha code, and how did it bypass the
> check function? It seems like the query was sent directly to the
> database through the registration.php program, but I have no clue how
> that could have happened. I need to plug this hole but don't have any
> idea where to start looking for it.
>
> I have tried running the query like registration.php?query but that
> didn't work.
>
> Any ideas about how I can reproduce this problem would be greatly
> appreciated, and any suggestions about how to fix it would be even more
> greatly appreciated. 8-)
>
> Thanks for your attention.
>
>
> --
> Best regards,
>  mikesz                          mailto:mikesz at qualityadvantages.com
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
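The behaviour mikesz describes (empty "Required" fields, no captcha, yet the INSERT still reached the database) is what happens when the checks run only in the browser and a bot POSTs straight to registration.php. The following is an added example, not code from the thread or from the client's script; it assumes the form page stored the captcha text in `$_SESSION['captcha']`, that the form posts fields named `name`, `email` and `captcha`, and a table `registrants` with a unique key on `email`.

```php
<?php
// Added example, not code from the thread. Assumes the form page stored
// the captcha text in $_SESSION['captcha'], posts "name", "email" and
// "captcha", and a table "registrants" with a unique key on email.
session_start();

// Returns a list of failure reasons; an empty list means the post is valid.
function validate_registration(array $post, array &$session): array {
    $errors = [];
    // A bot never loads the form; it POSTs straight to registration.php, so
    // client-side checks never run. Verify the captcha here, and only once.
    $expected = $session['captcha'] ?? null;
    unset($session['captcha']);
    if ($expected === null ||
        !hash_equals((string)$expected, trim($post['captcha'] ?? ''))) {
        $errors[] = 'captcha';
    }
    // Re-check every "Required" field on the server as well.
    foreach (['name', 'email'] as $field) {
        if (trim($post[$field] ?? '') === '') {
            $errors[] = "missing:$field";
        }
    }
    return $errors;
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);   // a GET such as registration.php?query does nothing
    exit;
}
$errors = validate_registration($_POST, $_SESSION);
if ($errors) {
    // Logging reason and source makes spam runs visible without leaking details.
    error_log('registration rejected (' . implode(',', $errors) . ') from '
        . $_SERVER['REMOTE_ADDR']);
    http_response_code(400);
    exit;
}
// The INSERT runs only after validation, as a prepared statement so field
// content cannot alter the query's structure.
$pdo = new PDO('mysql:host=localhost;dbname=site', 'user', 'pass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$stmt = $pdo->prepare('INSERT INTO registrants (name, email) VALUES (?, ?)');
try {
    $stmt->execute([trim($_POST['name']), trim($_POST['email'])]);
} catch (PDOException $e) {
    error_log('registration insert failed: ' . $e->getMessage());
    http_response_code(409);   // duplicate key (SQLSTATE 23000) lands here
    exit;
}
```

Reproducing the report is then a matter of posting the fields without first loading the form page: with the checks on the server, the request is rejected and logged instead of reaching the INSERT.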


