[nycphp-talk] Injection Attack, any ideas?

mikesz at qualityadvantages.com
Wed Nov 7 00:12:55 EST 2007


Hello Jake,

Wednesday, November 7, 2007, 12:52:11 PM, you wrote:

> Without divulging who your client is, would it be possible to remove
> any references to their site/company from the offending code and post
> it here? Without access to your registration.php script I think we'll
> all just be wasting our time with wild guesses.

> - jake

> On Nov 6, 2007 11:31 PM,  <mikesz at qualityadvantages.com> wrote:
>> Hello All,
>>
>> I have a client site that has a registration form with a captcha image
>> that is supposed to prevent spammers from dumping their junk. The form
>> has two text input windows and a fair amount of personal information
>> is collected as well.
>>
>> I just noticed that this client has been getting regular injection
>> attacks that have been failing because it is a comment spammer and the
>> INSERT query is failing on a duplicate key error. For privacy and
>> security reasons I can not post the error message but it cites the php
>> file name and the injection looks like it is being added to one of the
>> text boxes.
>>
>> The form has "Required" fields as well as a check function that is
>> supposed to check for valid input. All of those fields are empty in the
>> query that failed.
>>
>> The question is, actually multiple related questions:
>>
>> First, how did that bad guy "execute" the query without hitting the
>> submit button or entering the captcha code, and how did it bypass the
>> check function? It seems like the query was sent directly to the
>> database through the registration.php program but I have no clue how
>> that could have happened. I need to plug this hole but don't have any
>> idea where to start looking for it.
>>
>> I have tried running the query like registration.php?query but that
>> didn't work.
>>
>> Any ideas about how I can reproduce this problem would be greatly
>> appreciated, and any suggestions about how to fix it would be even more
>> greatly appreciated.            8-)
>>
>> Thanks for your attention.
>>
>>
>> --
>> Best regards,
>>  mikesz                          mailto:mikesz at qualityadvantages.com
>>
>> _______________________________________________
>> New York PHP Community Talk Mailing List
>> http://lists.nyphp.org/mailman/listinfo/talk
>>
>> NYPHPCon 2006 Presentations Online
>> http://www.nyphpcon.com
>>
>> Show Your Participation in New York PHP
>> http://www.nyphp.org/show_participation.php
>>

Actually, the script code is not a problem, but it's over 500 lines of
code so I am not sure it is appropriate to post it here?


-- 
Best regards,
 mikesz                            mailto:mikesz at qualityadvantages.com
