
[nycphp-talk] Trimming Posts WAS: Injection Attack, any ideas?

Hans Zaunere lists at zaunere.com
Wed Nov 7 07:50:49 EST 2007


All,

Please remember to trim your posts and subjects (and don't top-post like I
just did :)

Thanks,

---
Hans Zaunere / President / New York PHP
    www.nyphp.org  /  www.nyphp.com



mikesz at qualityadvantages.com wrote on Wednesday, November 07, 2007
12:40 AM: 
> Hello Jake,
> 
> Wednesday, November 7, 2007, 1:17:14 PM, you wrote:
> 
> > Try:
> 
> > http://cl1p.net/
> 
> > I'd be willing to take a look after you post it.
> 
> > - jake
> 
> > On Nov 7, 2007 12:12 AM,  <mikesz at qualityadvantages.com> wrote:
> > > Hello Jake,
> > > 
> > > 
> > > Wednesday, November 7, 2007, 12:52:11 PM, you wrote:
> > > 
> > > > Without divulging who your client is, would it be possible to
> > > > remove any references to their site/company from the offending
> > > > code and post it here? Without access to your registration.php
> > > > script I think we'll all just be wasting our time with wild
> > > > guesses. 
> > > 
> > > > - jake
> > > 
> > > > On Nov 6, 2007 11:31 PM,  <mikesz at qualityadvantages.com> wrote:
> > > > > Hello All,
> > > > > 
> > > > > I have a client site that has a registration form with a
> > > > > captcha image that is supposed to prevent spammers from
> > > > > dumping their junk. The form has two text input windows and a
> > > > > fair amount of personal information is collected as well. 
> > > > > 
> > > > > I just noticed that this client has been getting regular
> > > > > injection attacks that have been failing because it is a
> > > > > comment spammer and the INSERT query is failing on a
> > > > > duplicate key error. For privacy and security reasons I can
> > > > > not post the error message but it cites the php file name and
> > > > > the injection looks like it is being added to one of the text
> > > > > boxes.  
> > > > > 
> > > > > The form has "Required" fields as well as a check function
> > > > > that is supposed to check for valid input. All of those fields
> > > > > are empty in the query that failed. 
> > > > > 
> > > > > The question is, actually multiple related questions:
> > > > > 
> > > > > First, how did that bad guy "execute" the query without
> > > > > hitting the submit button or entering the captcha code, and
> > > > > how did it bypass the check function? It seems like the query
> > > > > was sent directly to the database through the registration.php
> > > > > program, but I have no clue how that could have happened. I
> > > > > need to plug this hole but don't have any idea where to start
> > > > > looking for it. 
> > > > > 
> > > > > I have tried running the query like registration.php?query
> > > > > but that didn't work. 
> > > > > 
> > > > > Any ideas about how I can reproduce this problem would be greatly
> > > > > appreciated, and any suggestions about how to fix it would be
> > > > > even more greatly appreciated.            8-)
> > > > > 
> > > > > Thanks for your attention.
> > > > > 
> > > > > 
> > > > > --
> > > > > Best regards,
> > > > >  mikesz                         
> > > > > mailto:mikesz at qualityadvantages.com 
> > > > > 
> > > > > _______________________________________________
> > > > > New York PHP Community Talk Mailing List
> > > > > http://lists.nyphp.org/mailman/listinfo/talk
> > > > > 
> > > > > NYPHPCon 2006 Presentations Online
> > > > > http://www.nyphpcon.com
> > > > > 
> > > > > Show Your Participation in New York PHP
> > > > > http://www.nyphp.org/show_participation.php
> > > > > 
> > > 
> > > > __________ NOD32 2642 (20071106) Information __________
> > > 
> > > > This message was checked by NOD32 antivirus system.
> > > > http://www.eset.com
> > > 
> > > Actually, the script code is not the problem, but it's over 500 lines of
> > > code, so I am not sure it is appropriate to post it here?
> > > 
> > > 
> > > --
> > > 
> > > Best regards,
> > >  mikesz                           
> > > mailto:mikesz at qualityadvantages.com 
> > > 
> > > 
> 
> 
> 
> Here is the URL : http://cl1p.net/myexploitedcode/
> 
> thanks, mikesz
> 
> --
> Best regards,
>  mikesz                            mailto:mikesz at qualityadvantages.com
> 
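The failure mode described in the quoted question (required fields empty, captcha and check function skipped, a raw driver error that names the PHP file) is what a registration handler looks like when its validation lives only in the browser: a spammer's script POSTs straight to registration.php and never runs the form's JavaScript or sees the captcha. The code below is an added example for this thread, not the client's registration.php and not anything from the cl1p.net paste; it assumes a MySQL table `users` with a UNIQUE key on `email`, a PDO connection in `$pdo`, and a captcha image generator that stored the expected text in `$_SESSION['captcha']` (all placeholder names). It shows the vulnerable shape beside a hardened handler that re-checks everything on the server.

```php
<?php
// Added example, not the client's script. Assumed: table `users` with a
// UNIQUE key on `email`, a PDO connection $pdo, and a captcha generator
// that saved its expected text in $_SESSION['captcha'].

session_start();

// --- Vulnerable shape (assumed for contrast) -------------------------------
// "Required" attributes and the check function run only in the browser.
// A bot that POSTs directly never runs them, so empty fields and an
// unverified captcha reach the INSERT, and string interpolation leaves
// the query itself open to SQL injection.
function register_insecure(PDO $pdo): void
{
    $email = $_POST['email'] ?? '';
    $name  = $_POST['name'] ?? '';
    $pdo->exec("INSERT INTO users (email, name) VALUES ('$email', '$name')");
}

// --- Hardened shape ---------------------------------------------------------
function register_secure(PDO $pdo): array
{
    // 1. Accept only a real form submission, not a GET with a query string.
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return ['ok' => false, 'error' => 'method'];
    }

    // 2. Verify the captcha on the server against the value this session was
    //    shown, and consume it so the same answer cannot be replayed.
    $expected = $_SESSION['captcha'] ?? null;
    unset($_SESSION['captcha']);
    $given = (string)($_POST['captcha'] ?? '');
    if ($expected === null || !hash_equals($expected, $given)) {
        return ['ok' => false, 'error' => 'captcha'];
    }

    // 3. Re-validate every "required" field here; browser checks are advisory.
    $email = trim((string)($_POST['email'] ?? ''));
    $name  = trim((string)($_POST['name'] ?? ''));
    if ($email === '' || $name === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || mb_strlen($name) > 100) {
        return ['ok' => false, 'error' => 'validation'];
    }

    // 4. Parameterise the INSERT so user input is never parsed as SQL.
    $stmt = $pdo->prepare('INSERT INTO users (email, name) VALUES (:email, :name)');
    try {
        $stmt->execute([':email' => $email, ':name' => $name]);
    } catch (PDOException $e) {
        // 5. Never echo the driver error: it leaks the file name and query
        //    text. Log it, and map the duplicate-key case (SQLSTATE 23000)
        //    to a generic message for the client.
        error_log('registration failed: ' . $e->getMessage());
        $dup = ((string)$e->getCode() === '23000');
        return ['ok' => false, 'error' => $dup ? 'already_registered' : 'db'];
    }
    return ['ok' => true];
}
```

To reproduce the symptom against the insecure shape, send the form fields directly with no captcha and no JavaScript involved, for example `curl -d 'email=a@example.com&name=' http://host/registration.php`; a `registration.php?query` GET does nothing because such a script reads `$_POST`, not the query string (an assumption about the client's code, but the usual reason a GET attempt is silent). The hardened handler rejects the same request at step 2 or 3 before any SQL runs, and the duplicate-key error that was showing up in the logs becomes a logged line plus a generic response instead of a message that names the file.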
