[nycphp-talk] Not-so-subtle attack on PHP
Elliotte Harold
elharo at metalab.unc.edu
Fri Sep 28 04:13:53 EDT 2007
Kenneth Downs wrote:
> In SQL Injection, the user accesses some table they are not supposed to
> access. This can only be done if the application connects to the
> database as some generic user, where that generic user can do anything
> it wants.
Not always. Sometimes it's about accessing a row they're not supposed to
access, or adding a WHERE clause they're not supposed to run, or a
function they're not supposed to be able to call. Table level security
is not enough. For example, you may well have data from multiple users
in one table (you usually will in fact) but don't want Bob to be able
to see Alice's data. If Bob can change "WHERE user = 'Bob'" to "WHERE
user = 'Bob' or user = 'Alice'" your table level security has just been
broken. :-(

There are also attacks that access columns the user isn't supposed to
see. A credit card company may allow users to see their purchase
history, for example, but not see the merchant ID numbers associated with
each purchase.

Your scenario assumes users can see entire tables, and more often than
not for random web surfers, that is not the security model we want.
--
Elliotte Rusty Harold elharo at metalab.unc.edu
Java I/O 2nd Edition Just Published!
http://www.cafeaulait.org/books/javaio2/
http://www.amazon.com/exec/obidos/ISBN=0596527500/ref=nosim/cafeaulaitA/
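The row-level and column-level cases described in this message, shown as an added example that is not part of the original post. It uses Python's standard-library sqlite3 module; the `purchases` table, its rows, and all function names are constructed for illustration, and the database account is assumed to hold SELECT on the whole table in both cases.

```python
import sqlite3

def make_db():
    """Constructed sample data: two users' purchases share one table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE purchases "
               "(user TEXT, item TEXT, amount REAL, merchant_id TEXT)")
    db.executemany(
        "INSERT INTO purchases VALUES (?, ?, ?, ?)",
        [
            ("Bob", "book", 12.50, "M-1001"),
            ("Bob", "coffee", 3.20, "M-1002"),
            ("Alice", "laptop", 999.00, "M-1003"),
        ],
    )
    return db

def history_concatenated(db, session_user, item_filter):
    # Vulnerable form: request input is pasted into the SQL text, so it can
    # rewrite the WHERE clause. SELECT * also returns merchant_id, a column
    # the user is not meant to see. A table-level grant is satisfied either way.
    sql = ("SELECT * FROM purchases WHERE user = '" + session_user +
           "' AND item = '" + item_filter + "'")
    return db.execute(sql).fetchall()

def history_bound(db, session_user, item_filter):
    # Hardened form: fixed SQL text, explicit column list, and values bound
    # as parameters so they are only ever compared as data.
    sql = ("SELECT user, item, amount FROM purchases "
           "WHERE user = ? AND item = ?")
    return db.execute(sql, (session_user, item_filter)).fetchall()

def users_in(rows):
    """Distinct row owners in a result set, to show whose data came back."""
    return sorted({row[0] for row in rows})

if __name__ == "__main__":
    db = make_db()
    # Constructed input mirroring the WHERE-clause change quoted above.
    widened = "book' OR user = 'Alice"
    print("concatenated:", users_in(history_concatenated(db, "Bob", widened)))
    print("bound:       ", users_in(history_bound(db, "Bob", widened)))
    print("bound, normal filter:", history_bound(db, "Bob", "book"))
```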