Date: Sat, 10 Dec 2005 14:36:09 -0500 (EST)
From: "Steven M. Christey" <coley@...re.org>
To: bugtraq@...urityfocus.com
Cc: trueend5@...oo.com, grudge@...plemachines.org
Subject: Re: Re: [KAPDA::#16] - SMF SQL Injection



>substr(strtolower($_REQUEST['start']), 0, 1)
>
>So, the string is set to lower case, and then only the FIRST letter is
>used within the query. How can anyone exploit the database with a one
>character insertion? Of course this is within single quotes as well,
>so it cannot even be a command.


This sounds like yet another example of a researcher diagnostic error,
which I warned about a couple months ago:

  A common researcher diagnosis error: misreading error messages
  http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-10/0040.html

I would bet that the software generated an error based on this portion
of the SQL/PHP code:

  WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" .
  substr(strtolower($_REQUEST['start']), 0, 1) . "'

The original demonstration value of "start" is:

  '[SQL]

and since the first character is "'", PHP would generate something
like:

  WHERE LOWER(SUBSTRING(realName, 1, 1)) < '''

which would then generate a syntax error, which could then be
mis-diagnosed as SQL injection.

I bet that many so-called "SQL injection" issues are of this form of
"limited SQL syntax manipulation."  It is still an error message
information leak, which some people don't think is security relevant.
But clearly it is much less severe than SQL injection.

- Steve
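As an added illustration (not from Steve's message, and not SMF's own code), the following Python script rebuilds the quoted PHP string-concatenation against a constructed in-memory SQLite table. It shows that a `start` value beginning with `'` yields the malformed `< '''` clause and a syntax error, while the single-character truncation leaves nothing to inject; the parameterized variant is the fix. The `members` table, its `realName` column and the sample rows are assumptions; SQLite's `SUBSTR` stands in for MySQL's `SUBSTRING`.

```python
import sqlite3


def build_query_like_smf(start: str) -> str:
    """Mimic the PHP fragment: strtolower() then substr(..., 0, 1) of
    $_REQUEST['start'] is concatenated straight into the WHERE clause."""
    first = start.lower()[:1]
    return ("SELECT realName FROM members "
            "WHERE LOWER(SUBSTR(realName, 1, 1)) < '" + first + "'")


def make_db() -> sqlite3.Connection:
    # Constructed sample data; table and column names are assumed.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (realName TEXT)")
    conn.executemany("INSERT INTO members VALUES (?)",
                     [("alice",), ("Bob",), ("carol",)])
    return conn


def run_query(conn: sqlite3.Connection, sql: str):
    """Return ('ok', rows) or ('syntax_error', message) for the built SQL."""
    try:
        return ("ok", sorted(row[0] for row in conn.execute(sql)))
    except sqlite3.OperationalError as exc:
        # '[SQL]' becomes < ''' : an unterminated string, not injected SQL.
        return ("syntax_error", str(exc))


def safe_query(conn: sqlite3.Connection, start: str):
    """Same truncation, but the character is bound as a parameter, so a
    quote in the input can never change the statement's structure."""
    first = start.lower()[:1]
    sql = ("SELECT realName FROM members "
           "WHERE LOWER(SUBSTR(realName, 1, 1)) < ?")
    return sorted(row[0] for row in conn.execute(sql, (first,)))


if __name__ == "__main__":
    db = make_db()
    for value in ("C", "'[SQL]"):
        print(repr(value), "->", build_query_like_smf(value))
        print("   concatenated:", run_query(db, build_query_like_smf(value)))
        print("   parameterized:", safe_query(db, value))
```

Running it prints the benign query and its rows for `C`, the `< '''` query with its syntax error for `'[SQL]`, and an empty (error-free) result from the parameterized version for the same input.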