Re: Top Ten PHP Security Hole

From: R. Rajesh Jeba Anbiah (ng4rrjanbiah_at_rediffmail.com)
Date: 02/09/04

    Date: 8 Feb 2004 22:01:25 -0800
    
    

    "Chung Leong" <chernyshevsky@hotmail.com> wrote in message news:<idSdncayJvPJnL7d4p2dnA@comcast.com>...
    > Thinking that POST is somehow more secure than GET deserves an honorable
    > mention. Once I was called into the office of this guy who claimed he'd
    > discovered a huge vulnerability: He could log in by adding
    > ?username=jdoe&password=qwerty to the URL! He was still fiddling with HTTP
    > authentication when he lost his job.

    +----+---------+-------+
    |     user_settings    |
    +----+---------+-------+
    |pKey| for.Key | data  |
    +----+---------+-------+
    | id | user_id | xyz   |
    +----+---------+-------+
    | 1  |    1    | abc   |
    | 2  |    1    | abcd  |
    | 3  |    1    | abcde |
    | 4  |    2    | qwe   |
    | 5  |    2    | qwer  |
    +----+---------+-------+

      Usually, in a situation like the above, we'll list the records
    for that particular user with a query like:
    "SELECT * FROM user_settings WHERE user_id=".$_SESSION['user_id']

      And, while displaying them, we will give a link to delete each record, like
    deleteSettings.php?id=1..., where "id" is the primary key of the table.

      In most of the scripts I have seen, programmers just delete the
    record without checking if that record actually belongs to that user
    or not.
    e.g. "DELETE FROM user_settings WHERE id=".$_GET['id']

      For example, in the above case, only 2 records (4 & 5) belong to
    user2. And if user2 manipulates the URL like
    deleteSettings.php?id=1, he can even delete the records that belong to
    user1.

      I avoid this issue with a query like the following (so that he can delete his
    own records alone---even if he manipulates the URL):

     "DELETE FROM user_settings WHERE id=".(int)$_GET['id']." AND user_id=".(int)$_SESSION['user_id']

      I don't know if anyone has already documented such a trick, but I
    haven't yet seen such code.

    -- 
     "Success = 10% sweat + 90% tears"
    If you live in USA, please support John Edwards.
    Email: rrjanbiah-at-Y!com
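As an added example (not code from the post or its author), the same ownership check written in Python against an in-memory SQLite copy of the post's user_settings table, with bound parameters in place of string concatenation; it runs the scenario of user 2 requesting ?id=1 through both the unscoped and the scoped DELETE. The table contents are constructed from the post; the function names are assumptions.

```python
import sqlite3

# Constructed copy of the post's user_settings table: ids 1-3 belong to user 1, ids 4-5 to user 2.
ROWS = [(1, 1, "abc"), (2, 1, "abcd"), (3, 1, "abcde"), (4, 2, "qwe"), (5, 2, "qwer")]

def fresh_db():
    """Return a new in-memory database seeded with the table from the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_settings (id INTEGER PRIMARY KEY, user_id INTEGER, xyz TEXT)")
    conn.executemany("INSERT INTO user_settings VALUES (?, ?, ?)", ROWS)
    return conn

def delete_unscoped(conn, requested_id):
    """The pattern the post criticises: the ?id= parameter alone decides what is deleted.
    Bound parameters stop injection, but nothing ties the row to the caller."""
    cur = conn.execute("DELETE FROM user_settings WHERE id = ?", (int(requested_id),))
    return cur.rowcount

def delete_scoped(conn, requested_id, session_user_id):
    """The post's fix: the row must also carry the logged-in user's id (taken from the
    session, never from the request). A return of 0 means the caller asked for a row it
    does not own or that does not exist; that is worth logging as a tampering attempt."""
    cur = conn.execute(
        "DELETE FROM user_settings WHERE id = ? AND user_id = ?",
        (int(requested_id), int(session_user_id)),
    )
    return cur.rowcount

def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM user_settings ORDER BY id")]

def demo():
    """User 2 (per the session) requests deleteSettings.php?id=1, a row owned by user 1."""
    unscoped_db = fresh_db()
    stolen = delete_unscoped(unscoped_db, "1")                   # 1: user 1's row is gone
    scoped_db = fresh_db()
    blocked = delete_scoped(scoped_db, "1", session_user_id=2)   # 0: foreign row untouched
    own = delete_scoped(scoped_db, "4", session_user_id=2)       # 1: own row deleted as intended
    return {
        "unscoped_deleted": stolen, "unscoped_left": remaining_ids(unscoped_db),
        "scoped_blocked": blocked, "scoped_own": own, "scoped_left": remaining_ids(scoped_db),
    }

if __name__ == "__main__":
    print(demo())
```

The int() conversion raises ValueError on a non-numeric id, so a real handler would catch it and answer with a 400 rather than a stack trace.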
    
