Interesting PHP Oddity - help please! :)

Discussion in 'Linux VPS/Dedicated - cPanel' started by Bryan, Sep 12, 2007.

  1. Bryan

    Bryan Very Happy KH VPS User

    Hey guys...

    I'm honestly at a complete loss as to what is happening with one of my PHP scripts. It was working before I moved here. But since I don't personally use the script a whole lot, I don't know when it broke. Nothing changed in the coding, so I'm kinda at a loss as to what went wrong.

    I can't send you guys to the actual page, as it's behind a password protected member's site for a client of mine.

    To give an overview...that specific page gives a membership roster, with names, phone numbers, addresses, etc., and by clicking on the headings, "Name, Address, Phone" etc., the columns are supposed to be sorted.

    The sql call I'm using is: ORDER BY '$sort' ASC" where $sort is determined in the script by what you click on.

    So for instance, if somebody clicked address, it would $sort would = address.

    Like I said, it worked fine in the past. Is there anything specific in PHP that would cause this to stop functioning? I'm using 4.4.4 right now on the server.

    Thanks in advance!!
     
  2. khiltd

    khiltd New Member

    Kinda hard to diagnose without any code whatsoever. Are the sort parameters being passed in a query string, and if so, is the rest of the script assuming that register_globals is enabled?
     
  3. magic

    magic New Member

    aside from that (since there is no code to check here), if that sql is correct, that is a major XSS hazard. user could set $sort to a payload value and inject an unauthorized query into the db. assuming $sort is a public variable, there should be a private variable which is matched to it to produce the query member.
     
  4. Jleagle

    Jleagle New Member

    Hi, do you think you could explain what you mean by "there should be a private variable which is matched to it to produce the query member". I feel like i could be making this mistake on a website of mine.
     
  5. khiltd

    khiltd New Member

    Rather than simply taking

    Code:
    $_GET['sort_order']
    you would validate the input against a list of acceptable possibilities such as

    Code:
    switch ( $_GET['sort_order'] )
    {
    	case 'ASC':
    		
    		$sort_order = 'ASC';
    	
    		break;
    		
    	case 'DSC':
    	
    		$sort_order = 'DSC';
    		
    		break;
    		
    	default:
    	
    		die('Sorry, Charlie...');
    		
    		break;
    }
    That way if I try to pull something like

    Code:
    http://www.yourdomain.com/yourscript.php?sort_order=do%20something%20evil
    that input will not actually become a part of the subsequent database query.
     
  6. Jleagle

    Jleagle New Member

    Thanks, very helpful to me.
     
  7. Bryan

    Bryan Very Happy KH VPS User

    Khiltd, you're right. I actually took the script over and modified it from somebody else's...hadn't really had a chance or desire to change it yet.

    But even so, it's a password protected script that is used by about 75 people who would have no idea how or why to insert evil code. ha ha!

    There really isn't any code to show. The only piece of code that actually does something is:

    "SELECT * FROM members ORDER BY '$sort' ASC";

    And $sort is passed into the script by clicking on the column heading. I.e. it might be address, first_name, last_name, etc. etc.

    It actually worked at some point. :)

    Thanks again guys!
     
  8. ppc

    ppc Moderator

    Bryan,

    Did you take khiltd re: register globals? That could be the culprit.
     
  9. khiltd

    khiltd New Member

    Passed how? HTTP is a stateless protocol.
     
  10. kgh

    kgh New Member

    Have you tried echo'ing the SQL statement as well, just to make sure that it is appearing as expected?
     
  11. Bryan

    Bryan Very Happy KH VPS User

    Will try those things and get back in a bit. Thanks guys.
     

Share This Page