[Ruqueue-devel] XSS attacks and SQL injection
From: David F. Skoll
Subject: [Ruqueue-devel] XSS attacks and SQL injection
Date: Fri, 27 Feb 2009 10:12:44 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080707 Thunderbird/2.0.0.16 Mnenhy/0.7.5.0
Hi,
I heard of ruQueue via a Slashdot article, so I downloaded it. I took
a quick look at the code and noticed many places where XSS attacks and
SQL injection can happen.
ru-queue-1.2.2.tar.gz is dated 2005, so maybe it's no longer maintained?
Here's one example, from web-interface/appointment.php:
$id = $_GET['id'];
$output = Head("Appointment #$id", $username, $rate) [...]
Here, we see that $id is not protected with htmlspecialchars() on output,
opening up an XSS attack.
Later on, $id is used in AppointmentInfo like this:
SELECT appointment_id Appointment_Id, ticket_id Id, ... much deleted ...
WHERE appointment_id=$id
As you see, $id is used unsanitized, opening up an SQL injection attack.
This unsafe handling of user-supplied data is ubiquitous. :-( Fixing it
will be hard, but I think it should be done. You should look into
one of the DBI-like packages for PHP that provides safe SQL generation.
Regards,
David.
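The following is an added illustration, not code from ruQueue or from the message above, of the two fixes the message asks for applied to the quoted appointment.php fragment: validate the id before use, escape it with htmlspecialchars() on output, and bind it as a parameter in the query instead of interpolating it. It assumes a PDO connection in $db, and the table name "appointments" is an assumption (the message elides the FROM clause); the column names appointment_id and ticket_id are the ones quoted in the message.

```php
<?php
// Added example (hypothetical, not ruQueue code): hardened handling of $_GET['id']
// for the appointment page. Assumes $db is an open PDO connection.
declare(strict_types=1);

// 1. Validate the untrusted input first. An appointment id is a positive
//    integer, so anything else is rejected before it reaches HTML or SQL.
function parse_appointment_id(array $get): ?int
{
    if (!isset($get['id'])) {
        return null;
    }
    $id = filter_var(
        $get['id'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// 2. Output: escape before interpolating into HTML. For an integer this is
//    belt-and-braces after validation, but escaping every value that goes
//    into markup is the habit that closes the XSS class in general.
function appointment_title(int $id): string
{
    return 'Appointment #' . htmlspecialchars((string) $id, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 3. Query: bind the value as a typed parameter instead of building the SQL
//    string from it, so the database never parses user data as SQL.
//    Table name "appointments" is assumed; the page does not show it.
function appointment_info(PDO $db, int $id): ?array
{
    $stmt = $db->prepare(
        'SELECT appointment_id AS Appointment_Id, ticket_id AS Id
           FROM appointments
          WHERE appointment_id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling: reject anything that is not a valid id up front.
$id = parse_appointment_id($_GET);
if ($id === null) {
    http_response_code(400);
    exit('Invalid appointment id');
}
echo appointment_title($id);
$info = appointment_info($db, $id);
```

The same pattern (validate, escape on output, bind in SQL) applies to every other $_GET/$_POST value the message describes as used unsanitized; PDO's prepared statements are one of the "DBI-like" options the message points to, and with PDO::ATTR_EMULATE_PREPARES set to false the parameters are sent to the server separately from the query text.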