ruqueue-devel
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Ruqueue-devel] XSS attacks and SQL injection


From: David F. Skoll
Subject: [Ruqueue-devel] XSS attacks and SQL injection
Date: Fri, 27 Feb 2009 10:12:44 -0500
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.16) Gecko/20080707 Thunderbird/2.0.0.16 Mnenhy/0.7.5.0

Hi,

I heard of ruQueue via a Slashdot article, so I downloaded it.  I took
a quick look at the code and noticed many places where XSS attacks and
SQL injection can happen.

ru-queue-1.2.2.tar.gz is dated 2005, so maybe it's no longer maintained?

Here's one example, from web-interface/appointment.php:

      $id = $_GET['id'];
      $output = Head("Appointment #$id", $username, $rate) [...]

Here, we see that $id is not protected with htmlspecialchars() on output,
opening up an XSS attack.

Later on, $id is used in AppointmentInfo like this:

     SELECT appointment_id Appointment_Id, ticket_id Id, ... much deleted ...
     WHERE appointment_id=$id

As you see, $id is used unsanitized, opening up an SQL injection attack.

This unsafe handling of user-supplied data is ubiquitous. :-(  Fixing it
will be hard, but I think it should be done.  You should look into
one of the DBI-like packages for PHP that provides safe SQL generation.

Regards,

David.




reply via email to

[Prev in Thread] Current Thread [Next in Thread]