Peekay wrote:
The whole issue of 'vulnerabilities' is a mystery to me. The MyAds module was recently identified as the point of entry for an exploit, but what that means exactly I haven't a clue.
I assume most problems arise when scripts are entered into text boxes and run on the server?
Yes, that's the basic issue. Stuff gets entered into the textboxes in a form and it is carefully crafted to break the module. Since the source code for all modules is readily available, this does assist attackers in figuring out how to break into sites.
Adding text to the URL as a parameter is another way some attacks work. That is why all modules must be very careful in how they handle values that are passed in from the URL (from $_GET).
The other thing to be careful of is how data is passed into the database. For example:
Imagine code like this which handles data submitted through a textbox:
$user_submission = $_POST['textbox'];
// the submitted text is dropped into the query bare: whatever was typed becomes part of the SQL
updateDatabase("UPDATE datatable SET value=$user_submission;");
Okay, that's "pseudo code", it would not actually work in a live system, but it gets the point across.
The point is, it's not very good code because imagine the user typed this into the textbox:
any_text_attacker_wants; DELETE usertable;
So when you fill that in to the query that the code above makes on the database, you get this:
UPDATE datatable SET value=any_text_attacker_wants; DELETE usertable
So now your query is going to contain this little extra bit of code... that deletes your usertable!
Oops.
So a best practice is to always encapsulate your values in quotes, and to always do something to prevent attackers from escaping those quotes with the text they submit, i.e.:
$user_submission = $_POST['textbox'];
// backslash-escape quotes, backslashes and NUL bytes so they cannot end the quoted value early
$user_submission = mysql_real_escape_string($user_submission);
// the quotes around the value are escaped with \" so they sit inside the PHP string literal
updateDatabase("UPDATE datatable SET value=\"$user_submission\";");
That way the user submitted text is passed to the database inside " ", and all quotes in the submitted text will have the right escape characters added to them so they aren't treated as part of the syntax of the query.
--Julian
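The three situations Julian describes (no quotes, quotes that the input can close early, and a value that is handled purely as data) as a runnable added example, not code from the post. It uses Python's sqlite3 rather than PHP/MySQL, so parameter binding stands in for mysql_real_escape_string; the table names and inputs are constructed, with the post's payload adjusted so its first token is valid SQL.

```python
import sqlite3

# Constructed inputs: the post's payload with a numeric first token (a bare
# word like any_text_attacker_wants fails to parse before the second
# statement ever runs), plus a variant that closes a quoted value early.
STACKED = "0; DELETE FROM usertable;"
BREAKOUT = "x'; DELETE FROM usertable; --"


def fresh_db():
    """In-memory database with the two tables named in the post."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE datatable(value TEXT); INSERT INTO datatable VALUES('old');"
        "CREATE TABLE usertable(name TEXT); INSERT INTO usertable VALUES('alice');"
    )
    return con


def user_rows(con):
    return con.execute("SELECT COUNT(*) FROM usertable").fetchone()[0]


def update_unquoted(con, text):
    """The post's first snippet: the value is dropped into the SQL bare.
    executescript stands in for a driver that runs every statement it is given."""
    con.executescript(f"UPDATE datatable SET value={text};")


def update_quoted_unescaped(con, text):
    """Quotes added, but nothing stops the input from closing them early."""
    con.executescript(f"UPDATE datatable SET value='{text}';")


def update_parameterized(con, text):
    """Bound parameter: the driver sends the text as data, never as SQL."""
    con.execute("UPDATE datatable SET value=?;", (text,))
    return con.execute("SELECT value FROM datatable").fetchone()[0]


def demo():
    """Rows left in usertable after each variant (1 = untouched, 0 = wiped)."""
    results = {}
    con = fresh_db()
    update_unquoted(con, STACKED)
    results["unquoted"] = user_rows(con)
    con = fresh_db()
    update_quoted_unescaped(con, BREAKOUT)
    results["quoted"] = user_rows(con)
    con = fresh_db()
    stored = update_parameterized(con, BREAKOUT)
    results["param"] = (user_rows(con), stored)
    return results
```

Only the parameterized version keeps usertable intact, and it stores the hostile input verbatim as an ordinary string.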