Newsgroups: php.internals
Subject: Re: [PHP-DEV] Tainted Mode Decision
From: Markus Fischer <markus@fischer.name>
To: Ezequiel Gutesman
CC: PHP internals <internals@lists.php.net>
Date: Mon, 19 Nov 2007 23:33:16 +0100
Message-ID: <47420F2C.10901@fischer.name>
In-Reply-To: <4741F114.5000308@coresecurity.com>

Hi,

Ezequiel Gutesman wrote:
> Going back to Stefan's example:
>
>> $sql['id'] = mysql_real_escape_string($_GET['id']);
>> $query = "SELECT * FROM table WHERE id=".$sql['id']
>
> It is true that GRASP won't raise an alarm unless $sql['id'] has
> non-numeric characters. This was a design decision since our description
> of an attack does not include this example. After analyzing this
> example, we cannot see how an attacker could perform a SQL-Injection
> attack only with numeric characters; that's why GRASP will not detect
> this as an attack.

Unless I'm missing something, in this example I don't see anything
forcing 'id' to be actually numerical. Unless forced to be numerical, see
http://webappsec.org/projects/articles/091007.shtml#p4 for an example of
how to exploit it; even with mysql_real_escape_string().

- Markus
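The numeric constraint Markus points out is missing from Stefan's snippet, as an added example that is not part of the thread or of GRASP: mysql_real_escape_string() only protects quoted string literals, so an id placed unquoted in the query has to be validated as an integer (or bound as one) before it reaches SQL. The function names, the constructed sample inputs and the `$pdo` connection are assumptions of this example.

```php
<?php
// Added example: enforce that 'id' is an integer before it is used in an
// unquoted numeric context. Escaping alone cannot do this, because a value
// such as "42 abc" contains nothing that escaping would change.

/**
 * Accept only a decimal integer for 'id'; reject anything else.
 * Returns the integer on success, null on failure (caller decides the response).
 */
function require_numeric_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "42 abc", "42.0", hex, empty strings, etc.
    $id = filter_var(trim($raw), FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/** Stefan's query shape, but built only from a validated integer. */
function build_query(?string $raw): ?string
{
    $id = require_numeric_id($raw);
    if ($id === null) {
        return null; // refuse to build a query from non-numeric input
    }
    return 'SELECT * FROM table WHERE id=' . $id;
}

/** Preferred form: a prepared statement, so nothing is concatenated into SQL. */
function fetch_by_id(PDO $pdo, ?string $raw): ?array
{
    $id = require_numeric_id($raw);
    if ($id === null) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM table WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Constructed sample inputs standing in for $_GET['id'].
foreach (['42', ' 7 ', '42 abc', '1 OR 1', '', null] as $input) {
    $q = build_query($input);
    printf("%-10s => %s\n", var_export($input, true), $q ?? 'REJECTED');
}
```

Only the first two inputs produce a query; every other value is rejected before any SQL is built, which is the check the GRASP heuristic described above does not perform.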