php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #28906 bug in get_magic_quotes_gpc() function ??
Submitted: 2004-06-24 02:30 UTC Modified: 2004-12-15 04:13 UTC
Votes:6
Avg. Score:4.5 ± 0.8
Reproduced:4 of 5 (80.0%)
Same Version:4 (100.0%)
Same OS:1 (25.0%)
From: becki at beckspaced dot com Assigned:
Status: Closed Package: Unknown/Other Function
PHP Version: Irrelevant OS: suse linux
Private report: No CVE-ID: None
 [2004-06-24 02:30 UTC] becki at beckspaced dot com
Description:
------------
hello ,
seems to be a bit of a strange thing with this get_magic_quotes_gpc() function ! found this strange behaviour with PHP because of the widley used advanced guestbook 2.3.1 at http://proxy2.de ! there's an exloit available on the internet =>

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-04/0290.html

anyway .. while testing the exploit on my runing online server with Suse linux 8.1 and PHP 4.2.2 the exploit worked fine at the first time. but today, the day after, it doesn't work at all and get_magic_quotes_gpc() function seems to work fine ! but it does NOT all the time !! really strange behaviour !!

also tested this exploit on my development server with suse linux 9.0 and PHP 4.3.3 and it doesn't work ... or probably sometimes does ... still don't know exactly as PHP doesn't seem to do the same thing all the time !! really strange !

then went on the internet and looked for all these guestbooks at google.com => http://www.google.com/search?q=advanced+guestbook+proxy2+HTML+code+is+disabled&ie=UTF-8&hl=en&btnG=Google+Search&meta=

on some guestbooks the exploit works and on others not ! they all use different PHP versions .... starting from 4.2.2 up to 4.3.7 and have to say the exploit worked perfectly also with version 4.3.7 !!

but it does ONLY sometimes ... not all the time !!!

also posted a small website on the internet with some more detailed info on this very strange behaviour of the get_magic_quotes_gpc() function =>

http://www.beckspaced.com/gb_fix/index.php

well ... hopefully someone can tell a bit more about this strange behaviour of get_magic_quotes_gpc() as it is used quite often to addslash strings before sending it to a query to the database ... SQL injection !!!

all the best
becki

a bit of code below =>

Reproduce code:
---------------
function checkPass($username,$password) {
        //global $username, $password;
    	$query = "SELECT ID FROM ".$this->table['auth']." WHERE username='$username' and password=PASSWORD('$password')";
    	$this->query($query);
        $this->fetch_array($this->result);
        return ($this->record) ? $this->record["ID"] : false;
    }

function checkSessionID() {
        global $username, $password, $session, $uid;
        if (isset($session) && isset($uid)) {
            return ($this->isValidSession($session,$uid)) ? array("session" => "$session", "uid" => "$uid") : false;
        } elseif (isset($username) && isset($password)) {
            if (!get_magic_quotes_gpc()) {
                $username = addslashes($username);
                $password = addslashes($password);
            }
            $ID = $this->checkPass($username,$password);
            if ($ID) {
                $session = $this->generateNewSessionID($ID);
                return array("session" => "$session", "uid" => "$ID");
            } else {
                return false;
            }

        } else {
            return false;
        }

    }

Expected result:
----------------
well ... i expect to do the addslashes on the $username and $password if the get_magic_quotes_gpc() function isn't turned ON in the php.ini ! if it's turned on already then the addslashes are done automatically !!

Actual result:
--------------
the actual result is weird !! sometimes it does the addslashes ... and sometimes it doesn't ;-(

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-12-15 04:13 UTC] sniper@php.net
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
http://snaps.php.net/.
 
Thank you for the report, and for helping us make PHP better.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue Mar 19 04:01:31 2024 UTC