Description:
------------
hello ,
seems to be a bit of a strange thing with this get_magic_quotes_gpc() function ! found this strange behaviour with PHP because of the widley used advanced guestbook 2.3.1 at http://proxy2.de ! there's an exloit available on the internet =>

http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-04/0290.html

anyway .. while testing the exploit on my runing online server with Suse linux 8.1 and PHP 4.2.2 the exploit worked fine at the first time. but today, the day after, it doesn't work at all and get_magic_quotes_gpc() function seems to work fine ! but it does NOT all the time !! really strange behaviour !!

also tested this exploit on my development server with suse linux 9.0 and PHP 4.3.3 and it doesn't work ... or probably sometimes does ... still don't know exactly as PHP doesn't seem to do the same thing all the time !! really strange !

then went on the internet and looked for all these guestbooks at google.com => http://www.google.com/search?q=advanced+guestbook+proxy2+HTML+code+is+disabled&ie=UTF-8&hl=en&btnG=Google+Search&meta=

on some guestbooks the exploit works and on others not ! they all use different PHP versions .... starting from 4.2.2 up to 4.3.7 and have to say the exploit worked perfectly also with version 4.3.7 !!

but it does ONLY sometimes ... not all the time !!!

also posted a small website on the internet with some more detailed info on this very strange behaviour of the get_magic_quotes_gpc() function =>

http://www.beckspaced.com/gb_fix/index.php

well ... hopefully someone can tell a bit more about this strange behaviour of get_magic_quotes_gpc() as it is used quite often to addslash strings before sending it to a query to the database ... SQL injection !!!

all the best
becki

a bit of code below =>

Reproduce code:
---------------
function checkPass($username,$password) {
        //global $username, $password;
    	$query = "SELECT ID FROM ".$this->table['auth']." WHERE username='$username' and password=PASSWORD('$password')";
    	$this->query($query);
        $this->fetch_array($this->result);
        return ($this->record) ? $this->record["ID"] : false;
    }

function checkSessionID() {
        global $username, $password, $session, $uid;
        if (isset($session) && isset($uid)) {
            return ($this->isValidSession($session,$uid)) ? array("session" => "$session", "uid" => "$uid") : false;
        } elseif (isset($username) && isset($password)) {
            if (!get_magic_quotes_gpc()) {
                $username = addslashes($username);
                $password = addslashes($password);
            }
            $ID = $this->checkPass($username,$password);
            if ($ID) {
                $session = $this->generateNewSessionID($ID);
                return array("session" => "$session", "uid" => "$ID");
            } else {
                return false;
            }

        } else {
            return false;
        }

    }

Expected result:
----------------
well ... i expect to do the addslashes on the $username and $password if the get_magic_quotes_gpc() function isn't turned ON in the php.ini ! if it's turned on already then the addslashes are done automatically !!

Actual result:
--------------
the actual result is weird !! sometimes it does the addslashes ... and sometimes it doesn't ;-(