PHP :: Bug #20124 :: Remote Format String Bug

Bug #20124	Remote Format String Bug
Submitted:	2002-10-27 13:04 UTC	Modified:	2002-10-27 18:45 UTC
From:	mark at ngssoftware dot com	Assigned:
Status:	Not a bug	Package:	IIS related
PHP Version:	4.2.3	OS:	Win2k
Private report:	No	CVE-ID:	None

View Developer Edit

[2002-10-27 13:04 UTC] mark at ngssoftware dot com

During a Pentest, I was searching for sql injection, and noticed that PHP returned the following error

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'

Internal Error

--------------------------------------------------------------------------------
File: odbc2.c 
Line: 211 
In Fcn.: sql_prepare 
Called Fcn.: SQLPrepare() returned -1 
Description: 42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ')'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near ')'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510')
 
Indicating SQL injection.  By entering 

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'A

You will notice in that the returned error message shows the 'A

Internal Error

--------------------------------------------------------------------------------
File: odbc2.c 
Line: 211 
In Fcn.: sql_prepare 
Called Fcn.: SQLPrepare() returned -1 
Description: 42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string 'A)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near 'A)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510'A)
 
To test for the poosibility of a Format String I entered the following

http://victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510'%x%x%x%x

You will note from the Error logs that a format string bug is present in Four different fields

Internal Error

--------------------------------------------------------------------------------
File: odbc2.c 
Line: 211 
In Fcn.: sql_prepare 
Called Fcn.: SQLPrepare() returned -1 
Description: 42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '51275075127680)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Line 7: Incorrect syntax near '10081b6e0ffffffffdf1eb0)'.
42000: [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be prepared.
SQL STMT: select f.faq_id, f.faq_group_id, f.lang_id, f.title, f.description, f.solution, f.created, f.updated, l1.label, l2.label from faqs f left outer join labels l1 on (f.access_id = l1.label_id) and (11 = l1.tbl) and (f.lang_id = l1.lang_id) left outer join labels l2 on (f.status = l2.label_id) and (19 = l2.tbl) and (f.lang_id = l2.lang_id) ,statuses s where (f.status = s.code) and (s.type_id = 4) and (f.access_id in (1, 2)) and (f.faq_id = 510'12fbe8cf7124b4a018b46030)
 
This format string bug is NOT dependent on there being SQL injection present.  To get the format string you just have to cause an error example

http://www.victim.com/cgi-bin/ecust.cfg/php.exe/enduser/std_adp.php?p_admin=1&p_faqid=510>

This obviously indicates that the Format String is in the Error Handling process.

Regards

Mark Litchfield
www.ngssoftware.com
Tel +44 1241 431367
email: mark@ngssoftware.com

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-10-27 14:24 UTC] sniper@php.net

What exactly you think the bug is here?
And have you read this ever:

http://www.php.net/manual/en/security.cgi-bin.php

[2002-10-27 18:45 UTC] iliaa@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

You should validate user passed input before inserting it into your SQL queries.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Mon May 12 15:01:27 2025 UTC