-
October 14th, 2008, 04:09 PM
#1
checking for security issues
I downloaded a free version of a PHP script that was dumped due to a big security hole. The problem is that I do not know where the security hole is and can't afford the expensive scripts. What would be the best way to find and fix the hole myself?
-
October 14th, 2008, 09:24 PM
#2
Re: checking for security issues
First question is what does the script do? That will lead you to the type of analysis you need to perform to try and find the issue / fix it. Please be aware though, a lot of security issues are subtle - if you're not proficient in PHP it may be difficult to find. Also, sometimes these issues have more to do with the total environment (web server being used, version of PHP, etc.) than simply a bug in the script.
If this is some variant that someone provided for free because of the security issue, but is charging for a fixed version - that's extremely poor form by the author. My advice is to drop the script - you can find other instances of code, especially in PHP, to do what you want.
-
October 14th, 2008, 10:04 PM
#3
Re: checking for security issues
It is a website template script that tracks the actions of users (the users are aware of this lol). It is broken up into many files and I have been looking at a few and I have the feeling the hole is in the file that handles login information. I uploaded the script to a site just to test out some sql injection techniques but none of that has worked so far.
I have only been playing around with it for a day but I think this is the part with the hole:
Code:
    $username = $_POST['username'];      // raw, unvalidated user input
    $password = $_POST['password'];
    $enpassword = md5(base64_encode(md5($password))); // hash form stored in the users table
    $cookiepass = md5($password);
    $time = time();
    $autologin = $_POST['autologin'];
    if ($username != NULL && $password != NULL) {
        include("includes/db.php");
        // $username is interpolated straight into the SQL string
        $usercheck = mysql_query("SELECT * from users WHERE username='$username'and password='$enpassword'");
-
October 14th, 2008, 10:26 PM
#4
Re: checking for security issues
Code:
    $usercheck = mysql_query("SELECT * from users WHERE username='$username'and password='$enpassword'");
This is very much a SQL Injection vulnerability. Basically, the user is able to enter whatever they want with no checks on content. A user could theoretically enter the following:
It'd need to be fiddled with a bit based on the actual database to get full info - or the nastier method is to delete tables, change passwords, add entries, etc.
To fix it, the strings need to be escaped. I'm not as aware of how to fix these in PHP - Peejavery or one of the other guys may be able to help further there....
-
October 15th, 2008, 07:01 AM
#5
Re: checking for security issues
Ouch. I wouldn't have that code live if I were you.
PHP 4 and 5 come with Magic Quotes. This will automatically escape all client to server passed variables (GET & POST). However, not all PHP configurations have this turned on. In fact, for PHP 6 it has been deprecated. So, here is what I would suggest doing at the top of every page where you process GET or POST variables.
PHP Code:
    <?php
    // mysql_real_escape_string() needs an open mysql connection, so the
    // database include must run before this block.
    if (!get_magic_quotes_gpc()) {
        foreach ($_POST as $k => $v) { // you can also change this to $_GET for URL variables
            $_POST[$k] = mysql_real_escape_string($v);
        }
    }
    ?>
If the post was helpful...Rate it! Remember to use [code] or [php] tags.
-
October 15th, 2008, 01:38 PM
#6
Re: checking for security issues
Thank you. I figured that was the issue and I did try to inject
but I just realized the reason it didn't work was that there were no users registered to the database.
PeejAvery - for the solution you posted, can I just add that to one of the main include files, so this way I don't have to go into every file and change it manually?
-
October 16th, 2008, 06:43 AM
#7
Re: checking for security issues
Sure. Just make sure that the includes file is on every page where POST or GET data is acquired.
If the post was helpful...Rate it! Remember to use [code] or [php] tags.
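As an added example (not code from the thread's script or from any poster), here is the login lookup from post #3 rewritten with a mysqli prepared statement, the approach that replaced escaping and the `mysql_*` functions (removed in PHP 7). It keeps the thread's stored hash derivation so existing rows still match; the function name `checkLogin`, the `id` column and the connection credentials are placeholders, and `get_result()` assumes the mysqlnd driver.

```php
<?php
// Added example, not the original script. Same lookup as post #3, but the
// user-supplied values are bound as parameters and never become SQL text.
function checkLogin(mysqli $db, string $username, string $password): ?array
{
    // Reject empty input up front instead of relying on the query to fail.
    if ($username === '' || $password === '') {
        return null;
    }

    // Same derivation the original script stores, so existing rows keep working.
    // md5 is not a password hash; migrate to password_hash()/password_verify()
    // once the stored format can be changed.
    $enpassword = md5(base64_encode(md5($password)));

    // The ? placeholders are sent separately from the SQL, so a quote or an
    // OR clause inside $username is compared as data, not parsed as SQL.
    $stmt = $db->prepare(
        'SELECT id, username FROM users WHERE username = ? AND password = ? LIMIT 1'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $username, $enpassword);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // requires mysqlnd (assumption)
    $stmt->close();

    return $row ?: null;
}

// Usage with the same POST fields the original reads; credentials are placeholders.
$db = new mysqli('localhost', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
$db->set_charset('utf8mb4'); // keep client and server charset in agreement

$user = checkLogin($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    // Same response for unknown user and wrong password.
    http_response_code(401);
    echo 'Login failed';
} else {
    // Escape on output so a stored username cannot inject HTML.
    echo 'Welcome, ' . htmlspecialchars($user['username'], ENT_QUOTES, 'UTF-8');
}
```

With this in place the per-page escaping loop from post #5 is no longer needed for the login query, since the binding happens at the statement rather than on the raw `$_POST` array.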