From: becki at beckspaced dot com
Operating system: suse linux
PHP version: Irrelevant
PHP Bug Type: Unknown/Other Function
Bug description: bug in get_magic_quotes_gpc() function ??
Description:
------------
hello, seems to be a bit of a strange thing with this get_magic_quotes_gpc() function!

found this strange behaviour with PHP because of the widely used advanced guestbook 2.3.1 at http://proxy2.de! there's an exploit available on the internet => http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2004-04/0290.html

anyway .. while testing the exploit on my running online server with Suse linux 8.1 and PHP 4.2.2 the exploit worked fine the first time. but today, the day after, it doesn't work at all and the get_magic_quotes_gpc() function seems to work fine! but it does NOT all the time!! really strange behaviour!!

also tested this exploit on my development server with suse linux 9.0 and PHP 4.3.3 and it doesn't work ... or probably sometimes does ... still don't know exactly as PHP doesn't seem to do the same thing all the time!! really strange!

then went on the internet and looked for all these guestbooks at google.com => http://www.google.com/search?q=advanced+guestbook+proxy2+HTML+code+is+disabled&ie=UTF-8&hl=en&btnG=Google+Search&meta=

on some guestbooks the exploit works and on others not! they all use different PHP versions .... starting from 4.2.2 up to 4.3.7 and have to say the exploit worked perfectly also with version 4.3.7!! but it does ONLY sometimes ... not all the time!!!

also posted a small website on the internet with some more detailed info on this very strange behaviour of the get_magic_quotes_gpc() function => http://www.beckspaced.com/gb_fix/index.php

well ... hopefully someone can tell a bit more about this strange behaviour of get_magic_quotes_gpc() as it is used quite often to addslash strings before sending them in a query to the database ... SQL injection!!!

all the best
becki

a bit of code below =>

Reproduce code:
---------------
<?php
// Excerpt from the guestbook's authentication class. $this->table,
// $this->query(), $this->fetch_array(), $this->result, $this->record,
// $this->isValidSession() and $this->generateNewSessionID() are defined
// elsewhere in that class.
function checkPass($username, $password)
{
    //global $username, $password;
    // $username and $password are interpolated directly into the SQL string;
    // escaping depends on magic_quotes_gpc or on the addslashes() calls
    // in checkSessionID().
    $query = "SELECT ID FROM " . $this->table['auth'] . "
        WHERE username='$username' and password=PASSWORD('$password')";
    $this->query($query);
    $this->fetch_array($this->result);
    return ($this->record) ? $this->record["ID"] : false;
}

function checkSessionID()
{
    // $username, $password, $session and $uid are expected to be populated
    // from the request (register_globals style).
    global $username, $password, $session, $uid;
    if (isset($session) && isset($uid)) {
        return ($this->isValidSession($session, $uid))
            ? array("session" => "$session", "uid" => "$uid")
            : false;
    } elseif (isset($username) && isset($password)) {
        // escape manually only if PHP did not already do it via magic_quotes_gpc
        if (!get_magic_quotes_gpc()) {
            $username = addslashes($username);
            $password = addslashes($password);
        }
        $ID = $this->checkPass($username, $password);
        if ($ID) {
            $session = $this->generateNewSessionID($ID);
            return array("session" => "$session", "uid" => "$ID");
        } else {
            return false;
        }
    } else {
        return false;
    }
}
?>

Expected result:
----------------
well ... i expect to do the addslashes on the $username and $password if the get_magic_quotes_gpc() function isn't turned ON in the php.ini! if it's turned on already then the addslashes are done automatically!!

Actual result:
--------------
the actual result is weird!! sometimes it does the addslashes ... and sometimes it doesn't ;-(

--
Edit bug report at http://bugs.php.net/?id=28906&edit=1
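The login check in the report builds its SQL by string concatenation and relies on magic_quotes_gpc or addslashes() for escaping, which is exactly the mechanism the reporter finds unreliable. As an added example (not the guestbook's code and not part of the original report), here is the same check rewritten so that its correctness does not depend on get_magic_quotes_gpc(): any slashes the interpreter may have added are stripped, and the credentials are passed to MySQL as bound parameters of a mysqli prepared statement. The `auth` table with columns ID, username and password, the `$db` connection and the generateNewSessionID() helper are assumptions.

```php
<?php
// Added example, not from the guestbook: a login check that does not depend
// on magic_quotes_gpc() or addslashes(). Assumes a mysqli connection in $db,
// an `auth` table with columns ID, username, password (compared with MySQL's
// PASSWORD() only to mirror the original query) and a generateNewSessionID()
// helper defined elsewhere.

// Undo magic quotes if the interpreter applied them (PHP < 5.4), so the value
// bound to the query is the raw user input, never a double-escaped one.
function rawInput(array $source, $key)
{
    if (!isset($source[$key])) {
        return null;
    }
    $value = (string) $source[$key];
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    return $value;
}

// Returns the user's ID on success, false otherwise. The credentials travel
// as bound parameters, so quote characters in them cannot change the query.
function checkPass(mysqli $db, $username, $password)
{
    $stmt = $db->prepare(
        "SELECT ID FROM auth WHERE username = ? AND password = PASSWORD(?)"
    );
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $username, $password);
    $stmt->execute();
    $stmt->bind_result($id);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $id : false;
}

// Reads the credentials from $_POST explicitly instead of register_globals.
function login(mysqli $db)
{
    $username = rawInput($_POST, 'username');
    $password = rawInput($_POST, 'password');
    if ($username === null || $password === null) {
        return false;
    }
    $id = checkPass($db, $username, $password);
    if ($id === false) {
        return false;
    }
    return array('session' => generateNewSessionID($id), 'uid' => $id);
}
```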