Hello Jake, Wednesday, November 7, 2007, 1:17:14 PM, you wrote:
> Try:
> http://cl1p.net/
> I'd be willing to take a look after you post it.
> - jake
> On Nov 7, 2007 12:12 AM, <[EMAIL PROTECTED]> wrote:
>> Hello Jake,
>>
>> Wednesday, November 7, 2007, 12:52:11 PM, you wrote:
>>
>> > Without divulging who your client is, would it be possible to remove
>> > any references to their site/company from the offending code and post
>> > it here? Without access to your registration.php script I think we'll
>> > all just be wasting our time with wild guesses.
>>
>> > - jake
>>
>> > On Nov 6, 2007 11:31 PM, <[EMAIL PROTECTED]> wrote:
>> >> Hello All,
>> >>
>> >> I have a client site that has a registration form with a captcha image
>> >> that is supposed to prevent spammers from dumping their junk. The form
>> >> has two text input windows and a fair amount of personal information
>> >> is collected as well.
>> >>
>> >> I just noticed that this client has been getting regular injection
>> >> attacks that have been failing because it is a comment spammer and the
>> >> INSERT query is failing on a duplicate key error. For privacy and
>> >> security reasons I cannot post the error message, but it cites the PHP
>> >> file name and the injection looks like it is being added to one of the
>> >> text boxes.
>> >>
>> >> The form has "Required" fields as well as a check function that is
>> >> supposed to check for valid input. All of those fields are empty in the
>> >> query that failed.
>> >>
>> >> The question is, actually multiple related questions:
>> >>
>> >> First, how did that bad guy "execute" the query without hitting the
>> >> submit button or entering the captcha code, and how did it bypass the
>> >> check function? It seems like the query was sent directly to the
>> >> database through the registration.php program, but I have no clue how
>> >> that could have happened. I need to plug this hole but don't have any
>> >> idea where to start looking for it.
>> >>
>> >> I have tried running the query like registration.php?query but that
>> >> didn't work.
>> >>
>> >> Any ideas about how I can reproduce this problem would be greatly
>> >> appreciated, and any suggestions about how to fix it would be even more
>> >> greatly appreciated. 8-)
>> >>
>> >> Thanks for your attention.
>> >>
>> >> --
>> >> Best regards,
>> >> mikesz mailto:[EMAIL PROTECTED]
>> >>
>> >> _______________________________________________
>> >> New York PHP Community Talk Mailing List
>> >> http://lists.nyphp.org/mailman/listinfo/talk
>> >>
>> >> NYPHPCon 2006 Presentations Online
>> >> http://www.nyphpcon.com
>> >>
>> >> Show Your Participation in New York PHP
>> >> http://www.nyphp.org/show_participation.php
>>
>> > __________ NOD32 2642 (20071106) Information __________
>>
>> > This message was checked by NOD32 antivirus system.
>> > http://www.eset.com
>>
>> Actually, the script code is not the problem, but it's over 500 lines of
>> code so I am not sure it is appropriate to post it here?
>>
>> --
>> Best regards,
>> mikesz mailto:[EMAIL PROTECTED]

Here is the URL: http://cl1p.net/myexploitedcode/

thanks,
mikesz

--
Best regards,
mikesz mailto:[EMAIL PROTECTED]
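The thread asks how a request reached the INSERT in registration.php with the required fields empty and the captcha unanswered. The form's "Required" markers, its JavaScript check function and the captcha image only constrain a browser that renders the form; anything that talks to the script directly skips all three, so the script itself has to repeat every check before it touches the database. The handler below is an added example written for this thread, not the poster's registration.php (which is not on the page); the field names, the users table, the session key that holds the captcha answer and the PDO connection details are assumptions, and it relies on password_hash and hash_equals, which need PHP 5.5/5.6 or later.

```php
<?php
// Added example, not the poster's registration.php: a registration handler
// that re-validates everything on the server, so a request that skips the
// browser form, its JavaScript check function and the captcha is rejected
// before any INSERT runs. Field names, table name, the session key for the
// captcha answer and the PDO connection string are assumptions.
declare(strict_types=1);
session_start();

function fail(string $msg): void {
    http_response_code(400);
    echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8');
    exit;
}

// 1. Only accept the method the form actually uses.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail('Registration must be submitted with POST.');
}

// 2. "Required" is enforced here, not only by the browser.
$required = ['username', 'email', 'password', 'captcha'];
foreach ($required as $name) {
    if (!isset($_POST[$name]) || trim((string)$_POST[$name]) === '') {
        fail("Missing required field: $name");
    }
}

// 3. Captcha: compare with the answer stored in the session when the image
//    was generated, and discard it so the same answer cannot be replayed.
$expected = $_SESSION['captcha_answer'] ?? null;   // assumed session key
unset($_SESSION['captcha_answer']);
if ($expected === null || !hash_equals($expected, (string)$_POST['captcha'])) {
    fail('Captcha check failed.');
}

// 4. The same rules the JavaScript check function applies, repeated in PHP.
$username = trim((string)$_POST['username']);
$email    = trim((string)$_POST['email']);
$password = (string)$_POST['password'];
if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
    fail('Username must be 3-32 letters, digits or underscores.');
}
if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
    fail('Invalid email address.');
}
if (strlen($password) < 8) {
    fail('Password too short.');
}

// 5. Parameterised INSERT: input is bound as data and never spliced into the
//    SQL text, so quotes or SQL keywords in a field are stored, not executed.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$stmt = $pdo->prepare(
    'INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :p)'
);
try {
    $stmt->execute([
        ':u' => $username,
        ':e' => $email,
        ':p' => password_hash($password, PASSWORD_DEFAULT),
    ]);
} catch (PDOException $e) {
    // Duplicate key arrives as SQLSTATE 23000. Log the detail server-side and
    // keep the response generic, so the error text never reaches the client.
    error_log('registration failed: ' . $e->getMessage());
    fail($e->getCode() === '23000'
        ? 'That username or email is already registered.'
        : 'Registration failed.');
}
echo 'Registered.';
```

With this shape, a submission that skips the form fails at step 2 or 3 long before the INSERT, and the duplicate-key failures the poster saw in the log would instead show up as rejected requests with empty fields or a missing captcha, which is the place to look when tracing where such submissions come from.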
