Archive for the ‘PHP’ Category

MongoDB is vulnerable to SQL injection (in PHP at least)

Thursday, July 29th, 2010

It's a misconception amongst some PHP programmers that because MongoDB doesn't use SQL (queries are passed in as BSON, or as PHP arrays which the driver converts into BSON) it can't be vulnerable to injection. It is easy to show that if you're lazy and complacent when you code you can leave yourself just as exposed: the payload is a query operator rather than a quote and an OR, but the effect is the same.

Let's assume we have a table of users with a username and a password field. In MySQL you'd be asking for trouble if your authentication function did something along the lines of the following:

// vulnerable: raw request data is concatenated straight into the SQL
$sql = "SELECT * FROM users WHERE username='{$_GET['username']}' AND password='" . $_GET['password'] . "'";
$result = mysql_query($sql);
if ($result && mysql_num_rows($result) > 0) {
    do_auth();
}

And someone passed in

' OR '1'='1

into your password field. If you simply checked the response and authenticated the user whenever a row came back, the attacker would be logged in as $_GET['username'] every time, without knowing the password. The correct approach is to escape the $_GET parameters with mysql_real_escape_string() before they go into the query or, better, to use prepared statements (mysqli or PDO) so that user data never reaches the SQL parser as code.

In MongoDB you might be tempted to do something like

// vulnerable: $_GET values are passed straight into the query document
if ($result = $mongo->test->users->findOne(array("username" => $_GET['username'], "password" => $_GET['password']))) {
    do_login();
}

No query language, no SQL injection, right? Wrong. Epic fail. Don't forget that in PHP, appending [] to a parameter name in the request turns $_GET['variable'] into an array:

http://woot.php?variable[]=hello

$_GET['variable'] is now the PHP array array(0 => 'hello'). We can even choose the key of the array, like this:

http://woot.php?variable[$ne]=hello

Now $_GET['variable'] is the PHP array array('$ne' => 'hello'). When this is passed to MongoDB as the password parameter it is no longer a string to compare against but an operator document, {password: {$ne: 'hello'}}, which reads "password does not equal 'hello'" and therefore matches any user whose password isn't 'hello'. Combined with a known username, the login succeeds every time. (Note the $ prefix: MongoDB's query operators are $ne, $gt, $regex and so on, and the key has to carry the $ for the driver to treat it as an operator rather than a field name.)

What can you do? Validate your input. Never let an array reach the driver where you expect a scalar: check is_string() on each parameter before building the query (casting with (string) at least turns an array into the literal 'Array' rather than an operator, but rejecting the request outright is cleaner). Surprisingly there isn't a function built into the mongo PECL extension to do this. With more and more large sites turning to MongoDB it's only going to be a matter of time before a large website is found to be vulnerable to this type of attack.
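The whole chain in one script, as an added example that is not code from the original post: PHP turns the query string into a nested array, the naive filter passes that array to MongoDB as an operator document, and a scalar check stops it. The user record, the query strings and the in-memory stand-in for findOne() are constructed for this demo so that it runs without a database; against the real driver the filters built here would go to $collection->findOne() unchanged.

```php
<?php
// Added example, not code from the original post. The user list, the query
// strings and fakeFindOne() are constructed so the script runs offline.

/** Build the filter exactly as the vulnerable snippet in the post does. */
function naiveFilter(array $get): array
{
    return ['username' => $get['username'], 'password' => $get['password']];
}

/**
 * Accept only a plain string. The attacker controls the query string, so
 * rejecting arrays here means no operator ($ne, $gt, $regex, ...) can ever
 * reach the driver through this parameter.
 */
function requireScalar(array $get, string $key): string
{
    if (!isset($get[$key]) || !is_string($get[$key])) {
        throw new InvalidArgumentException("parameter '$key' must be a string");
    }
    return $get[$key];
}

function safeFilter(array $get): array
{
    return [
        'username' => requireScalar($get, 'username'),
        'password' => requireScalar($get, 'password'),
    ];
}

/**
 * Stand-in for $collection->findOne($filter) over a constructed user list.
 * It implements just enough of MongoDB's matching (equality and $ne) to
 * show why the injected array matches.
 */
function fakeFindOne(array $filter): ?array
{
    $users = [['username' => 'admin', 'password' => 's3cret']];   // constructed
    foreach ($users as $doc) {
        $match = true;
        foreach ($filter as $field => $cond) {
            if (is_array($cond)) {            // operator document, e.g. ['$ne' => 'hello']
                foreach ($cond as $op => $val) {
                    if ($op !== '$ne') {
                        throw new RuntimeException("demo only supports \$ne, got $op");
                    }
                    if (($doc[$field] ?? null) === $val) {
                        $match = false;
                    }
                }
            } elseif (($doc[$field] ?? null) !== $cond) {
                $match = false;
            }
        }
        if ($match) {
            return $doc;
        }
    }
    return null;
}

// The attacker knows a username but not the password.
parse_str('username=admin&password[$ne]=hello', $evil);
var_export($evil['password']);
echo "\n";

// Vulnerable path: the operator document is passed straight through.
echo "naive login: ", fakeFindOne(naiveFilter($evil)) ? "success" : "denied", "\n";

// Hardened path: the array is rejected before any query is built.
try {
    fakeFindOne(safeFilter($evil));
    echo "safe login: success\n";
} catch (InvalidArgumentException $e) {
    echo "safe login: rejected (", $e->getMessage(), ")\n";
}

// A normal request still authenticates.
parse_str('username=admin&password=s3cret', $ok);
echo "normal login: ", fakeFindOne(safeFilter($ok)) ? "success" : "denied", "\n";
```

parse_str() populates $evil the same way PHP populates $_GET for the request, so the first var_export shows the array the driver would receive. The same requireScalar() guard belongs in front of every parameter that ends up in a query document, including ones that are merely logged or echoed, because $_POST and $_COOKIE are parsed into arrays in exactly the same way.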

Creating a JQuery and PHP powered chess engine

Sunday, June 20th, 2010

I'm currently writing a fully functioning chess engine in PHP with a JQuery front end. It's going to support a dictionary of openings, endgame tables, pondering, and a minimax game tree with alpha-beta pruning.

Check out a screen shot below

PHPChess

Hopefully I'll have something up which people can play by the end of the week, though it might not support all the features mentioned above straight away.

Update, 29th July: I got side-tracked with some other stuff. I'm still working on this, it's just going to take a while to finish off. So far I've got a basic move generator which passes perft tests; I'm still working on the board evaluation function.

How not to advertise for a PHP programming job

Wednesday, October 28th, 2009

So I got an email today for a job in Tower Hill (that's central London). The job came with a simple programming test: write a script that parsed a tab-separated file and produced a batch script as the output. They kindly provided a working copy of their solution on their website so you could validate the output of your code.

If I were going to advertise a job and provide an online example of my own code, I'd make darn sure, unless the sole purpose of the online code was to find someone who knew what an XSS flaw was, that the script I sent a prospective employee to wasn't vulnerable to Cross Site Scripting. Eeek. Worse still, their script accepted either GET or POST variables as input (they were probably reading $_REQUEST rather than $_POST or $_GET in their code), so it was possible to craft a plain link that injected HTML straight into their website; a reflected XSS that only worked over POST would at least need the victim to submit a form.

Screenshot of the flaw, with 'Cheese!!' being injected into the page.

You can mitigate these attacks by encoding variables for the context they are displayed in, rather than trusting them on the way in. If you are expecting an integer, intval() (or a strict check that the value really is an integer) is fine. For text going into an HTML page use htmlspecialchars() with ENT_QUOTES and an explicit charset (htmlentities() works too), so that quotes and angle brackets cannot close the attribute or tag you are writing into. Anything going into a database needs mysql_real_escape_string() on every variable (mysql_escape_string() ignores the connection's character set) or, better still, prepared statements.
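A minimal version of the "echo a parameter back" page, first with the flaw described above and then with output encoding, as an added example (not the company's script or code from the original post). The payload and the request arrays are constructed; e() and intParam() are helper names chosen for this demo.

```php
<?php
// Added example, not code from the original post. $payload and $post are
// constructed inputs standing in for what $_REQUEST / $_POST would hold.

/** HTML-encode for text nodes and for double- or single-quoted attributes. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** The flaw: the parameter is echoed straight into the page. */
function renderVulnerable(string $name): string
{
    return "<p>Hello, $name</p>\n<input name=\"q\" value=\"$name\">";
}

/** Hardened: same markup, every interpolation goes through e(). */
function renderSafe(string $name): string
{
    return "<p>Hello, " . e($name) . "</p>\n<input name=\"q\" value=\"" . e($name) . "\">";
}

/**
 * Integer parameters are validated, not encoded. Returns null unless the
 * value is a non-negative integer, so "12abc" and arrays are both rejected.
 */
function intParam(array $source, string $key): ?int
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return null;
    }
    $v = filter_var($source[$key], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

// Constructed payload: closes the value="" attribute, then injects a script.
$payload = '"><script>alert(\'Cheese!!\')</script>';

echo "--- vulnerable ---\n", renderVulnerable($payload), "\n\n";
echo "--- encoded ---\n", renderSafe($payload), "\n\n";

// Read parameters from the superglobal you actually mean ($_POST for anything
// that changes state), never from $_REQUEST, so a bare link cannot trigger it.
$post = ['lines' => '12abc', 'page' => '7'];     // constructed stand-in for $_POST
var_dump(intParam($post, 'lines'));
var_dump(intParam($post, 'page'));
```

In the encoded output the payload's quote and angle brackets come out as entities, so it stays inside the attribute and renders as text. Encoding is done at the moment of output because the same string needs a different treatment in a URL, in JavaScript or in SQL; escaping once "on input" for HTML would still leave those other contexts open.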

As I've not alerted the company to the flaw I won't post the URL to the exploit. Luckily the page in question can't be found in Google's index. I wonder if anyone else will notice…

Problems with wordpress 404 page not showing

Friday, September 11th, 2009

I recently had an issue with the 404 page not displaying in WordPress. I Googled heavily and couldn't find the solution to my problem. The issue was causing a blank page to appear (the theme itself appeared but not the text in 404.php) and there were no visible errors. I was pretty certain there was nothing wrong with my theme, mainly because there were no PHP errors showing and get_404_template() returned the correct location of my 404.php file.

After reading this post on the WordPress support forums I wondered if it might be a server setting. Looking further into the is_404 function I discovered that it was being set by the set_404 function, which was being called in wp-includes/classes.php from handle_404. This was where I found my issue. Inside handle_404 you find the following line:


<?php
if ( (0 == count($wp_query->posts)) && !is_404() && !is_search() && (
    $this->did_permalink || (!empty($_SERVER['QUERY_STRING']) && (false ===
    strpos($_SERVER['REQUEST_URI'], '?'))) ) ) {
?>

which checks $_SERVER['QUERY_STRING']. This wasn't being set on my server, for reasons that I'm still not 100% clear about. Anyway, removing the $_SERVER['QUERY_STRING'] check from the if statement solved the problem for the meantime and my 404 pages now work like a charm. I'm currently still trying to work out what's causing QUERY_STRING to become unset; I'll let you know when I've worked it out.

Detecting a fake email address using Markov chains

Saturday, August 22nd, 2009

A Markov chain is a set of states where the next state depends only on the current one. Applied to letters, a chain trained on a body of text can generate "real-looking" words. By the same method we can decide whether a string is a plausible word or a load of garbage by looking at each letter and the letter that follows it: if the probability of letter N+1 coming after letter N is very small, the chance of the string being a word is very small.

When users sign up with a fake email address they tend not to put much thought into the name part of the address; something like sdfjsldkf87we@example.com is a good example. To filter these addresses out we can take a dictionary, calculate the probability of the next letter (N+1) given the previous letter (N), and compare that with what we observe in the suspect address. If the probability of the next letter is repeatedly low then we can say that the email address is probably fake.

My algorithm scores each email, giving it a point each time letter N+1 never follows letter N in the dictionary and reducing the score by 1 for every 12 characters in the address. This length adjustment helps to reduce the number of false positives on long but legitimate names. I only check the local part of the address, that is, the part before the @.

You'll probably wonder how the code deals with non-alphanumeric characters: I just strip them out and convert the whole email to lower-case. There is probably a better method for doing this but my existing system seems to work quite well. The table below shows my algorithm running on a few sample email addresses. I consider an email with a score of 3 or more to be dodgy.

E-mail Score
phil.hilton@markov-email.com 0
bill.gates@microsoft.com 0
sdfioghsjfkg@gmail.com 3
tracy93@wow-markov.net 0
pzrjmt@yahoo.com 4
gquixdmd@yahoo.com 3
svcmgr1461@yahoo.com 3
hjjjh_hjjh@yahoo.com 7
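The scoring rule described above, written out in full as an added example: this is not the post's markov.php or its markovChain.dat. A first-order letter Markov model is trained from a word list, and each address gets one point per transition that never occurs in the dictionary, minus one per 12 characters, with "dodgy" at a score of 3 or more. The built-in word list is a small constructed sample, so scores will not match the table above until $dictFile points at a real dictionary such as /usr/share/dict/words. Skipping transitions that involve a digit is my choice, not necessarily the post's: dictionary words contain no digits, so counting them would penalise every "tracy93".

```php
<?php
// Added example, not the post's own code. The fallback word list and the
// sample addresses are constructed; the digit rule is an assumption.

const DODGY_THRESHOLD = 3;

/** Normalise as the post does: local part only, lower-case, [a-z0-9] only. */
function normaliseLocalPart(string $email): string
{
    $local = strstr($email, '@', true);
    if ($local === false) {
        $local = $email;
    }
    return preg_replace('/[^a-z0-9]/', '', strtolower($local));
}

/** Count letter bigrams in the dictionary: [$prev => [$next => count]]. */
function trainTransitions(iterable $words): array
{
    $t = [];
    foreach ($words as $word) {
        $w = preg_replace('/[^a-z]/', '', strtolower($word));
        for ($i = 1, $n = strlen($w); $i < $n; $i++) {
            $t[$w[$i - 1]][$w[$i]] = ($t[$w[$i - 1]][$w[$i]] ?? 0) + 1;
        }
    }
    return $t;
}

/** P(next | prev) from the counts; 0.0 when the pair was never seen. */
function transitionProbability(array $t, string $prev, string $next): float
{
    if (empty($t[$prev])) {
        return 0.0;
    }
    return ($t[$prev][$next] ?? 0) / array_sum($t[$prev]);
}

/** The post's score: +1 per impossible transition, -1 per 12 characters. */
function scoreEmail(array $t, string $email): int
{
    $s = normaliseLocalPart($email);
    $score = 0;
    for ($i = 1, $n = strlen($s); $i < $n; $i++) {
        if (ctype_digit($s[$i - 1]) || ctype_digit($s[$i])) {
            continue;   // assumption: a boundary next to a digit is neutral
        }
        if (transitionProbability($t, $s[$i - 1], $s[$i]) == 0.0) {
            $score++;
        }
    }
    return $score - intdiv(strlen($s), 12);
}

function isDodgy(array $t, string $email): bool
{
    return scoreEmail($t, $email) >= DODGY_THRESHOLD;
}

// Use a real dictionary when one is available; otherwise a constructed sample.
$dictFile = '/usr/share/dict/words';
$words = is_readable($dictFile)
    ? file($dictFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
    : ['phil', 'hilton', 'bill', 'gates', 'tracy', 'william', 'service',
       'manager', 'about', 'after', 'again', 'before', 'being', 'could',
       'every', 'first', 'great', 'house', 'large', 'little', 'never',
       'other', 'people', 'place', 'right', 'small', 'still', 'their',
       'thing', 'think', 'three', 'under', 'water', 'where', 'world',
       'would', 'write', 'young', 'quick', 'brown', 'jumps', 'lazy'];

$transitions = trainTransitions($words);

// Constructed sample addresses, taken from the kinds shown in the table above.
foreach (['phil.hilton@markov-email.com', 'sdfioghsjfkg@gmail.com',
          'tracy93@wow-markov.net', 'hjjjh_hjjh@yahoo.com'] as $email) {
    printf("%-32s score %2d %s\n", $email, scoreEmail($transitions, $email),
           isDodgy($transitions, $email) ? 'DODGY' : 'ok');
}
```

The transition table is the only state, so it can be built once from the dictionary and serialised, which is what a pre-calculated file like the post's markovChain.dat would hold. A zero count is treated as "impossible" exactly as the post does; if you want a softer rule, compare transitionProbability() against a small threshold instead of zero, and tune DODGY_THRESHOLD against a sample of known-good addresses, because a short dictionary will flag legitimate names built from initials.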

This method isn't fool-proof, but it is pretty good at detecting bad email addresses and you could use it alongside additional checks on the user's account to detect fraudulent activity. There will be some false positives, mainly with people whose email addresses rely heavily on their initials, and I'm sure it's only a matter of time before the people committing the fraud start using Markov-compliant email addresses.

Download my code. There are two main files: markov.php, which contains example code, and markovChain.dat, which contains a pre-calculated Markov chain.