If the language developers cannot get it right...



  • http://www.zend.com/'coolsqlinjection

    That actually suprised me as they <a href="http://www.zend.com/en/behind-the-site>claim to use Zend_Db</a> on which using non-parameterized queries are actually more trouble than parameterized queries (assuming query uses single quotes instead of double ones. But after seeing that, I doubt they are using them...).</p> <p>(I actually did send their security team a message regarding this 2 or 3 weeks ago, but since they haven't contacted back nor fixed it, I might as well post it)</p>



  • @Buzer said:

    (I actually did send their security team a message regarding this 2 or 3 weeks ago, but since they haven't contacted back nor fixed it, I might as well post it)

    It seems they fixed it now (you just get a 'not found' page).  Maybe TDWTF was just what the doctor ordered :-)



  • @arty said:

    It seems they fixed it now (you just get a 'not found' page).  Maybe TDWTF was just what the doctor ordered :-)

    Still seems to work? (of course, the update might not have been propagated over their whole cluster yet, but that would be wtf as well)



  • @Buzer said:

    @arty said:
    It seems they fixed it now (you just get a 'not found' page).  Maybe TDWTF was just what the doctor ordered :-)

    Still seems to work? (of course, the update might not have been propagated over their whole cluster yet, but that would be wtf as well)
     

    Aha... Only works when the client is IE.  /me stand corrected.

    Edit note: I only tested firefox and IE.  Maybe other browsers are more IErrific too.



  • @arty said:

    @Buzer said:

    @arty said:
    It seems they fixed it now (you just get a 'not found' page).  Maybe TDWTF was just what the doctor ordered :-)

    Still seems to work? (of course, the update might not have been propagated over their whole cluster yet, but that would be wtf as well)
     

    Aha... Only works when the client is IE.  /me stand corrected.

    Edit note: I only tested firefox and IE.  Maybe other browsers are more IErrific too.

    It also "works" (or doesn't work, in that it displays the SQL error) in Opera.



  • @arty said:

    @Buzer said:

    @arty said:
    It seems they fixed it now (you just get a 'not found' page).  Maybe TDWTF was just what the doctor ordered :-)

    Still seems to work? (of course, the update might not have been propagated over their whole cluster yet, but that would be wtf as well)
     

    Aha... Only works when the client is IE.  /me stand corrected.

    Edit note: I only tested firefox and IE.  Maybe other browsers are more IErrific too.

     

    Huh... doesn't work on Firefox with fake IE user agent either. Any idea what IE does different?

    <edit> Apparently it works on everything except Firefox. I'm baffled.



  • @PSWorx said:

    Huh... doesn't work on Firefox with fake IE user agent either. Any idea what IE does different?

    <edit> Apparently it works on everything except Firefox. I'm baffled.

    Clearly all hackers use Firefox, so there's no point wasting processor cycles escaping inputs from any other browser...

    ...

    ...



  • Breakage is visible if you visit 'coolsqlinjection, but not if your browser transforms it into %27coolsqlinjection



  • It gets even better... it seems they're using the raw URL string! Try:



    '); -- coolsqlinjection



    The %xx encoded chars are being passed straight in to the database!



  • Fascinating. The link goes to a 404 now.



  • @PSWorx said:

    [quote user="arty"]

    [quote user="Buzer"][quote user="arty"]It seems they fixed it now (you just get a 'not found' page).  Maybe TDWTF was just what the doctor ordered :-)


    Still seems to work? (of course, the update might not have been propagated over their whole cluster yet, but that would be wtf as well)[/quote] 

    Aha... Only works when the client is IE.  /me stand corrected.

    Edit note: I only tested firefox and IE.  Maybe other browsers are more IErrific too.

    [/quote] 

    Huh... doesn't work on Firefox with fake IE user agent either. Any idea what IE does different?

    <edit> Apparently it works on everything except Firefox. I'm baffled.

    [/quote]

    I believe Firefox translates the URLs behind the scenes to replace the quazi-legal characters with percent-encoding and doesn't tell the user. IE, Opera, and other browsers just send the request with the characters unencoded. Obviously, the site treats encoded strings different then non-encoded strings.



  • @MiffTheFox said:

    I believe Firefox translates the URLs behind the scenes to replace the quazi-legal characters with percent-encoding and doesn't tell the user. IE, Opera, and other browsers just send the request with the characters unencoded. Obviously, the site treats encoded strings different then non-encoded strings.

     

    Hmm, that makes sense. Of course, the people that will welcome that behavoir most are the crackers, since it gives clueless web admins a nice false sense of security... As we see here. You can connect to a web server with something other than a browser? NO WAI!

    Then again, since percent-encoding is already a WTF of its own, maybe the W3C is the culprit... as usual...



  •  I'm project lead for Zend Framework, and was involved with the current version of zend.com previous to moving full-time to the Zend Framework team two years ago.

    Much of zend.com is powered by third-party software.  The SQL injection reported here was never hitting Zend Framework, and certainly not Zend_Db; indeed, if you look at the error messages presented, they are straight from PHP's mysql functions. Zend_Db throws exceptions when it encounters error conditions, which result in much different output than what was dispayed.

    The vendors of the third-party software in question issued a patch for the SQL injection, and that patch has since been applied; this is why the issue no longer presents itself. The 404 page presented is standard throughout the site for pages that do not exist.

    Zend_Db itself uses prepared queries under the hood, and you have to work pretty hard to bypass this in order to pass unfiltered SQL to the engine. I can say with absolute confidence that those working on the areas of zend.com that utilize Zend Framework are using Zend_Db correctly, and ensuring that only prepared queries are used.  

    The Zend Framework team will work more closely with those working on zend.com to ensure that security issues like this do not go unpatched.



  • Matthew, can we get a public flogging of the third party? Please? Pretty please? Schadenfreude is the very force behind all that is TDWTF.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.