Can you help me with a script that will accomplish the following:
either a prepared statement for SQL queries, OR some kind of script that will limit what people can pass through the URL. I would like to see queries passed via POST only, but I do not know how to do that. I have a library of data sanitizing functions added to your data sanitization. This helps with scripts.
The problem is that even if I set VERY limited permissions for user_id=0 in phpMyAdmin, I still see that someone can pass a SQL sub-statement and get the user name and password for the users. Once they do that, they have admin privileges. Can you give me something, a script or remedy, that will limit user_id=0 to only being able to select from the refs table and NO other table, and will limit what gets passed as a query to only the fields in the refs table?
I have already restricted user_id=0 and user_id=1 (which is user@refbase) in phpMyAdmin to select only from the refs table. But, this appears to do no good when the sub SQL query is passed directly via the url.
Please help. My database has already been hacked and taken down by my organization because the hackers got into a higher directory through the URL. So, I rebuilt the database using the most recent version of refbase, and the SQL injection is still possible in this latest version.
Please contact us by email if you think that you are reporting unpatched security issues:
which version are you running? SVN bleeding-edge branch?
What library are you running for additional sanitization?
An example of a URL that you think is *not* sanitized?
Accepting only POST and not GET is technically possible, but offers no additional security (save through obscurity) & actually does have a few complications.
It isn't clear to me what you are doing in phpMyAdmin (which would not use the refbase user table).
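For the two things asked for above (a prepared statement for the SELECT, and a way to limit requests to the fields of the refs table), here is an added example in PHP. It is not refbase code; the column names, the request parameter names, the DSN and the credentials are assumptions. Whether the values arrive by GET or POST makes no difference to its safety, which comes from the allow-list and from binding values as parameters.

```php
<?php
// Added example, not part of refbase. Parameterised SELECT on the `refs`
// table with an allow-list of column names. Column names, parameter names,
// DSN and credentials below are assumptions, not taken from refbase.
declare(strict_types=1);

// Only these columns of `refs` may be named by a request (assumed names).
const REFS_ALLOWED_COLUMNS = ['serial', 'author', 'title', 'year', 'publication'];

/**
 * Build a SELECT on `refs` limited to allow-listed columns.
 * Identifiers cannot be bound as parameters, so every column name is checked
 * against the allow-list; the filter value is bound, never concatenated.
 *
 * @param string[] $columns  columns to return
 * @param string   $where    column to filter on
 * @param string   $value    user-supplied filter value (treated as data only)
 * @return array{0:string,1:array<string,string>}  [sql, bound params]
 */
function buildRefsQuery(array $columns, string $where, string $value): array
{
    foreach (array_merge($columns, [$where]) as $col) {
        if (!is_string($col) || !in_array($col, REFS_ALLOWED_COLUMNS, true)) {
            throw new InvalidArgumentException('Column not permitted in refs query');
        }
    }
    $select = implode(', ', array_map(fn(string $c): string => "`$c`", $columns));
    $sql = "SELECT $select FROM `refs` WHERE `$where` = :value LIMIT 100";
    return [$sql, [':value' => $value]];
}

// Read the request (assumed parameter names), then run the prepared statement.
$columns = (array) ($_POST['fields'] ?? ['author', 'title', 'year']);
$where   = (string) ($_POST['where'] ?? 'year');
$value   = (string) ($_POST['value'] ?? '');

[$sql, $params] = buildRefsQuery($columns, $where, $value);

// The MySQL account used here should hold only SELECT on `refs`, matching
// the grant already applied in phpMyAdmin; nothing else is needed by this page.
$pdo = new PDO('mysql:host=localhost;dbname=refbase;charset=utf8mb4', 'refs_reader', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepare: the bound value is never parsed as SQL
]);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
foreach ($stmt->fetchAll(PDO::FETCH_ASSOC) as $row) {
    echo htmlspecialchars(implode(' | ', $row), ENT_QUOTES, 'UTF-8'), "\n";
}
```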
I'd like to provide our other users a brief update on this. While there is not yet evidence of a vulnerability in the default installation, we have discovered an issue in deployments that are configured in a way that we have advised against. We will likely address this by detecting the configuration and strongly advising an administrator against running this way and/or by taking a "boot and suspenders" view by modifying our filters.