
#2 SQL injection vulnerabilities

Milestone: 1.0
Status: accepted
Owner: Roland H
Labels: security (1)
Priority: 5
Updated: 2013-08-21
Created: 2013-08-20
Private: No

Just from looking at welcome.php I noticed two grave security problems. First, no care was taken to prevent SQL injections. From welcome.php:
$passdb = mysql_fetch_array(mysql_query("SELECT password FROM users WHERE username='$_REQUEST[name]'"));
This seems to be a problem with every single php file in this project.
Also, md5 (without salt!) is a terrible choice for hashing passwords. If anyone is using this software on a machine that is connected to the internet, all data including passwords should be considered compromised.
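As an added illustration (not code from HES or from the ticket author), here is the quoted welcome.php lookup kept as-is for contrast, beside the same lookup written as a PDO prepared statement so the request value never becomes part of the SQL text. The connection parameters, the `users` table with `username` and `password` columns, and the `$dbUser`/`$dbPass` placeholders are assumptions.

```php
<?php
// Added example, not HES project code. Assumes a MySQL database reachable
// via PDO and a table `users` (username, password); $dbUser and $dbPass are
// placeholders for real credentials.

// --- The pattern quoted in the ticket (deliberately left vulnerable) ---
// $name is pasted into the SQL string. A single quote in the submitted
// value ends the string literal early and the remainder is parsed as SQL,
// so the query's structure is controlled by whoever fills in the form.
function lookupHashVulnerable($name)
{
    $row = mysql_fetch_array(mysql_query(
        "SELECT password FROM users WHERE username='$name'"));
    return $row ? $row['password'] : null;
}

// --- Hardened version: parameter binding instead of string building ---
function connect($dbUser, $dbPass)
{
    return new PDO('mysql:host=localhost;dbname=hes;charset=utf8', $dbUser, $dbPass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, never silently
        PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
    ]);
}

function lookupHashSafe(PDO $pdo, $name)
{
    // The query text is fixed at prepare time; the value travels separately,
    // so quotes or SQL keywords in $name are only ever data.
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : $hash;
}

// Usage (assumed form field `name` submitted via POST):
// $pdo  = connect($dbUser, $dbPass);
// $hash = lookupHashSafe($pdo, isset($_POST['name']) ? $_POST['name'] : '');
```

The same `prepare()`/`execute()` shape applies to every other query in the project; with prepared statements in place there is nothing for `magic_quotes_gpc` or manual escaping to do, which is why binding is the fix rather than a filter on the input.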

Discussion

  • Roland H

    Roland H - 2013-08-21

    Hi Felix, first of all thanks for your feedback.

    1. SQL injection: Yes you are right. At the time I coded the app, PHP offered magic_quotes_gpc to prevent SQL injections. I saw that this feature is deprecated since PHP 5.3 and removed since 5.4. I will update the code asap.

    2. MD5 password: index.php checks if the connection is encrypted by SSL and aborts if not. I've made tests by sniffing traffic by myself with encrypted and unencrypted logins and the MD5 hash is def. not visible if it's SSL. It's everyone's own risk not using SSL for HES.
      Anyway I will try to find a way to configure a desired hash.

  • Roland H

    Roland H - 2013-08-21
    • status: open --> accepted
    • assigned_to: Roland H
  • Felix Eckhofer

    Felix Eckhofer - 2013-08-21

    Roland, thank you for taking these problems seriously. However, the point of hashing is not to protect the password in transit (after all, they are only hashed after they are sent over the wire) but to prevent an attacker from having access to the plain text when a vulnerability is discovered (such as the SQL injections in your code).
    This seems like a good introduction to the topic: http://throwingfire.com/storing-passwords-securely/
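To show the point of this comment and of the original report in code, here is an added example (not HES code, not from either commenter) of storing passwords with a per-user random salt via `password_hash()`/`password_verify()`, plus a login path that recognises a legacy unsalted md5 row and upgrades it the next time that user logs in. It assumes PHP 5.6+ (for `hash_equals()`), a PDO connection `$pdo`, and a `users` table with `username` and `password` columns.

```php
<?php
// Added example, not HES project code. Assumes PHP >= 5.6, a PDO connection
// and a table `users` (username, password) whose `password` column currently
// holds bare md5 hex digests and will hold password_hash() strings after
// migration.

function register(PDO $pdo, $name, $password)
{
    // password_hash() draws a fresh random salt per call and embeds it, with
    // the algorithm id and cost, in the returned string ("$2y$10$..."). Two
    // users with the same password therefore get different stored values,
    // unlike md5($password), where one cracked value exposes all of them.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => $hash]);
}

function rehash(PDO $pdo, $name, $password)
{
    $stmt = $pdo->prepare('UPDATE users SET password = :hash WHERE username = :name');
    $stmt->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':name' => $name]);
}

function login(PDO $pdo, $name, $password)
{
    $stmt = $pdo->prepare('SELECT password FROM users WHERE username = :name');
    $stmt->execute([':name' => $name]);
    $stored = $stmt->fetchColumn();
    if ($stored === false) {
        return false; // unknown user
    }

    // Legacy row: a bare 32-hex-char md5. Verify with a constant-time compare
    // and replace it with a salted hash on success, so the weak column
    // disappears as users log in. (TLS on the wire does not help here: the
    // stored value is what leaks when the database is read via injection.)
    if (preg_match('/^[0-9a-f]{32}$/i', $stored)) {
        if (!hash_equals(strtolower($stored), md5($password))) {
            return false;
        }
        rehash($pdo, $name, $password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Upgrade transparently if the default algorithm or cost has moved on
    // since this hash was stored.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        rehash($pdo, $name, $password);
    }
    return true;
}
```

The queries here are prepared statements for the same reason as in the injection fix: the verification logic is only as strong as the code that reads the stored hash, and an unparameterised lookup would hand an attacker the column this scheme is trying to protect.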

  • Roland H

    Roland H - 2013-08-21

    Thanks for your input. I'll take care of it.

    Honestly, SQL injection and MD5 passwords are not the only security holes in HES. There's also XSS inside. Maybe you'll find it out :)

  • Felix Eckhofer

    Felix Eckhofer - 2013-08-21

    Really only looked at welcome.php before I decided I wanted to use something else and thought it would be a good idea to have my findings documented somewhere.

