Friday, April 21st, 2006
When Ajax Gets Abused
The programmer who wrote this code could have written scary code without Ajax, but this takes the cake:
function saveform()
{
    // escapeSql() runs in the browser, so nothing stops a user from skipping it
    var firstName = escapeSql(mainForm.elements.txtFirstName.value);
    var lastName = escapeSql(mainForm.elements.txtLastName.value);
    /* ... */
    var offerCode = escapeSql(mainForm.elements.txtOfferCode.value);

    // the entire PHP program, not just the field values, is assembled client-side
    var code =
        ' $cn = mssql_connect($DB_SERVER, $DB_USERNAME, $DB_PASSWORD) ' +
        ' or die("ERROR: Cannot Connect to $DB_SERVER"); ' +
        ' $db = mssql_select_db($DB_NAME, $cn); ' +
        ' ' +
        ' if (mssql_query("SELECT 1 FROM APPS WHERE SSN=\''+ssn+'\'", $cn)) ' +
        ' { $ins = false; } ' +
        ' else ' +
        ' { $ins = true; } ' +
        ' ' +
        ' if ($ins) { ' +
        ' $sql = "INSERT INTO APPS (FIRSTNM, LASTNM, ..., OFFERCD) VALUES ("; ' +
        ' $sql+= "\''+firstName+'\',"; ' +
        ' $sql+= "\''+lastName+'\',"; ' +
        ' $sql+= "\''+offerCode+'\')"; ' +
        ' ' +
        ' /* ... */ ' +
        ' ' +
        ' mssql_query($sql, $cn); ' +
        ' mssql_close($cn); ';

    // ships the PHP source to the server, which executes whatever it receives
    execPhp(code);
}
This reminds us to be very strict with what we take in on the server side. Note that escapeSql() is applied to the field values, but that is beside the point: the whole PHP program is assembled in the browser and handed to execPhp(), so anyone who can read the page source can send their own PHP in its place. Accepting any old PHP from the client? Probably not a good thing ;)
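For contrast, here is an added example (not from the post or from The Daily WTF snippet) of the same save-the-application flow built the other way round: the browser sends only data, and the server owns all of the code and builds a parameterized query from an allow-list of fields. The endpoint path /api/apps, the form-field-to-column mapping (including an assumed txtSSN field for the SSN column the original queries), the 100-character length cap, and the helper names are assumptions made for the illustration.

```javascript
// Added example: data-only client request plus a server-side parameterized
// INSERT. Names, endpoint and field mapping are assumptions for illustration.

// Server-side allow-list: form field -> APPS column. Anything the client sends
// that is not listed here is dropped, so a tampered client cannot add columns,
// change the table, or ship code of any kind.
const ALLOWED_FIELDS = {
  txtFirstName: "FIRSTNM",
  txtLastName:  "LASTNM",
  txtSSN:       "SSN",      // assumed field name; column is used by the original
  txtOfferCode: "OFFERCD",
};

// Client side: collect the form values as plain JSON. No SQL, no PHP and no
// escaping here; escaping in the browser is pointless because the attacker
// controls the browser. The server must do all validation itself.
function buildSaveRequest(formValues) {
  const body = {};
  for (const field of Object.keys(ALLOWED_FIELDS)) {
    body[field] = String(formValues[field] ?? "");
  }
  return {
    method: "POST",
    url: "/api/apps",                       // assumed endpoint
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify(body),
  };
}

// Server side (written as the Node equivalent of what the PHP handler should
// do): parse the body, keep only allow-listed string fields, and build a
// parameterized INSERT. The SQL text is constant; values travel separately as
// parameters, so a value such as "'; DROP TABLE APPS; --" stays a string.
function buildInsert(jsonBody) {
  let parsed;
  try {
    parsed = JSON.parse(jsonBody);
  } catch {
    throw new Error("invalid JSON body");
  }
  if (parsed === null || typeof parsed !== "object" || Array.isArray(parsed)) {
    throw new Error("body must be a JSON object");
  }
  const columns = [];
  const params = [];
  for (const [field, column] of Object.entries(ALLOWED_FIELDS)) {
    const value = parsed[field];
    if (typeof value !== "string") {
      throw new Error("missing or non-string field: " + field);
    }
    if (value.length > 100) {                // assumed limit; adjust per schema
      throw new Error("field too long: " + field);
    }
    columns.push(column);
    params.push(value);
  }
  const placeholders = columns.map(() => "?").join(", ");
  return {
    sql: "INSERT INTO APPS (" + columns.join(", ") + ") VALUES (" + placeholders + ")",
    params,
  };
}

// The duplicate check from the original, also parameterized: the SSN never
// becomes part of the SQL text.
function buildExistsQuery(ssn) {
  if (typeof ssn !== "string") throw new Error("ssn must be a string");
  return { sql: "SELECT 1 FROM APPS WHERE SSN = ?", params: [ssn] };
}
```

The difference to notice is which side decides what runs: in the original, the client hands the server a program; here the client hands the server a record, and the only statements the server will ever execute are the two constant strings above, with the user's values bound as parameters by whatever driver is in use.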
Indeed, this should remind us that AJAX is simply a different type of user input and should always be treated with the suspicion of a shifty-looking guy in a long overcoat with the collars pulled up and a wide brim hat!
Dion, your co-author Michael already told us about this last week:
http://ajaxian.com/archives/xhr-sql-injection-ajax-antipattern-illustrated
Hehe… That’s one of the most stupid things I’ve ever seen… It’s almost too stupid for a potential evil-doer to even look for it!
Why would you even wanna do something like that?
I don’t get it? Could someone explain?
“I don’t get it? Could someone explain?”
Basically the PHP code sits on the client-side (in amongst the JavaScript). Since everything on the client can be modified by a hacker (and I mean EVERYTHING), what’s to stop someone from completely rewriting that PHP code to do something else, something malicious, like DELETE data or DROP tables, databases etc. You could even rewrite the PHP to delete important files sitting on the server and thus completely screw up the web server.
plus he should’ve done mysql_escape() :)
The problem is that the developer implemented an “execPHP” function. That means that anyone can have a browser load the javascript source, and start sending execPHP commands to execute on the server, including getting server settings, emailing account info, emailing directory and file info, changing permissions, deleting files, uploading and executing a new file, you name it..
This is a gateway to run any code on the server. Might as well just have a text box on the page that says “type some code in, and we’ll execute it”.
Maybe he’s trying to make it hacker friendly? :)
This is a good post that shows how some people don’t even consider security.
[...] You have just got to love The Daily WTF; If I can only read two feeds a day, it would be this and Slashdot. Anyway, Ajaxian quoted The Daily WTF for this piece of interesting (nonetheless scary) code. I think the comments on the Ajaxian post sums it all up.. The problem is that the developer implemented an “execPHP” function. […] This is a gateway to run any code on the server. Might as well just have a text box on the page that says “type some code in, and we’ll execute it”. [...]