Friday, April 21st, 2006

When Ajax Gets Abused

Category: Editorial

The programmer who wrote this code could have written scary code without Ajax, but this takes the cake:

```javascript
function saveform()
{
  var firstName = escapeSql(mainForm.elements.txtFirstName.value);
  var lastName = escapeSql(mainForm.elements.txtLastName.value);
  /* ... */
  var offerCode = escapeSql(mainForm.elements.txtOfferCode.value);

  var code =
  '  $cn = mssql_connect($DB_SERVER, $DB_USERNAME, $DB_PASSWORD)           ' +
  '          or die("ERROR: Cannot Connect to $DB_SERVER");                ' +
  '  $db = mssql_select_db($DB_NAME, $cn);                                 ' +
  '                                                                        ' +
  '  if (mssql_query("SELECT 1 FROM APPS WHERE SSN=\''+ssn+'\'", $cn)) ' +
  '  { $ins = false; }                                                     ' +
  '  else                                                                  ' +
  '  { $ins = true; }                                                      ' +
  '                                                                        ' +
  '  if ($ins) {                                                           ' +
  '    $sql = "INSERT INTO APPS (FIRSTNM, LASTNM, ..., OFFERCD) VALUES ("; ' +
  '    $sql+= "\''+firstName+'\',";                                        ' +
  '    $sql+= "\''+lastName+'\',";                                         ' +
  '    $sql+= "\''+offerCode+'\')";                                        ' +
  '                                                                        ' +
  '  /* ... */                                                             ' +
  '                                                                        ' +
  '  mssql_query($sql, $cn);                                               ' +
  '  mssql_close($cn);                                                     ';

  execPhp(code);
}
```

This reminds us to be very strict about what we accept on the server side. Any old PHP the browser cares to send? Probably not a good thing ;)
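As an added example (not from the original post or the code it quotes), here is the shape the server side should have had: the browser sends field values, never code, and the server checks every field against a fixed schema before binding it as a query parameter. Field names, the `ALLOWED_FIELDS` table, `validateSubmission`, `buildInsert`, `handleSave`, the `db.execute(text, values)` call and the sample payloads are all this example's own assumptions; a real driver's binding call will differ, and the sample bodies are constructed here.

```javascript
// Added example: "data, not code" replacement for the server side of saveform().
// The client posts a JSON object of field values; the server validates it against
// ALLOWED_FIELDS and hands the values to the database as bound parameters.

// Every field the server will accept, each with a strict format. Anything not in
// this table (a "code" field, for instance) is rejected before it gets near SQL.
// These names and formats are assumptions made for the example.
const ALLOWED_FIELDS = {
  firstName: /^[\p{L}' \-]{1,50}$/u,
  lastName:  /^[\p{L}' \-]{1,50}$/u,
  ssn:       /^\d{3}-\d{2}-\d{4}$/,
  offerCode: /^[A-Z0-9]{4,12}$/,
};

// Validate a parsed request body. Returns { ok: true, fields } on success or
// { ok: false, errors } listing every unexpected, missing or malformed field.
function validateSubmission(body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be a JSON object'] };
  }
  const errors = [];
  for (const key of Object.keys(body)) {
    if (!Object.hasOwn(ALLOWED_FIELDS, key)) errors.push(`unexpected field: ${key}`);
  }
  const fields = {};
  for (const [key, pattern] of Object.entries(ALLOWED_FIELDS)) {
    const value = body[key];
    if (typeof value !== 'string' || !pattern.test(value)) {
      errors.push(`invalid or missing field: ${key}`);
    } else {
      fields[key] = value;
    }
  }
  return errors.length ? { ok: false, errors } : { ok: true, fields };
}

// Build the INSERT as a parameterized statement: fixed SQL text plus a values
// array in column order. The driver ships the values separately from the text,
// so an apostrophe or semicolon inside a name is just data, not syntax.
function buildInsert(fields) {
  const columns = ['FIRSTNM', 'LASTNM', 'SSN', 'OFFERCD'];
  const values = [fields.firstName, fields.lastName, fields.ssn, fields.offerCode];
  const placeholders = columns.map(() => '?').join(', ');
  return { text: `INSERT INTO APPS (${columns.join(', ')}) VALUES (${placeholders})`, values };
}

// Request handler: raw JSON body in, one bound statement out. `db.execute` is a
// stand-in for the real driver's parameter-binding call (kept synchronous here
// so the example runs without an event loop; real drivers are asynchronous).
function handleSave(rawBody, db) {
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return { status: 400, errors: ['malformed JSON'] };
  }
  const result = validateSubmission(body);
  if (!result.ok) return { status: 400, errors: result.errors };
  const stmt = buildInsert(result.fields);
  db.execute(stmt.text, stmt.values);
  return { status: 201 };
}

// In-memory stand-in for the database driver so the example runs offline; it
// records what the handler would have sent to the server.
function fakeDb() {
  const calls = [];
  return { calls, execute(text, values) { calls.push({ text, values }); } };
}

// Constructed sample payloads: a well-formed submission (note the apostrophe,
// which survives as a bound value) and one that tries to smuggle in an extra
// "code" field and SQL syntax, as a client could with the original endpoint.
const GOOD_BODY = JSON.stringify({
  firstName: 'Anne-Marie', lastName: "O'Neil", ssn: '123-45-6789', offerCode: 'SPRING06',
});
const BAD_BODY = JSON.stringify({
  firstName: "x'; DROP TABLE APPS; --", code: 'mssql_query("...")',
});
```

Contrast this with the quoted code: `execPhp` accepted whatever PHP the browser sent, so the server's only defence was the client's `escapeSql`, which an attacker controls. Here the server owns both the validation and the SQL text, and the only thing the browser can influence is the contents of the bound values.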

Posted by Dion Almaer at 10:09 am
9 Comments


Indeed, this should remind us that AJAX is simply a different type of user input and should always be treated with the suspicion of a shifty-looking guy in a long overcoat with the collars pulled up and a wide brim hat!

Comment by Anonymous — April 21, 2006

Dion, your co-author Michael already told us about this last week:
http://ajaxian.com/archives/xhr-sql-injection-ajax-antipattern-illustrated

Comment by Matthias — April 21, 2006

Hehe… That’s one of the most stupid things I’ve ever seen… It’s almost too stupid for a potential evil-doer to even look for it!

Why would you even wanna do something like that?

Comment by Johan André — April 22, 2006

I don’t get it? Could someone explain?

Comment by Armin — April 23, 2006

“I don’t get it? Could someone explain?”

Basically the PHP code sits on the client-side (in amongst the JavaScript). Since everything on the client can be modified by a hacker (and I mean EVERYTHING), what’s to stop someone from completely rewriting that PHP code to do something else, something malicious, like DELETE data or DROP tables, databases etc. You could even rewrite the PHP to delete important files sitting on the server and thus completely screw up the web server.

Comment by Sunday Ironfoot — April 23, 2006

plus he should’ve done mysql_escape() :)

Comment by anon — April 24, 2006

The problem is that the developer implemented an “execPHP” function. That means that anyone can have a browser load the javascript source, and start sending execPHP commands to execute on the server, including getting server settings, emailing account info, emailing directory and file info, changing permissions, deleting files, uploading and executing a new file, you name it.

This is a gateway to run any code on the server. Might as well just have a text box on the page that says “type some code in, and we’ll execute it”.

Comment by Steve — April 24, 2006

Maybe he’s trying to make it hacker friendly? :)

This is a good post that shows how some people don’t even consider security.

Comment by Tom — April 24, 2006

[…] You have just got to love The Daily WTF; if I could only read two feeds a day, it would be this and Slashdot. Anyway, Ajaxian quoted The Daily WTF for this piece of interesting (nonetheless scary) code. I think the comments on the Ajaxian post sum it all up.. The problem is that the developer implemented an “execPHP” function. […] This is a gateway to run any code on the server. Might as well just have a text box on the page that says “type some code in, and we’ll execute it”. […]

Pingback by myHYP » When Ajax Gets Abused — May 28, 2006
