Gaby de Wilde
Joined: Nov 14, 2021 Posts: 13 From: The land of cheese
| Posted: 2024-08-30 05:52  
Fixing this php 1.4.4 thing I run into quite a few horrific ideas from long ago.
Imagine SQL queries build from things users submitted. Such a powerful concept to let users drop tables.
I had a forum one time where I allowed moderation by unregistered users, random people went wild deleting comments and topics. It fixed the spam problem, the next spammer would delete everything the previous one posted. Periodically I would restore the posts from backups.
But... any db query you like!? What a wild concept.
PHP had this overly creative idea to let you echo undefined variables as blank strings
But not just that, you could also POST or append key value pairs to the url and have them converted to $variables! This old forum made elaborate use of both. Just insert CHECKED into the checkbox html and it becomes checked. Oh and anyone can insert any other html string too as a bonus.
You can make links that include pretty much any html or js you wish into someones page.
It was perfectly normal to use MD5 for passwords. If you have the db you have all the passwords too!
And if everyone can run sql queries everyone has the passwords.
To make matters worse (they can be?) the language files have undefined variables in strings that get populated using EVAL()
This is so that visitors can also execute any PHP they want on the server if they so desire.
Oh I forgot, the mailer uses it too. I think the proverbial guests can send out any number of helpful product information emails.
There are some signs the admin people were fighting back by changing the variable names.
Oh, how people must have suffered....
 
|