From: Roshen Chandran (roshen.chandran@paladion.net)
Date: Fri Sep 30 2005 - 01:16:55 EDT
Anne Beckman wrote:
> But how does that additional OR clause with
> 'hey'='hello solve the problem too?
The 3rd OR clause in the attack string makes the
password comparison clause irrelevant, much like the
way a comment made the AND clause irrelevant in SQL
Injection.
AND has higher precedence than OR, so the AND clause
is first evaluated with 'hey'='hello' and returns
false. After that all the OR clauses are evaluated.
Notice that 1=1 will always evaluate to true... so the
overall condition will evaluate to true even when the
password comparison fails.
The logic of the string is explained in better detail
in this Palisade article:
http://palisade.paladion.net/issues/2005Jul/xpath-injection/
Roshen.
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:01 EDT