Security and Update

Mimi
2011-05-23
2013-05-28
  • Mimi
    2011-05-23

    To do (urgent) list

  • Mimi
    2011-05-23

    Hi,

    Apologies for the first post, I made a mistake.
    I have to work with refbase for a French university project.
    Doubtless, refbase offers a lot of possibilities and options. It's a complete and interesting solution.

    However (oops ^^), refbase presents some vulnerabilities: the SQL query is in the URL, I can introduce JavaScript code and make an apocalypse, and various functions used are deprecated.

    It's too bad, but I believe in the refbase project for all the features already present. I would like to know the plan for the development of this project. I can't implement refbase in my project with so many vulnerabilities.

    Perhaps I can't help the development :) ?

    Thanks a lot.

  • the SQL query is in the URL

    Yes, but it is also sanitized and checked in the code.  If you have an example of a particular vulnerability, feel free to email the dev list.

    various functions used are deprecated.

    Yes, but most aren't deprecated due to security concerns: they were deprecated due to the superior implementation of the perl regex library.  There are ongoing efforts to replace all deprecated functions.

    Perhaps I can't help the development :) ?

    We are happy to answer any question and will consider all code contributions.

  • Mimi
    2011-05-23

    - About the SQL query in the URL:
    I saw on the topic "mod_security / SecFilterEngine issue" that I have to deactivate mod_security. Yet it is a very complete, recognized and useful module. It is even recommended by the NSA (National Security Agency). Do I have to conclude that mod_security and refbase are not compatible?
    I also saw on this same topic that putting the SQL query in the URL is "flexible and powerful". And what about PDO? Isn't that way flexible, powerful and secure? Can refbase integrate this?

    - Passing everything in the URL permits insertion of JavaScript code. It's a big vulnerability, and in the latest version of refbase there are still faults.

    - Deprecated functions: nice that this will change.

    I would like to understand better how refbase works, so I can use it better.

  • I have to conclude that mod_security and refbase are not compatible

    This is a false conclusion. You can enable or disable filters in mod_security. A very common filter is:

    SecFilter "select.+from"

    and this single filter is not compatible with refbase. You can disable this filter for only the refbase directory and should be fine.

    And what about PDO? Isn't that way flexible, powerful and secure? Can refbase integrate this?

    Sure; PDO is great. But keep in mind that refbase predates PDO and refbase still runs on pre-php5 systems, where PDO would need to be installed separately. I'm not opposed to PDO & if you want to modify refbase to use it, go for it! But it is a big job.

    Passing everything in the URL permits insertion of JavaScript code. It's a big vulnerability, and in the latest version of refbase there are still faults.

    Again: feel free to contact the dev list with specific concerns. The SVN version has some sanitation against XSS & we've discussed additional measures.

    -Rick
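    As an added illustration of the per-directory exception Rick describes (this is not configuration from the thread or from the refbase project), the following mod_security 1.x fragment keeps the global `select.+from` filter in place but stops it from being inherited by the refbase location. The `/refbase` path is an assumption; substitute the directory refbase is actually installed under.

```apache
# Added example, not from the thread or the refbase project.
# Global mod_security 1.x context: the filter quoted in the thread. It blocks
# any request body or URL containing "select ... from", which breaks refbase
# because refbase carries its search queries in the URL.
SecFilterEngine On
SecFilter "select.+from"

# Per-location exception. "/refbase" is an assumed path; use the real one.
# SecFilterInheritance Off stops the filters defined in the parent context
# from applying here, while the engine itself stays on so that narrower
# filters can still be declared inside this block if wanted.
<Location /refbase>
    SecFilterInheritance Off
</Location>
```

    Setting `SecFilterEngine Off` inside the block would also unbreak refbase, but it switches mod_security off for that location entirely; dropping inheritance removes only the inherited filters and keeps the engine active for anything declared locally.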

  • Mimi
    2011-05-25

    Hi,

    Thanks a lot for your answer.
    I would like to contact the dev list, but I can't find where. Can you indicate it to me, please?

    Thanks again

  • refbase-developer@lists.sourceforge.net