Thread: [Secureideas-base-devel] [ secureideas-Bugs-2874199 ] Changing packet display type shows error mess
From: Randal T. R. <ra...@pr...> - 2009-11-21 04:00:55

In reference to the following bug report:

SourceForge.net wrote:
> Bugs item #2874199, was opened at 2009-10-07 16:49
> Message generated for change (Comment added) made by jleising
> You can respond by visiting:
> https://sourceforge.net/tracker/?func=detail&atid=635582&aid=2874199&group_id=103348
>
> Please note that this message will contain a full copy of the comment
> thread, including the initial issue submission, for this request, not
> just the latest update.
>
> Category: Interface
> Group: BASE
> Status: Open
> Resolution: None
> Priority: 7
> Private: No
> Submitted By: Nobody/Anonymous (nobody)
> Assigned to: Randal Rioux (rrioux)
> Summary: Changing packet display type shows error message
>
> Initial Comment:
> When changing the packet display type (Normal Display or Plain
> Display), an error is shown with version 1.4.4:
>
> invalid (sid,cid) pair (,)
>
> Clicking [Back] shows the correct display.

Juergen said:
> this problem has been introduced by
>
> http://secureideas.cvs.sourceforge.net/viewvc/secureideas/base-php4/base_qry_alert.php?r1=1.61&r2=1.62
>
> You can fix it by removing urlencode() when its argument is $query.
>
> However, this reverts the fix for some of those XSS flaws.

Now, I'm no expert on XSS (finally bought a book on it!), but I think we're better off with a working function than a broken one that is highly unlikely to be taken advantage of on properly secured networks.

Before the next version, I'd like this code to work. Does anyone else have a suggestion? I've tried other string-cleaning functions but none so far work (something is off here).

Thanks!
Randy

From: Kevin J. <ke...@in...> - 2009-11-21 15:41:12

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Nov 20, 2009, at 11:00 PM, Randal T. Rioux wrote:

> In reference to the following bug report:
>
> SourceForge.net wrote:
>> Bugs item #2874199, was opened at 2009-10-07 16:49
>> Message generated for change (Comment added) made by jleising
>> You can respond by
>>
>> Initial Comment:
>> When changing the packet display type (Normal Display or Plain
>> Display), an error is shown with version 1.4.4:
>>
>> invalid (sid,cid) pair (,)
>>
>> Clicking [Back] shows the correct display.
>
> Juergen said:
>
>> this problem has been introduced by
>>
>> http://secureideas.cvs.sourceforge.net/viewvc/secureideas/base-php4/base_qry_alert.php?r1=1.61&r2=1.62
>>
>> You can fix it by removing urlencode() when its argument is $query.
>>
>> However, this reverts the fix for some of those XSS flaws.
>
> Now, I'm no expert on XSS (finally bought a book on it!), but I think
> we're better off with a working function than a broken one that is
> highly unlikely to be taken advantage of on properly secured networks.

I am a little concerned with this idea as no network I know of actually prevents XSS from running on all of their clients. (Sadly)

> Before the next version, I'd like this code to work. Does anyone else
> have a suggestion? I've tried other string-cleaning functions but none
> so far work (something is off here).

Could we just strip anything that wasn't a number or the : ??

Kevin

Kevin Johnson
Senior Security Analyst
InGuardians, Inc.
office: 202.448.8958
cell: 904.403.8024

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAksICggACgkQGDcWptZ2zmRP7ACdFRMJRJ5oWk0N5lcg/eI0P+/5
XAoAn0XU43M2t01gLK6BGlt289qNh4L5
=OvqY
-----END PGP SIGNATURE-----

From: Juergen L. <jue...@gm...> - 2009-11-21 15:54:01

On Fri, Nov 20, 2009 at 11:00:39PM -0500, Randal T. Rioux wrote:
(...)
> Before the next version, I'd like this code to work. Does anyone else
> have a suggestion? I've tried other string-cleaning functions but none
> so far work (something is off here).

You are right, it should really work. I have put it back to the old state.

We simply cannot urlencode a complete query string. A query string has a fixed syntax. If we do not follow this syntax, it becomes a string, but not a query string. And if we urlencode it, then eventually we will have to urldecode it. While this would be possible, it would be a major change of the whole source code of BASE.

Bye, bye
Juergen
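
The query-string syntax point from the last message, combined with the digits-and-colon filter proposed earlier in the thread, as an added example that is not code from BASE or from anyone in this thread. The page name `alert.php`, the parameter names `sid`, `cid` and `display`, and all values are constructed for illustration.

```php
<?php
// Added illustration: names and values are constructed, not taken from BASE.

// Read sid/cid back out of a query string the way a receiving page would.
function read_pair(string $qs): string {
    parse_str($qs, $got);
    return '(' . ($got['sid'] ?? '') . ',' . ($got['cid'] ?? '') . ')';
}

// Allow-list filter: keep only digits and ':' and drop everything else.
function digits_and_colon(string $v): string {
    return (string) preg_replace('/[^0-9:]/', '', $v);
}

// Build a link: filter the id fields, percent-encode each key and value
// separately, then escape the finished URL for the HTML attribute.
function build_link(string $page, array $params): string {
    foreach (['sid', 'cid'] as $k) {
        $params[$k] = digits_and_colon((string) ($params[$k] ?? ''));
    }
    $qs = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    $href = htmlspecialchars($page . '?' . $qs, ENT_QUOTES, 'UTF-8');
    return '<a href="' . $href . '">view</a>';
}

$query = 'sid=1&cid=4711&display=plain';

// 1. urlencode() over the whole string also encodes '&' and '=', the
//    characters that give a query string its structure. The receiver sees
//    a single opaque token and finds neither sid nor cid in it.
$whole = urlencode($query);
echo $whole, "\n";
echo 'whole string encoded: ', read_pair($whole), "\n";

// 2. Left intact, the separators still do their job.
echo 'syntax preserved:     ', read_pair($query), "\n";

// 3. Per-value handling: markup characters in any value are encoded, and
//    the id fields are reduced to the allowed characters first.
echo build_link('alert.php', [
    'sid'     => '1',
    'cid'     => '4711<x>',
    'display' => 'plain"><b>',
]), "\n";
```

Run with `php` on the command line; the first `read_pair()` call shows the empty pair, the second the intact one.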