From: Jim Hu <ji...@ta...> - 2006-03-23 16:28:47
Scott,

Thanks, I wish they would let us know before publishing on their website. :^( Glad you are subscribed to their alerts.

Vuln #1 is from cookies, and I posted a temporary filling on the bbs - comment out the code that reads the cookie in init.inc.php.

Vuln #2 is related to the publish scripts, which we technically say we don't support. We may need someone to take this on. Anybody?

Getting back to #1, we really should not be using any superglobals without verifying their content. I've been thinking this for a while. I suggest that this should be a high priority item. The approach I am thinking of is a script that runs early, reads all of these, checks their content, and throws a break-in attempt error if anything looks inappropriate. There are two approaches to this:

1) Rewrite the content of the superglobals we use. This is probably not a good way, since as we add code, we may add a new $_GET or $_REQUEST that isn't checked.

2) Move all the validated content into a new array $clean[$key] (or some other array name) and then unset the other superglobals after the validation script runs. This is my preferred method, but it means that we may frustrate people who are trying to add new features or customize their code.

What do people think?

Jim

=====================================
On Mar 23, 2006, at 8:22 AM, Scott Garman wrote:
> I received this advisory from Secunia a couple of days ago and
> wonder if it has been fixed yet? I'm not seeing any discussion of
> it here or on the message board:
>
> http://secunia.com/advisories/19285/
>
> If this is just the same issue that was fixed with this patch:
>
> http://phpicalendar.net/forums/viewtopic.php?t=396&sid=fe5fe3f127aadecad7c0016108357259
>
> please let me know. I have disabled a public PHPiCal installation
> temporarily until I know for sure.
>
> Thanks,
>
> Scott
>
> --
> Scott Garman
> sgarman at iname dot com
>
> _______________________________________________
> Phpicalendar-devel mailing list
> Php...@li...
> https://lists.sourceforge.net/lists/listinfo/phpicalendar-devel
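As an added example (not code from this thread or from PHPiCalendar itself), here is one way Jim's approach 2 could look in PHP: an early-running validator that copies only whitelisted, pattern-checked values from $_GET/$_POST/$_COOKIE into $clean, raises a break-in error on anything unexpected, and then empties the superglobals. The parameter names ('cal', 'getdate', 'view', 'lang') and their patterns are illustrative assumptions, not the project's real parameter list. It also covers the weakness Jim sees in approach 1: a request key that nobody wrote a rule for is refused instead of passing through unchecked.

```php
<?php
// Added example, not PHPiCalendar code. Parameter names and rules below are
// illustrative assumptions; a real deployment would list its own keys.

class BreakinAttempt extends Exception {}

// Whitelist of every request key the application accepts. A key absent from
// this table is refused outright, so a new $_GET or $_REQUEST use that was
// added without a rule fails loudly rather than slipping through unchecked.
$ALLOWED = array(
    // hypothetical calendar name: letters, digits, dash, underscore, 1-64 chars
    'cal'     => '/\A[A-Za-z0-9_-]{1,64}\z/',
    // hypothetical date in YYYYMMDD form
    'getdate' => '/\A[0-9]{8}\z/',
    // hypothetical view selector: a closed set of permitted values
    'view'    => array('day', 'week', 'month', 'year'),
    // hypothetical language name from a cookie: letters only, no path chars
    'lang'    => '/\A[A-Za-z]{1,32}\z/',
);

function validate_value($key, $value, $rule) {
    if (!is_string($value)) {            // nested arrays (a[]=x) are not accepted
        throw new BreakinAttempt("non-scalar value for '$key'");
    }
    if (is_array($rule)) {               // closed set of permitted values
        if (!in_array($value, $rule, true)) {
            throw new BreakinAttempt("unexpected value for '$key'");
        }
        return $value;
    }
    if (preg_match($rule, $value) !== 1) {  // \A...\z anchors: whole string must match
        throw new BreakinAttempt("malformed value for '$key'");
    }
    return $value;
}

/**
 * Build $clean from the given input sources. $sources looks like
 * array('GET' => $_GET, 'COOKIE' => $_COOKIE); a key seen in a later source
 * overrides an earlier one, so passing GET, POST, COOKIE in that order gives
 * the same precedence as the default $_REQUEST ("GPC") ordering.
 */
function build_clean(array $sources, array $allowed) {
    $clean = array();
    foreach ($sources as $source => $values) {
        foreach ($values as $key => $value) {
            if (!isset($allowed[$key])) {
                throw new BreakinAttempt("unexpected $source parameter '$key'");
            }
            $clean[$key] = validate_value($key, $value, $allowed[$key]);
        }
    }
    return $clean;
}

/**
 * Meant to run first, e.g. at the very top of init.inc.php: validates the
 * real request into $clean, then empties the superglobals so later code
 * cannot read an unchecked value by accident. The arrays are emptied rather
 * than unset() because unset() on a superglobal inside a function does not
 * affect the global copy.
 */
function init_clean(array $allowed) {
    $clean = build_clean(
        array('GET' => $_GET, 'POST' => $_POST, 'COOKIE' => $_COOKIE), $allowed);
    $_GET = $_POST = $_COOKIE = $_REQUEST = array();
    return $clean;
}

// Constructed sample requests standing in for a real one (there is no web
// server under the CLI). The second carries a cookie value that is not a
// plain language name and so fails the 'lang' pattern.
$good = array(
    'GET'    => array('cal' => 'default', 'getdate' => '20060323', 'view' => 'month'),
    'COOKIE' => array('lang' => 'English'),
);
$bad = array(
    'GET'    => array('cal' => 'default'),
    'COOKIE' => array('lang' => '../../x'),
);

$clean = build_clean($good, $ALLOWED);
echo "accepted: " . implode(', ', array_keys($clean)) . "\n";

try {
    build_clean($bad, $ALLOWED);
} catch (BreakinAttempt $e) {
    echo "refused: " . $e->getMessage() . "\n";
}
```

The cost Jim anticipates is visible in the table: anyone adding a feature that reads a new parameter must also add a rule to $ALLOWED, or their request is refused as a break-in attempt. That is the point of the design, but it is worth documenting for people who customize their installs.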