#7 403 forbidden because of security vulnerability

Status: closed-fixed
Group: Bug (18)
Priority: 9
Updated: 2011-01-22
Created: 2009-08-14
Creator: Flominator
Private: No

Hi there,

Today my provider locked WikiBlame, since yesterday there were some security problems, namely code injections. I'm not sure how fast I will be able to fix this, since I first have to investigate what exactly happened.

If any of you has some suggestions on what could be done to prevent code injection into wikiblame.php ( http://wikiblame.svn.sourceforge.net/viewvc/wikiblame/wikiblame.php?view=markup ), feel free to post some code or even patches.

I hope that we'll be able to solve the problem soon.

Thanks for your patience,

Flo

Discussion

  • Nobody/Anonymous

    Flo, I haven't written anything in PHP, so I can't give you a patch, but... if you know what got through, do a Google search on the characters that were the SQL injection, or if this is the case - what it stored on the site/what it did, along with PHP, and I bet you will find the problem. I did something similar to this when I found code directing people to another site had been stored on a webpage of my site, and had too many applications to check. Sure enough, I found other discussions about this, and what applications were vulnerable and why.
    Hope that helps

  • Nobody/Anonymous

    Never process unchecked user input. Escape or ban SQL commands. Accepting semicolons causes most injection doom.

  • Flominator

    Flominator - 2009-08-18

    How can unescaped SQL commands be a problem if the script doesn't use any SQL?

  • Flominator

    Flominator - 2009-08-18

    Looks like the problem was an include command using an unchecked input variable. It was called this way:
    /wikiblame.php?user_lang=../../../../../../../../../../proc/self/environ%00

    I'm working on fixing it. I don't think it is going to take long.

    Regards,

    Flo
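
The defect described in the comment above (an include whose path is built from an unchecked request parameter), shown beside a hardened version. This is an added example, not WikiBlame's own code; the lang/<code>.php layout and the list of language codes are assumptions.

```php
<?php
// Added example, not WikiBlame's own code; the lang/<code>.php layout and
// the list of language codes are assumptions. The reported defect, in the
// vulnerable form it describes (illustration only):
//
//   include 'lang/' . $_GET['user_lang'] . '.php';
//
// "../" walks out of lang/, and on PHP releases of that era a %00 in the
// value truncated the path so the appended ".php" never applied. Hardened
// form below: the request value only selects an allow-list entry and never
// becomes part of a filesystem path itself.

const LANG_DIR      = __DIR__ . '/lang';
const ALLOWED_LANGS = ['de', 'en', 'fr'];   // assumed shipped translations
const DEFAULT_LANG  = 'en';

/** Map the raw request value to an allowed code; anything that is not an
 *  exact, case-sensitive member (arrays, "../", NUL bytes, "EN") gets the default. */
function select_language($requested): string
{
    if (is_string($requested) && in_array($requested, ALLOWED_LANGS, true)) {
        return $requested;
    }
    return DEFAULT_LANG;
}

/** Build the include path from the validated code only; realpath() is a
 *  second line of defence: the resolved file must sit inside LANG_DIR. */
function language_file($requested): ?string
{
    $path = realpath(LANG_DIR . '/' . select_language($requested) . '.php');
    $base = realpath(LANG_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$file = language_file($_GET['user_lang'] ?? null);
if ($file === null) {
    http_response_code(500);   // translation file missing: a deployment error
    exit('language file unavailable');
}
include $file;
```

Because the allow-list check is an exact string comparison, the traversal and null-byte variants in the reported request never reach the filesystem at all; the realpath() check only guards against mistakes in the allow-list itself.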

  • Flominator

    Flominator - 2009-08-18

    Problem was solved. Now waiting for my provider to reactivate WikiBlame.

  • Flominator

    Flominator - 2009-08-18
    • status: open --> open-fixed
  • Flominator

    Flominator - 2011-01-22
    • status: open-fixed --> closed-fixed
