security bug in PHP-server-1.1
Niels Berkers
niels at quotar.com
Tue Apr 10 16:24:10 PDT 2007
Niels Berkers wrote:
> Niels Berkers wrote:
>> Hi All,
>>
>> I found a security bug in PHP-server-1.1
>>
>> with this line set in the example consumer I call my openID server:
>> Which will result in two javascript alert popups. I'm not much of a
>> hacker but I know this could lead to much bigger problems like
>> injections in PHP. The least you should do is strip the HTML tags from
>> all $sreg values in function setRequestInfo or better in function
>> Server_requestSregData ( earlier in the data processing )
>> ---------------------
>> $auth_request->addExtensionArg('sreg', 'policy_url',
>> 'http://www.openid.net">openid</a><script>alert("test")</script><a
>> href="http://www.openid.net');
>> ---------------------
>>
>>
>>
>> function setRequestInfo($info=null, $sreg=null)
>> {
>> if (!isset($info)) {
>> unset($_SESSION['request']);
>> } else {
>> $_SESSION['request'] = serialize($info);
>> $_SESSION['sreg_request'] = serialize($sreg);
>> }
>> }
>>
>> function getRequestInfo()
>> {
>> if (isset($_SESSION['request'])) {
>> return array(unserialize($_SESSION['request']),
>> unserialize($_SESSION['sreg_request']));
>> } else {
>> return false;
>> }
>> }
>>
>
>
> on common.php line 271+ patched function
> The input fields on the persona page aren't cleaned either.
>
>
> function Server_requestSregData($request)
> {
> $optional = array();
> $required = array();
> $policy_url = null;
>
> $request = Auth_OpenID::fixArgs($request);
>
> if (array_key_exists('openid.sreg.required', $request)) {
> $required = explode(",",
> htmlentities(strip_tags($request['openid.sreg.required']),ENT_QUOTES));
> }
>
> if (array_key_exists('openid.sreg.optional', $request)) {
> $optional = explode(",",
> htmlentities(strip_tags($request['openid.sreg.optional']),ENT_QUOTES));
> }
>
> if (array_key_exists('openid.sreg.policy_url', $request)) {
> $policy_url =
> htmlentities(strip_tags($request['openid.sreg.policy_url']), ENT_QUOTES);
> }
>
> return array($optional, $required, $policy_url);
> }
>
> br,
>
> Niels Berkers
> http://openid.quotar.com/ ( patched ;) )
>
some other patches for user input
render.php line 168+
--org-------------------
foreach ($sreg_fields as $field) {
$profile[$field] = $profile_form[$field];
}
------------------------
--new-------------------
foreach ($sreg_fields as $field) {
$profile[$field] =
htmlentities(strip_tags($profile_form[$field]),ENT_QUOTES);
}
------------------------
common.php line 179+ ( patch + username a-z,0-9,_ )
-org--------------------
function Server_accountCheck($username, $pass1, $pass2)
{
$errors = array();
if ($pass1 != $pass2) {
$errors[] = "Passwords must match.";
} else if (strlen($pass1) < MIN_PASSWORD_LENGTH) {
$errors[] = 'Password must be at least '.
MIN_PASSWORD_LENGTH.' characters long.';
}
if (strlen($username) < MIN_USERNAME_LENGTH) {
$errors[] = 'Username must be at least '.
MIN_USERNAME_LENGTH.' characters long.';
}
return $errors;
}
-------------------------
-new--------------------
function Server_accountCheck($username, $pass1, $pass2)
{
$errors = array();
$username = htmlentities(strip_tags($username),ENT_QUOTES);
$pass1 = htmlentities(strip_tags($pass1),ENT_QUOTES);
// $pass2 must be normalised the same way, or the match check below fails
// for any password containing <, &, " or '
$pass2 = htmlentities(strip_tags($pass2),ENT_QUOTES);
if ($pass1 != $pass2) {
$errors[] = "Passwords must match.";
} else if (strlen($pass1) < MIN_PASSWORD_LENGTH) {
$errors[] = 'Password must be at least '.
MIN_PASSWORD_LENGTH.' characters long.';
}
if (strlen($username) < MIN_USERNAME_LENGTH) {
$errors[] = 'Username must be at least '.
MIN_USERNAME_LENGTH.' characters long.';
}
if (preg_match("/(\W+)/",$username)){
$errors[] = 'Username can only consist of a-z,0-9,_';
}
return $errors;
}
-------------------------
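The following is an added example and not code from PHP-server-1.1 or from the patches above. It shows the alternative a reviewer would usually suggest to strip_tags() on the stored value: validate openid.sreg.policy_url as an absolute http(s) URL when the request is read, and HTML-escape every sreg value at the point where it is written into a page (render.php's persona form, the policy link). The function names validate_sreg_policy_url, html_escape, render_sreg_field and render_policy_link are hypothetical, and the inputs at the bottom are constructed, the first one being the policy_url payload quoted in the report above. PHP 7.1 or later is assumed for the nullable type hints.

```php
<?php
// Added example, not code from PHP-server-1.1. Validate the sreg policy URL
// on input and escape sreg values on output instead of stripping tags from
// the stored value. Function names are hypothetical. Assumes PHP >= 7.1.

/** Return the URL unchanged if it is an absolute http/https URL, else null. */
function validate_sreg_policy_url(?string $url): ?string
{
    if ($url === null || $url === '') {
        return null;
    }
    // FILTER_VALIDATE_URL rejects characters that cannot appear in a URL
    // (spaces, quotes inside the host, ...) and requires a host for http(s).
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    // Restrict the scheme so that javascript:, data: and similar never reach
    // an href attribute even if they parse as a URL.
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return null;
    }
    return $url;
}

/** Escape a value for HTML text or a double-quoted attribute. */
function html_escape(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one sreg field of the persona form with the stored value escaped. */
function render_sreg_field(string $name, string $value): string
{
    return '<input type="text" name="' . html_escape($name)
         . '" value="' . html_escape($value) . '">';
}

/** Render the consumer's policy link, or a placeholder if the URL is invalid. */
function render_policy_link(?string $policy_url): string
{
    $url = validate_sreg_policy_url($policy_url);
    if ($url === null) {
        return '<em>no valid policy URL supplied</em>';
    }
    return '<a href="' . html_escape($url) . '">' . html_escape($url) . '</a>';
}

// Constructed inputs: the policy_url payload quoted in the report above,
// a benign URL, and a field value containing markup.
$payload = 'http://www.openid.net">openid</a><script>alert("test")</script>'
         . '<a href="http://www.openid.net';
$benign  = 'https://www.openid.net/policy';

$checks = [
    validate_sreg_policy_url($payload) === null,
    validate_sreg_policy_url($benign) === $benign,
    validate_sreg_policy_url('javascript:alert(1)') === null,
    strpos(render_policy_link($payload), '<script>') === false,
    strpos(render_sreg_field('nickname', '<b>x</b>'), '<b>') === false,
];

echo render_policy_link($payload), "\n";
echo render_policy_link($benign), "\n";
echo render_sreg_field('nickname', '<b>x</b>'), "\n";
echo in_array(false, $checks, true) ? "FAIL\n" : "all checks passed\n";
```

Run it with php on the command line. The payload is rejected outright by the URL check rather than having its tags removed, so nothing derived from it is ever placed in an href, and any markup a user types into a persona field survives in the database but is rendered as literal text, which is the property the patches above are trying to reach with strip_tags() on input.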