security bug in PHP-server-1.1
Niels Berkers
niels at quotar.com
Wed Apr 11 10:33:57 PDT 2007
For those who like to clean incoming content before your server is
hacked. The following code, at line 216 in common.php:
function Server_cleanRequest($aReq)
{
    // Walks a request array ($_GET or $_POST) and replaces every value with a
    // tag-stripped, entity-encoded copy. Nested arrays (a[b][c]=...) are cleaned
    // recursively so that strip_tags() is only ever called on a scalar.
    foreach ($aReq as $sKey => $mValue) {
        if (is_array($mValue)) {
            $aReq[$sKey] = Server_cleanRequest($mValue);
        } else {
            $aReq[$sKey] = htmlentities(strip_tags($mValue), ENT_QUOTES);
        }
    }
    return $aReq;
}

function Server_getRequest()
{
    // Returns array(method, cleaned parameters); the parameters are null for
    // any method other than GET or POST.
    $method = $_SERVER['REQUEST_METHOD'];
    switch ($method) {
        case 'GET':
            return array($method, Server_cleanRequest($_GET));
        case 'POST':
            return array($method, Server_cleanRequest($_POST));
    }
    return array($method, null);
}
Niels Berkers wrote:
> Norman Rasmussen wrote:
>> On 4/11/07, Jonathan Daugherty <cygnus at janrain.com> wrote:
>>> # why? templates are for output, not for processing... AND as soon as
>>> # you get the data in your system you should clean it.
>>>
>>> Yes, that's true. But you clean it so output is safe, and so that
>
> Nope, I clean it so my server / databases with personal information from
> users are safe.
>
>>> passing it through services (i.e., a database) is safe. There's no
>>> point in cleaning the data until you use it in a dangerous context;
>
> Yes there is. This is what we call in Dutch a "drogreden", which
> means something like a false reason. This is like saying: well, I'm online,
> but I don't use a firewall, virus scanner and ad blockers, nor install
> security updates/patches, because hey, if I don't handle the content
> there is no problem. Really, there is not one developer I work with that
> would agree to that. And if they would give me that reason, I would have
> a very serious chat with them. Incoming data must be checked in the web
> form and at first arrival at the server. Neither is in place in
> PHP-Server-1.1
>
> My advice to you: make it very clear on the download location that this
> software is unsafe and a potential hazard to your server and database.
>
>> Agreed! You never know when someone might find a way to inject unsafe
>> data into your database. It's much safer to escape it as you output
>> it. (Also you might output it in different places, requiring
>> different escaping)
>>
>
> Sorry ... can't believe I'm reading this. Any software security
> specialist would disagree.
>
> br,
>
> Niels
>
> _______________________________________________
> Dev mailing list
> Dev at lists.openidenabled.com
> http://lists.openidenabled.com/mailman/listinfo/dev
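The two positions argued in this thread (transform everything on arrival with htmlentities(strip_tags()) versus validate on arrival and escape at each output context) can be put side by side on the same input. The script below is an added example written for this archive page; it is not code from PHP-Server-1.1 or from any of the posters. It assumes PHP 7.4 or later with the pdo_sqlite extension, and the table name, field names and sample values are constructed for the example.

```php
<?php
// Added example; not from PHP-Server-1.1 or from any poster on this thread.
// Contrasts, on constructed sample input:
//   1. blanket transformation on arrival with htmlentities(strip_tags()), as Server_cleanRequest() does
//   2. validation on arrival (reject, never rewrite), verbatim storage, escaping chosen per output context
// Assumes PHP >= 7.4 with pdo_sqlite; the "users" table and its fields are made up for this example.

// Constructed input: a legitimate value with an apostrophe, an ampersand and a URL carrying a
// query string, plus a value a registration form has no reason to accept.
$legitimate = ['name' => "O'Brien & Sons", 'website' => 'https://example.com/?a=1&b=2'];
$hostile    = ['name' => '<script>alert(1)</script>', 'website' => 'javascript:alert(1)'];

// Position 1: the same transform Server_cleanRequest() applies to every field.
function sanitiseAtArrival(array $req): array
{
    foreach ($req as $k => $v) {
        $req[$k] = htmlentities(strip_tags($v), ENT_QUOTES, 'UTF-8');
    }
    return $req;
}

// Position 2a: validate on arrival. Each field is checked against what it may legitimately
// contain; the value is never rewritten. Returns field => reason for every rejected field.
function validateAtArrival(array $req): array
{
    $errors = [];
    // letters, combining marks, apostrophe, space, period, ampersand, hyphen; 1..100 characters
    if (!preg_match('/^[\p{L}\p{M}\' .&-]{1,100}$/u', $req['name'])) {
        $errors['name'] = 'contains characters a name cannot have';
    }
    $url = filter_var($req['website'], FILTER_VALIDATE_URL);
    if ($url === false || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $errors['website'] = 'not an http(s) URL';
    }
    return $errors;
}

// Position 2b: escaping selected by the output context, applied at the moment of output.
function toHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}
function toJson(array $a): string
{
    return json_encode($a, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}
// The database context needs no escaping of the value at all: a bound parameter
// never becomes part of the SQL grammar, whatever characters it contains.
function store(PDO $db, array $row): void
{
    $stmt = $db->prepare('INSERT INTO users (name, website) VALUES (:name, :website)');
    $stmt->execute([':name' => $row['name'], ':website' => $row['website']]);
}
function fetchFirst(PDO $db): array
{
    return $db->query('SELECT name, website FROM users LIMIT 1')->fetch(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (name TEXT, website TEXT)');

// --- Position 1 ---
store($db, sanitiseAtArrival($legitimate));
$row = fetchFirst($db);
printf("[1] stored name:    %s\n", $row['name']);    // O&#039;Brien &amp; Sons
printf("[1] stored website: %s\n", $row['website']); // https://example.com/?a=1&amp;b=2
// The entities are now data. Every non-HTML consumer (a plain-text mail, a CSV export,
// the JSON API below) shows them, and the stored website no longer works as a URL.
printf("[1] JSON API:       %s\n", toJson($row));    // "O\u0026#039;Brien \u0026amp; Sons" (double-encoded)

// --- Position 2 ---
$db->exec('DELETE FROM users');
printf("[2] hostile input rejected: %s\n", json_encode(validateAtArrival($hostile)));
// {"name":"contains characters a name cannot have","website":"not an http(s) URL"}
if (validateAtArrival($legitimate) === []) {
    store($db, $legitimate);                                    // stored exactly as typed
    $row = fetchFirst($db);
    printf("[2] stored name:    %s\n", $row['name']);           // O'Brien & Sons
    printf("[2] HTML output:    %s\n", toHtml($row['name']));   // O&#039;Brien &amp; Sons
    printf("[2] JSON API:       %s\n", toJson($row));           // "O\u0027Brien \u0026 Sons"
    printf("[2] href attr:      %s\n", toHtml($row['website'])); // https://example.com/?a=1&amp;b=2
}
```

Run it with `php example.php`. The first half shows what Niels' Server_cleanRequest() leaves in the database and why every consumer that is not an HTML page then sees entities; the second half shows the check-on-arrival that Niels asks for done as validation rather than transformation, with the escaping Norman argues for applied separately for HTML, JSON and SQL.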