How do I fix this vulnerability?

Discussion in 'PHP' started by nfzgrld, May 6, 2006.

  1. #1
    I've recently become aware of a vulnerability in my blog script where someone can send a GET request and supposedly break into the admin section. The thing uses cookie-based authentication. Apparently I'm "not filtering user-supplied data" properly. How do I do that? How do I block the malicious requests without blocking the legitimate ones?
     
    nfzgrld, May 6, 2006 IP
  2. tanfwc
    #2
    Maybe you'd like to let us know your blog script...
     
    tanfwc, May 6, 2006 IP
  3. nfzgrld
    #3
    It's the one in my sig.
     
    nfzgrld, May 6, 2006 IP
  4. ideas_man
    #4
    Sounds like some form of data injection. If your script uses variables passed in the URL string (or POSTed form variables, for that matter), then you should take steps to ensure the data you receive is valid.

    If you are simply working directly on the variables as they are passed, this means anything could be entered into your script as it executes.

    Look into some of the functions that escape special characters at php.net
     
    ideas_man, May 6, 2006 IP
  5. nfzgrld
    #5
    Data is validated when it is received. The problem seems to be the manner in which I'm doing it. I get the data, username and password, then validate it against the database. The password is encrypted using a SHA-1 hash. Once validated, a cookie is set to indicate that the user is properly logged in. Apparently someone could spoof the cookie and gain access. I'm not sure how to counter that.
     
    nfzgrld, May 8, 2006 IP
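An added example of the point raised in post #5 (and of the escaping advice in post #4), written by the editor and not taken from the Archangel Weblog script: a cookie that merely asserts "logged in" is attacker-controlled input like any other, so the admin check must rest on something the browser cannot fabricate. The first part below is the forgeable pattern the thread describes; the second keeps the login state in a server-side PHP session (the browser only ever holds a random session ID) and does the user lookup with a prepared statement, so the username cannot alter the query. The `$pdo` connection, the `users` table with a `password_sha1` column, and the PHP 7 functions used are assumptions about the deployment, not facts from the thread.

```php
<?php
// Added example (editor's code, not the blog script). Assumed: a PDO
// connection $pdo and a table users(username, password_sha1).

// --- The forgeable pattern described in the thread ---------------------------
// After a correct password the script sets a cookie that just says "admin":
//     setcookie('admin', '1');
// and the admin pages test it:
//     if (isset($_COOKIE['admin']) && $_COOKIE['admin'] == '1') { /* admin */ }
// Any client can send "Cookie: admin=1" without ever logging in, because the
// cookie value itself is the proof and the client chooses the cookie value.

// --- Hardened: the login state lives on the server ---------------------------

function start_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        ini_set('session.use_only_cookies', '1');  // ignore ?PHPSESSID=... in URLs
        ini_set('session.cookie_httponly', '1');   // keep page scripts from reading the ID
        session_start();
    }
}

function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username is bound as data, never spliced into SQL.
    $stmt = $pdo->prepare('SELECT password_sha1 FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The thread's database stores sha1(password); compare in constant time.
    // (For new code, password_hash()/password_verify() is the better choice.)
    if ($row === false || !hash_equals($row['password_sha1'], sha1($password))) {
        return false;
    }

    start_session();
    session_regenerate_id(true);    // new ID after login, so a pre-set ID is useless
    $_SESSION['user']     = $username;
    $_SESSION['is_admin'] = true;   // only this server-side code can set it
    return true;
}

function require_admin(): void
{
    start_session();
    if (empty($_SESSION['is_admin'])) {
        header('HTTP/1.1 403 Forbidden');
        exit('Admin login required.');
    }
}

// Usage on the login page (form field names are assumed):
//   if (login($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''))) {
//       header('Location: admin.php');
//       exit;
//   }
// and as the first statement of every admin page:
//   require_admin();
```

If the script cannot use PHP sessions, the alternative is to make the cookie value a MAC over the username and an expiry time computed with `hash_hmac()` and a key that exists only on the server, and to verify it with `hash_equals()` before trusting anything in it. Either way the browser never gets to pick a value the server will believe, which is the property the plain "logged in" cookie lacks.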
  6. tech86
    #6
    Your website is down for me for some reason?

    If you can pm me a working live version of your script, I'll give you a quick free audit and a list of vulnerabilities in the script.
     
    tech86, May 8, 2006 IP
  7. tech86
    #7
    There are actually quite a lot of vulnerabilities, e.g.:

    [blogurl.com]/index.php?index=......
     
    tech86, May 8, 2006 IP
  8. Selkirk
    #8
    Selkirk, May 8, 2006 IP
  9. nfzgrld
    #9
    Thanks, but there doesn't seem to be a way to make attachments to a PM. Here's a link right to the thing; hope it works for you:

    http://www.archangelmgt.com/Archangel_Weblog_v090_02.zip

    By the way, there's a working demo of the thing online here: http://www.archangelmgt.com/weblog/. It's a raw install just as it comes out of the "box" so you can take a look at it that way if you want.

    Thanks again,

    Nick
     
    nfzgrld, May 11, 2006 IP
  10. MrSupplier
    #10
    Sorry, too busy to check PHP code, but let me guess: is register_globals on?
    That's the main source of problems.

    You can allow only certain IPs access to the admin scripts.
    Also check Apache's mod_security; it can be useful.
     
    MrSupplier, May 11, 2006 IP
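An added example, again the editor's code rather than anything from the script, of the two server-side measures suggested in post #10 done inside PHP: refusing to run while register_globals is on (with it on, `?admin=1` in the URL becomes a local `$admin` variable, which is exactly how a GET request can "break into" an admin section that checks such a variable), and restricting the admin pages to an allowlist of client addresses. The allowlist entries are constructed from the RFC 5737 documentation ranges; the `$admin_allowlist` name, the assumption that every admin page includes this file first, and the use of PHP 7 syntax are all the editor's choices. register_globals existed in the PHP 4/5 builds of 2006 and was removed in PHP 5.4, so on current PHP the first check simply passes.

```php
<?php
// Added example (editor's code, not the blog script). Meant to be the first
// include of every admin page. The allowlist below is constructed sample data.

// With register_globals=On, every query-string and cookie key becomes a PHP
// variable, so "if ($logged_in)" is satisfied by GET /admin.php?logged_in=1.
// ini_get() returns "" where the setting no longer exists, which maps to false.
if (filter_var((string) ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN)) {
    header('HTTP/1.1 500 Internal Server Error');
    exit('register_globals must be Off (php.ini, or "php_flag register_globals off" in .htaccess).');
}

// Constructed allowlist: RFC 5737 documentation addresses, one host and one /24.
$admin_allowlist = ['203.0.113.10', '198.51.100.0/24'];

// True when the IPv4 address $ip lies in $cidr ("a.b.c.d" or "a.b.c.d/bits").
function ip_in_cidr(string $ip, string $cidr): bool
{
    $ipNum = ip2long($ip);
    if ($ipNum === false) {
        return false;                 // not a valid IPv4 address: never matches
    }
    if (strpos($cidr, '/') === false) {
        return $ipNum === ip2long($cidr);
    }
    list($net, $bits) = explode('/', $cidr, 2);
    $bits   = (int) $bits;
    $netNum = ip2long($net);
    if ($netNum === false || $bits < 0 || $bits > 32) {
        return false;                 // malformed allowlist entry: never matches
    }
    // Mask keeps the top $bits bits; both sides use the same mask, so the
    // comparison is correct whether ip2long() returns signed or unsigned ints.
    $mask = $bits === 0 ? 0 : (-1 << (32 - $bits));
    return ($ipNum & $mask) === ($netNum & $mask);
}

// Deny the request unless the client address is on the allowlist. REMOTE_ADDR
// is the TCP peer: behind a reverse proxy it is the proxy's address, and
// X-Forwarded-For must not be trusted unless that proxy is known to overwrite it.
function require_admin_ip(array $allowlist): void
{
    $client = (string) ($_SERVER['REMOTE_ADDR'] ?? '');
    foreach ($allowlist as $cidr) {
        if (ip_in_cidr($client, $cidr)) {
            return;
        }
    }
    header('HTTP/1.1 403 Forbidden');
    exit('Admin access is not permitted from this address.');
}

require_admin_ip($admin_allowlist);
```

The same address restriction can be applied one layer earlier in Apache (an `Allow from` / `Require ip` rule on the admin directory in `.htaccess`), which keeps the PHP code from being reached at all; the PHP version is useful when the hosting does not permit per-directory Apache configuration. Neither check replaces fixing the cookie handling itself, since an allowlisted address is still free to send a forged cookie.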