Remember a discussion about the ->query method?
http://community.impresscms.org/modules/newbb/viewtopic.php?post_id=13353#forumpost13353
This was my proposal.
Now this is the code that tries to execute this proposal.
This is a test function, not related to iCMS, just wanted to try my method to detect SQL injections. This is the code:
Really, impressive Vaughan, THANKS
These documents are coming at a great time.
Half off-topic: is there a way to export those files to PDF documents, in the style of a word editor?
Many thanks - this will certainly be useful.
Is this information possible to add to the new downloads site as well?
I've put together a few of the documents I've been reading over the last month or so.
They are documents that are useful in understanding and preventing SQL injection and XSS.
I thought I'd share them with you, as they have helped me understand a lot more.
You can download them from my new site (still under construction):
http://www.g7poo.co.uk/modules/wfdownloads/viewcat.php?cid=3
Another place to look at for username/password security is banners.php - it has separate functions for clients and client logins that get stored in another table.
Thanks Giba, I'm glad the translation was ok :)
As for your concerns about cleaning output and input: if my concept works with the HTML purifier branch, then I'm pretty sure that will be a huge benefit to the security of icms.
At the moment I have ideas and thoughts in my head and I can see an end result of what I want to achieve, but I am having a hard time getting those thoughts out of my head and into written words so that I can give everyone a picture.
I will try to write a blog this weekend and get my thoughts on screen in a clear and understandable manner, in order for translations to be more accurate so that you can understand better.
Many, many thanks, Vaughan.
Even using the translator I could fully understand your words. I think you did a great job of writing this message.
I fully agree with you on all terms, especially where you tried to warn about the origin of the security problem.
On the question of 'sha256' being native in PHP 5, really, you are right too.
I am sure that your value to the team, if ImpressCMS continues specializing in security, will be of great value, and your recognition will be immense for the whole community. We know what it means to have a person with this responsibility in charge of a very critical sector, and we all know this.
Now I remain very concerned about the issue of when we already have something recorded in the database: output via a query could produce compromising data and could also allow the server to expose new malicious code, even where there are currently no failures.
The issue of protecting the output is worrying me a lot, because we could not solve the problem and also because this code is constantly destroying our database.
Anyway, thank you for your service to the community, and I know how to value information of this nature. I am also studying a lot so as not to program badly, but I agree that a verification tool is important and vital.
I agree, Giba. Although myself and wishcraft got off to a bad start, we are both now amicable towards each other; we both overreacted, me so because when trying to help someone I was deemed a bad person simply because of who I am and my relationship to ICMS.
However I hope that this history can be cleared up.
As I have just proved, security issues aside, when people collaborate and help each other, everything moves more fluently as well as calmly.
Security has to be a high priority. Up until yesterday I had never attempted, or even knew how, to properly inject SQL into a URL. But since starting with ImpressCMS I have done some reading, and it seems that my reading is paying off slowly.
You can't properly secure something unless you understand how SQL injection and XSS work; this is what I am currently learning in my own time. And yes, I also agree it is far better when someone who hacks your site tells you exactly how they did it. A demonstration shouldn't be needed, but it is more helpful to know why that exploit works; once you know the whys, it is far easier to protect from it. But saying that, it can be difficult to spot a vulnerability by looking at code, so essentially we need tools to help as well. A cracker/hacker is a great tool because it's a real person who you can talk with (providing they are willing to offer assistance).
And assistance I will also give to Wishcraft, should he require any. After all, it's the users who suffer most when these kinds of exploits get attention from the wrong people, and ICMS, XOOPS, XC, Joomla etc. are nothing without their users.
@giba: the new password algorithm uses the PHP 5 native hash('sha256', $password); function.
But there's a fallback standalone script if the PHP 5 hash function is not detected, as will be the case for PHP 4 users. So both PHP 4 and PHP 5 users will not have any problems.
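The hashing flow described above, as an added example that is not ImpressCMS code: PHP 5's native hash('sha256', ...) with a per-user salt, a constant-time comparison, and transparent re-hashing of legacy unsalted MD5 accounts on their next successful login (the "existing users" case mentioned later in the thread). The $users array, the function names and the sample accounts are assumptions constructed for this example; the PHP 4 fallback script the post mentions is not reproduced here, so the example refuses to run without native hash().

```php
<?php
// Added example, not ImpressCMS code. Assumes PHP 5 with the native hash()
// extension; the project's standalone PHP 4 fallback is not shown here.
if (!function_exists('hash') || !in_array('sha256', hash_algos())) {
    die("Native hash() with sha256 is required; PHP 4 needs the fallback script.\n");
}

// Hypothetical helper: random per-user salt, hex encoded.
function example_make_salt($bytes = 16) {
    if (function_exists('random_bytes')) {          // PHP 7+
        return bin2hex(random_bytes($bytes));
    }
    if (function_exists('openssl_random_pseudo_bytes')) {   // PHP 5.3+
        return bin2hex(openssl_random_pseudo_bytes($bytes));
    }
    // Last resort for very old PHP; mt_rand() is not a CSPRNG.
    $salt = '';
    for ($i = 0; $i < $bytes; $i++) {
        $salt .= chr(mt_rand(0, 255));
    }
    return bin2hex($salt);
}

// Salt first, so two users with the same password store different hashes.
function example_hash_password($password, $salt) {
    return hash('sha256', $salt . $password);
}

// Compares every byte so timing does not reveal how many leading bytes matched.
function example_constant_time_equals($a, $b) {
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Legacy rows (XOOPS style) stored md5($password) with no salt.
function example_is_legacy_hash($row) {
    return $row['salt'] === '' && strlen($row['pass']) === 32;
}

function example_register(&$users, $uname, $password) {
    $salt = example_make_salt();
    $users[$uname] = array('pass' => example_hash_password($password, $salt), 'salt' => $salt);
}

// Returns true on success. A legacy account that logs in successfully is
// re-hashed with SHA-256 and a salt, so migration needs no user action.
function example_login(&$users, $uname, $password) {
    if (!isset($users[$uname])) {
        return false;
    }
    $row = $users[$uname];
    if (example_is_legacy_hash($row)) {
        if (!example_constant_time_equals($row['pass'], md5($password))) {
            return false;
        }
        example_register($users, $uname, $password);
        return true;
    }
    return example_constant_time_equals($row['pass'], example_hash_password($password, $row['salt']));
}

// Constructed sample data: one new-style account and one legacy MD5 account.
$users = array();
example_register($users, 'alice', 'correct horse');
$users['bob'] = array('pass' => md5('battery staple'), 'salt' => '');

echo 'alice, right password: ', example_login($users, 'alice', 'correct horse') ? 'ok' : 'rejected', "\n";
echo 'alice, wrong password: ', example_login($users, 'alice', 'wrong') ? 'ok' : 'rejected', "\n";
echo 'bob (legacy), right password: ', example_login($users, 'bob', 'battery staple') ? 'ok' : 'rejected', "\n";
echo 'bob still legacy after login: ', example_is_legacy_hash($users['bob']) ? 'yes' : 'no', "\n";
```

The salt is the part the thread's hash('sha256', $password) call does not have; without it, identical passwords produce identical stored hashes and precomputed tables apply to every user at once.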
Total agreement with you!
sorry, off-topic:
my reply here:
http://www.xoops.org/modules/newbb/viewtopic.php?post_id=285183#forumpost285183
copy content here, if deleted.
Hi wishcraft, Vaughan, JAVesey and all xoopers.
The issue here is advising the developer about the problem, and this is completely ignored.
It is a pity that in my country there is no person who will honestly tell me about a security point, where the problem is, and propose a solution.
This is independent of the CMS being used. But there is a real difference in this approach: verification of input and verification of output.
In this case, the module's flaw allows the malicious code to be injected; that is a fact and it is proven.
The developer corrects this problem very quickly. But this does not guarantee that it will be safe. The reason is the output of data. Has the hacker been prevented, during the time the module was flawed, from deploying other code to extract data using common JavaScript?
The answer to this is the way the output of data is checked. At this point there is a differential in favour of XOOPS Cube, and XOOPS and ImpressCMS are still vulnerable.
What I am talking about here is based on our experience of suffering with this type of problem, because we already know some practices used by crackers and idiots who insist on trying to misrepresent the house from outside.
Zaphod - I'm sure any help of this nature would be appreciated!
Again - this is something else we can use the idea of the icsm_header for - both for QA test status, and also together with a version-like function for updating the users in case of discovered security issues.
Yet another reason for moving towards php5...
Quote:
If I understand this correctly it really highlights the need to have a set of modules, on sourceforge, that have been tested and validated for amongst other things security vulnerabilities such as this.
How is the average user supposed to track all of this? This is important work that Vaughan has put forth and highlights the complexities of a project like this. How do we make it a little bit simpler for people using Impress?
About integrating the new password algorithm: it is necessary, but...
http://www.php.net/manual/en/ref.mcrypt.php
This function is now native in version 5 and can be used on a large scale. It provides a very strong and robust method of use. In the past it had great dependencies on the operating system, but I feel that today it is already in better versions of PHP 5.
On many security sites I have heard very good things about its use as a key that does not allow feedback and works with 128 bits.
Now I have a real, complex problem, and neither the suggested function nor the use of the new approach proposed by Vaughan will advance me in anything.
Real case
- The hacker invades the site and amends the XOOPS configs.
- This change is minimal: it is only one escape, "> , within it.
- From now on he knows where the door is and will use it combined with other things, and it will pass unnoticed.
Although the server may have reasonable safety ("there is no 100% secure server"), it will be very difficult to find it. Even if today there is no flaw in the code of ImpressCMS, the site will be invaded.
The reason is the lack of filtering of the output. Most of the work is on not allowing the entry of malicious code, but there are several things to be done during a search or query. It is not enough just to verify the data on entry; we need to evaluate the output of data with urgency.
XoopsToal is offline and will be transferred to another server. Everything that is stored in the database must be verified. This database has more than 220 MB of information and it is not an easy task.
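Output filtering, as raised in the reply above and in Giba's earlier point about checking output rather than only input, as an added example that is not ImpressCMS or XOOPS code: a stored configuration value with a stray "> in it is rendered once the vulnerable way (direct concatenation) and once with context-appropriate escaping, and a small audit helper scans already-stored values for markup characters that plain-text settings should never contain. The $config row, its values and the function names are constructed for this example.

```php
<?php
// Added example, not ImpressCMS code. Function names and the sample
// configuration row are hypothetical and constructed for illustration.

// Neutralises < > & " ' so the value is inert as element text and inside
// a double- or single-quoted attribute value.
function example_esc_html($value) {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Only http(s) URLs are allowed in href; anything else is dropped, and the
// survivor is then escaped like any other attribute value.
function example_esc_url($url) {
    if (!preg_match('#^https?://#i', $url)) {
        return '';
    }
    return example_esc_html($url);
}

// The vulnerable pattern: the stored value is concatenated straight into the
// attribute, so a value containing "> closes the attribute and the tag and
// whatever follows it becomes live markup.
function example_render_sitename_unsafe($config) {
    return '<input type="text" name="sitename" value="' . $config['sitename'] . '">';
}

// The hardened pattern: the same template, but the value is escaped for the
// context it lands in. The "> stays literal text inside the attribute.
function example_render_sitename($config) {
    return '<input type="text" name="sitename" value="' . example_esc_html($config['sitename']) . '">';
}

// Two contexts in one line: a URL attribute and element text.
function example_render_site_link($config) {
    return '<a href="' . example_esc_url($config['url']) . '">'
         . example_esc_html($config['sitename']) . '</a>';
}

// Audit helper for a database that may already hold injected values: returns
// name => value for every field containing characters that plain-text
// settings have no business containing. Review the hits by hand.
function example_find_suspicious_values($rows) {
    $hits = array();
    foreach ($rows as $name => $value) {
        if (preg_match('/[<>"\']/', $value)) {
            $hits[$name] = $value;
        }
    }
    return $hits;
}

// Constructed sample row: sitename was saved with a stray "> (the minimal
// change described in the thread) followed by a harmless bold tag, and
// homepage holds something that is not an http(s) URL.
$config = array(
    'sitename' => 'My Site"><b>extra</b',
    'url'      => 'http://example.invalid/',
    'homepage' => 'not a url',
    'slogan'   => 'Plain text is fine',
);

echo "Unsafe: ", example_render_sitename_unsafe($config), "\n";
echo "Safe:   ", example_render_sitename($config), "\n";
echo "Link:   ", example_render_site_link($config), "\n";
echo "Suspicious stored values:\n";
print_r(example_find_suspicious_values($config));
```

Escaping at output is what makes an already-poisoned database survivable: the audit helper finds what to clean, but even before the clean-up the escaped rendering shows the injected "> as text rather than as the end of an attribute.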
Hi Vaughan, I also informed him about the problem, but in other modules.
Quote:
Private message
Subject: Download X-Soap Again
From: wishcraft (Sydney, Australia)
Sent: 2008/2/12 11:05:14
Dear gibaphp,
Get the latest version; that is the final RC for the moment... Just added some CRC features and so on.
Thanks
Simon
Good point Seth.
I think there is an opening for an internal security alert system in Impress Admin....
If I understand this correctly it really highlights the need to have a set of modules, on sourceforge, that have been tested and validated for amongst other things security vulnerabilities such as this.
How is the average user supposed to track all of this? This is important work that Vaughan has put forth and highlights the complexities of a project like this. How do we make it a little bit simpler for people using Impress?
Seth
Cool :)
Not ignored here though, Will :)
The branch is active and complete except for one minor issue; once that issue is resolved, the new password system is good to go, and it will not be a problem for existing users either, as I've already taken those into consideration. ;)