http:///gbookmx.sourceforge.net
Me han contactado con el siguiente email:
Cita:
Okay, thanks for giving credits, but I think it is easier if I explain it to
you, and then you can fix it and also avoid it in the future :)
Here is the explanation:
In short, variables from HTTP requests are not safe.
Ex: $name = _GET[x] or $pass = _POST[x]
Because the variables come from the "user" (their browser). Even if it is a
POST request, there are many tools that allow usrs to customize a POST
requst.
So, if this kind of variable is used to construct HTML code or SQL code,
then they must be "filtered" or "sanitized" first, usually using
htmlspecialchars() or htmlentities().
So, if somewhere in your code, you have: echo "Hello, " $name
Then the code is insecure because an "untrusted" or "tainted" variable is
used directly to construct HTML. This code then is vulnerable to cross-site
scripting.
The same, if somewhere in your code, you have: mysql("Select ....... where
name = " .$name), then it is worse, because name can contain a malicious
pattern that will allow the attacker to execute ANY sql commands--that's one
of the main reasons that credit-card numbers get stolen. This is called SQL
injection.
So, the fix is easy, before using it, do htmlspecialchars($name). But to
prevent SQL injection, you need to write your own filter, and filter out
special SQL characters such as ' ; " and so on.
The best source of information would be the OWASP project, at:
http://www.owasp.org. Look under the "Quick Link" section in the lower-left
corner for "OWASP Guide" and "Top Ten." Then concentrate on the "SQL
injection" and "cross-site scripting" sections. Basically, before using HTTP
variables, we have to sanitize them. It is easy to do; perhaps just use the
httpspecialchars() function. Good luck!
The vulnerabilities reported to you were found using our VeriPHP-a security
verifier for PHP code. We're currently using it to conduct experiments and
to verify open source code that we use. We're evaluating whether it is
worthwhile to prepare and release the tool for public use (for free)...would
you be interested in using such a tool, if made available? Thanks!
you, and then you can fix it and also avoid it in the future :)
Here is the explanation:
In short, variables from HTTP requests are not safe.
Ex: $name = _GET[x] or $pass = _POST[x]
Because the variables come from the "user" (their browser). Even if it is a
POST request, there are many tools that allow usrs to customize a POST
requst.
So, if this kind of variable is used to construct HTML code or SQL code,
then they must be "filtered" or "sanitized" first, usually using
htmlspecialchars() or htmlentities().
So, if somewhere in your code, you have: echo "Hello, " $name
Then the code is insecure because an "untrusted" or "tainted" variable is
used directly to construct HTML. This code then is vulnerable to cross-site
scripting.
The same, if somewhere in your code, you have: mysql("Select ....... where
name = " .$name), then it is worse, because name can contain a malicious
pattern that will allow the attacker to execute ANY sql commands--that's one
of the main reasons that credit-card numbers get stolen. This is called SQL
injection.
So, the fix is easy, before using it, do htmlspecialchars($name). But to
prevent SQL injection, you need to write your own filter, and filter out
special SQL characters such as ' ; " and so on.
The best source of information would be the OWASP project, at:
http://www.owasp.org. Look under the "Quick Link" section in the lower-left
corner for "OWASP Guide" and "Top Ten." Then concentrate on the "SQL
injection" and "cross-site scripting" sections. Basically, before using HTTP
variables, we have to sanitize them. It is easy to do; perhaps just use the
httpspecialchars() function. Good luck!
The vulnerabilities reported to you were found using our VeriPHP-a security
verifier for PHP code. We're currently using it to conduct experiments and
to verify open source code that we use. We're evaluating whether it is
worthwhile to prepare and release the tool for public use (for free)...would
you be interested in using such a tool, if made available? Thanks!
Creo que se mas o menos por donde va la cosa, el archivo "maligno" en cuestion es el preview.php, y bueno quiero estar seguro de que lo entendi, consultando a alguno de ustedes que tenga tiempo de revisarlo.
Les anexo el primer email que me llego:
Cita:
De anetemano gracias por sus tiempo, slaudos! Dear Victor,
We have found that the following lines of code from GBook MX are
vulnerable to script injection. We have listed them below. If you'd like
more detailed information, please feel welcome to e-mail me. More
importantly, if you intend to patch this vulnerability in the future, please
also reply and let me know. Thanks a lot!
Best regards,
Yao-Wen (Wayne) Huang
Research assistant, Institute of Information Science, Academia Sinica,
Taiwan
Ph.D. candidate, Department of Electrical Engineering, National Taiwan
University
file:
Gbook_mx4.1.0\gbookmx\preview.php
variable:
genero
lines:
line22: $genero = $_POST[genero];
line 71: echo "<img src=\"images/$genero.gif\" align=\"absmiddle\">\n";
explanation:
As genero comes from the HTTP request, and is directly used to form HTML
output, it should be sanitized.
>From the code, it seems that most variables used this way are sanitized
using httpspecialchars(). Maybe this one was forgotten.
The same for variable: bandera (line 78), msn (line 99), icq (line 105), aim
line (108).
We have found that the following lines of code from GBook MX are
vulnerable to script injection. We have listed them below. If you'd like
more detailed information, please feel welcome to e-mail me. More
importantly, if you intend to patch this vulnerability in the future, please
also reply and let me know. Thanks a lot!
Best regards,
Yao-Wen (Wayne) Huang
Research assistant, Institute of Information Science, Academia Sinica,
Taiwan
Ph.D. candidate, Department of Electrical Engineering, National Taiwan
University
file:
Gbook_mx4.1.0\gbookmx\preview.php
variable:
genero
lines:
line22: $genero = $_POST[genero];
line 71: echo "<img src=\"images/$genero.gif\" align=\"absmiddle\">\n";
explanation:
As genero comes from the HTTP request, and is directly used to form HTML
output, it should be sanitized.
>From the code, it seems that most variables used this way are sanitized
using httpspecialchars(). Maybe this one was forgotten.
The same for variable: bandera (line 78), msn (line 99), icq (line 105), aim
line (108).