Author Topic: Securing PHP scripts  (Read 4666 times)

gomisan

  • Full Member
  • ***
  • Karma: 0
  • Posts: 194
    • http://fish-cam.net/
Securing PHP scripts
« on: August 15, 2006, 03:31:37 am »

There is a very interesting article here:

http://www.informit.com/articles/article.asp?p=603037&rl=1

which goes into some detail about finding and exploiting vulnerabilities in websites. It occurred to me that since I don't know as much as I should about securing PHP scripts, that some of the more experienced coders here could re-assure me that sNews isn't vulnerable to this sort of attack, or if it is, what we can do to secure it.
Logged
Check out my sNews powered Tropical Fishtank site, live Fish-Cam !!

Mika

  • Hero Member
  • *****
  • Karma: 9
  • Posts: 1377
    • http://www.ni5ni6.com/
Securing PHP scripts
« Reply #1 on: August 15, 2006, 08:14:42 am »

Well, 1.3 had some security issues (I think they're fixed by now - go take a peek at the mods section). The latest 1.4 version is pretty much secure.
Logged
http://www.ni5ni6.com/ - Tutorials, Mods and How-To's about sNews CMS
sNews 1.6 Developers Edition - commented sNews 1.6 version

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Securing PHP scripts
« Reply #2 on: August 15, 2006, 04:48:31 pm »

Security Notes on sNews 1.4

There was one vulnerability "Test Report" by Ivan Markovic. Several Security Vulnerability info-sites (Adsense-maximizers) picked up on Ivan's report... all saying that there is no known fix for this. However, Ivan states in his latest report (July 25/06) at http://security-net.biz/adv/D25706a.txt, that the SOLUTION/FIX HAS BEEN APPLIED by adding function cleanXSS to snews.php.

The offending Security Report sites that still warn of this being un-fixed... all based on Ivan's original Report - are:

1. http://secunia.com/advisories/21189/

2. http://www.frsirt.com/english/advisories/2006/2968

3. http://securitydot.net/vuln/exploits/vulnerabilities/articles/18190/vuln.html

4. http://www.osvdb.org/27481

What happens is... all these sites (Adsense Maximizers) gather information and re-post it as they 'pretend' to be authorities on their subject to maximize visitor volume, yet they do not follow up on or check their information for accuracy. One site gets it from another... and so on... leading to... http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-3916 - which terms itself as "The standard for Information Security Vulnerability Names" and has sNews 1.4 "under review as a candidate for inclusion in the CVE List".

This "crap" (re-phrased - "inaccuracy") ends up giving people the idea that the vulnerability with sNews has not been fixed in version 1.4, and this may cause some potential users to shy away from trying it out in silence.

It might be a good idea for Luka - the "Authority" at sNews - to contact these (and perhaps other) sites that have inaccurate information, and request they update their reports to show that the fix has been applied.
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Luka

  • Administrator
  • ULTIMATE member
  • ******
  • Karma: 36
  • Posts: 1717
    • http://www.snewscms.com
Securing PHP scripts
« Reply #3 on: August 15, 2006, 05:30:33 pm »

Here's the bug that was in sNews 1.4 but corrected:

In the function search(), search_query was cleaned with the function clean instead of clean and cleanXSS, which left XSS injection possible although an XSS injection protection routine was integrated.
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Securing PHP scripts
« Reply #4 on: August 15, 2006, 05:55:54 pm »

Function search() in my snews.php file... it appears the search_query is only cleaned with function clean and not cleanXSS.
Code:
$search_query = clean($_POST['search_query']);
Does it need to be cleaned by both functions, or just by function cleanXSS?  Is it just a matter of changing the string above to read:
Code:
$search_query = cleanXSS($_POST['search_query']);
When was the fix added to the sNews 1.4 download?
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

Luka

  • Administrator
  • ULTIMATE member
  • ******
  • Karma: 36
  • Posts: 1717
    • http://www.snewscms.com
Securing PHP scripts
« Reply #5 on: August 15, 2006, 06:00:07 pm »

Here's the correct line:

Code:
$search_query = cleanXSS(clean($_POST['search_query']));
Bug was fixed in version 1.4.
Logged

Keyrocks

  • Doug
  • ULTIMATE member
  • ******
  • Karma: 449
  • Posts: 6020
  • Semantically Challenged
    • snews.ca
Securing PHP scripts
« Reply #6 on: August 15, 2006, 06:21:15 pm »

Quote from: Luka
Bug was fixed in version 1.4.
Thanks Luka - I am using V1.4, downloaded in late April/06. Was the change added to the sNews 1.4 download AFTER April/06?

I made the change in 38 locations (hehe) 18 installations and my master on 2 drives (primary & safe-storage) on my office machine, and will update my online installations.
Logged
Do it now... later may not come.
-------------------------------------------------------------------------------------------------
sNews 1.6 MESU | sNews 1.6 MEMU

mattd

  • Full Member
  • ***
  • Karma: 0
  • Posts: 121
Securing PHP scripts
« Reply #7 on: August 15, 2006, 11:53:54 pm »

Bug was in my 1.4 download too. :o

Fixed now.
Logged
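
Added example (not part of the original thread and not sNews code): Replies #4 to #7 describe checking many copies of snews.php for the line that passes search_query through clean() only. This Python sketch audits PHP source for request input that reaches a variable without cleanXSS(); the names audit_source, audit_tree and wrappers are hypothetical, the sample input is constructed from the two lines quoted in the thread, and the matching is a line-based heuristic, not a PHP parser.

```python
import re
from pathlib import Path

# "$var = <wrapping calls>$_POST[" : request input assigned to a variable.
ASSIGN = re.compile(r"\$(\w+)\s*=\s*([^;=]*?)\$_(?:POST|GET|REQUEST|COOKIE)\[")
TOKEN = re.compile(r"(\w*)\s*\(|\)")

def wrappers(prefix):
    """Names of the calls still open at the point the request variable appears."""
    stack = []
    for m in TOKEN.finditer(prefix):
        if m.group(0) == ")":
            if stack:
                stack.pop()
        else:
            stack.append(m.group(1).lower())  # PHP function names are case-insensitive
    return stack

def audit_source(php_source):
    """Return (line_no, variable, status) for each request-input assignment.
    'ok' = wrapped in cleanXSS(); 'clean-only' = the unfixed line from the
    thread; 'raw' = neither function applied."""
    findings = []
    for line_no, line in enumerate(php_source.splitlines(), start=1):
        if line.lstrip().startswith(("//", "#", "*")):
            continue  # skip comment lines
        m = ASSIGN.search(line)
        if not m:
            continue
        calls = wrappers(m.group(2))
        status = "ok" if "cleanxss" in calls else "clean-only" if "clean" in calls else "raw"
        findings.append((line_no, m.group(1), status))
    return findings

def audit_tree(root, filename="snews.php"):
    """Audit every copy of `filename` under root; report only non-'ok' lines."""
    report = {}
    for path in Path(root).rglob(filename):
        bad = [f for f in audit_source(path.read_text(errors="replace")) if f[2] != "ok"]
        if bad:
            report[str(path)] = bad
    return report

# Constructed sample: the unfixed and the corrected line quoted in the thread.
SAMPLE = """<?php
$search_query = clean($_POST['search_query']);
$search_query = cleanXSS(clean($_POST['search_query']));
"""

if __name__ == "__main__":
    print(audit_source(SAMPLE))
```

Pointing audit_tree at the directory that holds the installations lists each snews.php that still needs the corrected line.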