Subject: Re: k5n.us webmail -- multiple vuln
From: Craig Knudsen
Date: Tue, 29 Nov 2005 13:34:34 -0500
To: ascii

ascii thanks for the reply. I have most of the issues fixed in the REL_1_0_0 branch in CVS. I will release WebCalendar 1.0.2 as soon as a few people test it to make sure I didn't break anything :-)

We've been talking about a template system for years now. Most people mention Smarty. Do you have any suggestions? I haven't really looked much into this.

Also, there is a mailing list for WebCalendar-related announcements (like this security issue):
http://lists.sourceforge.net/lists/listinfo/webcalendar-announce

Craig

ascii wrote:
> Craig Knudsen wrote:
>
>> I have seen the details now. One question though... did you have
>> magic_quotes_gpc enabled in your php.ini? If you have this turned on,
>> wouldn't this prevent any SQL injection issues?
>
> *any* is too big for me, I can only tell you my feelings : )
>
> heheh, I heard different opinions about magic_quotes_gpc and
> magic_quotes_runtime.. and yes, magic_quotes_gpc could be a sedative, but
> (imho) things should be fixed in the php code. While magic_quotes_gpc is
> PHP_INI_PERDIR (if I'm not wrong) and the default value is 1 (on recent
> php releases), most hosters still disable (or do not enable) this feature.
>
> imho magic_quotes_gpc is futile and programmers have to start thinking
> (I'm not speaking specifically about you, I love your init.php and the
> variable recycling; making the stuff plain and simple is the best way to
> get a quite secure system)
>
> generally speaking magic quotes saves a lot of hosts, but sql injections
> are the most emerging vuln in these years (so this is not so effective in
> real life), and it saves only proper sql queries. I'll give you some
> examples:
>
> $id = $_GET['id'];
> // value sits inside a quoted literal: an escaped ' cannot close it
> mysql_query("select * from table where id = '$id'");
>
> in this case quotes will save you
>
> $id = $_GET['id'];
> // value is bare: "1 OR 1=1" needs no quote, so escaping changes nothing
> mysql_query("select * from table where id = $id");
>
> in this case nobody can save you
>
> if ( ! empty ( $startid ) )
>   $sql .= "AND webcal_entry_log.cal_log_id <= $startid ";
>
> this is your code (activity_log). While I'm not able to figure out
> from where $startid can come (without globals, and if your script runs on
> a system with globals on I have seen a lot of exploitable lines), there is
> no protection _also_ with quotes on
>
> so why not assure us things go right? : )
>
> $id = mysql_real_escape_string($_GET['id']);
> $id = function_that_check_values('[0-9]', $id);
> $id = (int)intval($id);
> $id = ($id<0)?0:$id;
> mysql_query("select * from table where id = '$id'");
> // note some of the code is redundant for an integer
>
> also I can assure you that you can do a lot of sql injections without
> using ' or " (think about -- /* and comment-based attacks)
>
> then there are other threats: url/base encoding, charset attacks and
> query encoding (think about functions like unpack and unescape, dbs
> have useful but evil functions)
>
> these charset and url/base encoding attacks are the reason for the
> existence of mysql_real_escape_string() as opposed to mysql_escape_string()
>
> then there are tomorrow's attacks, and today's ones that I don't know
>
> also note that I have only downloaded the package and read some php (as
> I wrote in the advisory I have checked only for sql injections in the root
> files) so you should set up some proactive contest/audit (as the openbsd
> folks do) looking for xss and other bugs
>
> OT: I can't figure out from where a lot of vars come : ) if you want,
> I'm curious
>
> ok, I'm going to update the advisory with your response, but what's your
> response? : )
>
> btw, a mitigation to give to the users could surely be an .htaccess with
> a beautiful magic_quotes_gpc on inside.. but these vulnerable vars should
> be validated as the init.php ones (if you really think quotes fix
> everything why do all that work on $id and $login etc?)
>
> I will update the page on my site with the contents you will provide
> (patch, links etc)
>
> regards, ascii (feel free to forward this to other developers for public
> discussion)
>
> ps: I'm sorry for the disclosure times but I was looking for a third
> advisory to post on fd/bt and your software was the second on this page
> http://sourceforge.net/softwaremap/trove_list.php?form_cat=183
>
> imho you need only a few things to make this project great (from my
> point of view, which isn't the user one, interested only in fancy JS
> effects and dumb features)
>
> - divide html from php (aka: a template system, but I hope you will not
>   choose smarty :P)
>
> - collapse files that do the same things (for security reasons, think
>   about admin_handler.php with globals and a direct call with the right post)
>
> - secure sql queries and inputs with proper validation (your regexpr
>   approach is also good but needs re-validation - aka paranoia mode - in
>   the line before the query is executed)
>
> pps: look in your cvs history who made modifications to edit_template.php,
> these seem to be so intentional
>
> references:
> http://www.ush.it/2005/11/28/webcalendar-multiple-vulnerabilities/
> http://sourceforge.net/forum/forum.php?thread_id=1392901&forum_id=11588
> http://www.securityfocus.com/archive/1/417900/30/0/threaded
> http://sourceforge.net/forum/forum.php?thread_id=1391877&forum_id=11588
>
> okay, here in Italy it's about 3.46 am so it's time to sleep : )
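The distinction ascii draws in the quoted message (quote escaping protects a value inside a quoted literal, does nothing for a bare numeric value such as the $startid in activity_log, and the cure is typing or binding the value) can be exercised end to end against a real database engine. The following is an added example, not code from this thread or from WebCalendar: it uses an in-memory SQLite table whose column names are borrowed from the quoted snippet and whose rows are constructed. Because SQLite escapes a quote by doubling it rather than with a backslash, magic_quotes() below stands in for what magic_quotes_gpc/addslashes does for PHP+MySQL; php_intval() is a small approximation of PHP's intval(). The comment-only payload at the end shows the "no quotes needed" case ascii mentions, and the last function shows parameter binding, which the thread does not discuss but which removes the problem entirely.

```python
"""Why magic_quotes_gpc is not an SQL-injection fix: a runnable model.

Escaping quotes only matters when the attacker has to close a quoted
literal.  A bare numeric placeholder accepts 'OR 1=1' with no quote at
all, so the only defences are to force the type (cast to int, as in
ascii's snippet) or to bind the parameter so it is never parsed as SQL.
"""
import re
import sqlite3

# Constructed rows standing in for webcal_entry_log (assumed column names).
ROWS = [(1, "public"), (2, "public"), (3, "private"), (4, "private")]


def make_db():
    """Fresh in-memory table for each run."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE webcal_entry_log (cal_log_id INTEGER, cal_vis TEXT)")
    db.executemany("INSERT INTO webcal_entry_log VALUES (?, ?)", ROWS)
    return db


def magic_quotes(value):
    """Stand-in for magic_quotes_gpc applied to a request value.

    PHP+MySQL would emit \\' ; SQLite's literal syntax doubles the quote
    instead.  Either way the quote can no longer terminate the literal.
    """
    return value.replace("'", "''")


def quoted_lookup(db, user_id):
    """Pattern 1 from the thread: value inside quotes.  Escaping is enough
    here; a payload like 1' OR '1'='1 becomes one harmless text value."""
    sql = ("SELECT cal_log_id FROM webcal_entry_log WHERE cal_log_id = '%s'"
           % magic_quotes(user_id))
    return [r[0] for r in db.execute(sql)]


def unquoted_lookup(db, start_id):
    """Pattern 2 / the activity_log line: value is bare.  magic_quotes is
    applied and still changes nothing, because the payload has no quote."""
    sql = ("SELECT cal_log_id FROM webcal_entry_log WHERE cal_log_id <= %s"
           % magic_quotes(start_id))
    return [r[0] for r in db.execute(sql)]


def php_intval(value):
    """Approximation of PHP intval() on a string: leading integer, else 0."""
    m = re.match(r"\s*([+-]?\d+)", value)
    return int(m.group(1)) if m else 0


def typed_lookup(db, start_id):
    """ascii's fix: cast to int and clamp to >= 0 before interpolating, so
    only a bare non-negative integer can ever reach the query text."""
    n = max(0, php_intval(start_id))
    sql = "SELECT cal_log_id FROM webcal_entry_log WHERE cal_log_id <= %d" % n
    return [r[0] for r in db.execute(sql)]


def bound_lookup(db, start_id):
    """Parameter binding (not discussed in the thread): the value travels
    out of band and is never parsed as SQL.  Non-numeric input is rejected
    with ValueError instead of being silently truncated like intval()."""
    n = int(start_id)
    return [r[0] for r in db.execute(
        "SELECT cal_log_id FROM webcal_entry_log WHERE cal_log_id <= ?", (n,))]


if __name__ == "__main__":
    db = make_db()
    print(quoted_lookup(db, "1"))                 # [1]
    print(quoted_lookup(db, "1' OR '1'='1"))      # []  quote neutralised
    print(unquoted_lookup(db, "1"))               # [1]
    print(unquoted_lookup(db, "1 OR 1=1"))        # [1, 2, 3, 4]  no quote needed
    print(unquoted_lookup(db, "1/**/OR/**/1=1"))  # [1, 2, 3, 4]  no space either
    print(typed_lookup(db, "1 OR 1=1"))           # [1]
    print(bound_lookup(db, "2"))                  # [1, 2]
```

The /**/ payload is worth noting for anyone tempted to "validate" by rejecting spaces or quote characters: SQL comments double as whitespace, so a deny-list of characters is not a type check. The example does not cover the multibyte charset problem ascii raises as the reason mysql_real_escape_string() exists; that failure mode lives in the escaping step itself and is one more reason to prefer typed values or bound parameters over escaping.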