Hi Steffen,
* Steffen Joeris <[EMAIL PROTECTED]> [2008-08-09 11:21]:
> On Sat, 9 Aug 2008 01:09:49 pm Steffen Joeris wrote:
> > > > But if the maintainer fixes the #493372 they will also fix this bug
> > > > within the upstream patch, I think, and so it's not very important to
> > > > discuss it anymore, because it's just an XSS issue which isn't a very
> > > > hard bug :)
> > >
> > > I don't think this is the case. The patch in 493372 does
> > > only escape single quote ('), double quote ("), backslash (\)
> > > and NUL on registration, the XSS should be still possible.
> >
> > Now he added a check for an empty line as well. Updated patch is attached.
> > I am not sure what you can all insert in a query, can you think of
> > scenarios? For the XSS in this bug, he checks for JavaScript as described
> > here http://www.datensalat.eu/~fabian/cve/CVE-2008-3100-Owl.html
> For the XSS, upstream's patch didn't check for other tags, like html for
> example.
> After a short discussion, he changed it to use strip_tags(). I've tested it
> with html, php, script, and it seems to strip them away. Not sure if it
> detects all though :/, but it is certainly better than just checking for
> script :)
[...]
> --- old/owl-dms-0.95/lib/owl.lib.php 2007-10-07 13:42:37.000000000 +0000
> +++ owl-dms-0.95/lib/owl.lib.php 2008-08-09 06:04:47.000000000 +0000
> @@ -70,6 +70,8 @@
> }
> }
>
> +$username = strip_tags($username);
> +
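Review bot: the added `$username = strip_tags($username);` line only removes whatever parses as a tag; it leaves quotes and ampersands in place, so every site that later echoes $username into HTML or into a JavaScript string still needs htmlspecialchars($username, ENT_QUOTES) at that output point, and the input-side call should not be relied on as the XSS fix. It also silently alters the registered name instead of rejecting it (a user registering as `a<b` ends up stored as `ab`); consider rejecting names that contain characters outside an agreed set, or at least logging the alteration, so the value stored matches what the user typed.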
Why not just do it the standard way using htmlspecialchars(), that's what it's for. Or even use a sane solution and only allow usernames from a certain charset.
I am not sure because I am not a web security expert, but the above way for example could have a problem with <SCR\0IPT> or multiline injected JavaScript with ASCII carriage return because php could possibly not detect this as a tag?!
I am not sure about this but I think restricting the usernames to a charset and using htmlspecialchars() should be the best solution.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
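The approach Nico suggests above, a charset whitelist for usernames at registration plus htmlspecialchars() at every output site, written out as an added example; this is not code from Owl or from anyone in the thread. The allowed character set, the 32-byte length limit and the owl_username_is_valid()/owl_html() names are assumptions chosen for the illustration.

```php
<?php
// Added example, not Owl's own code: whitelist the username at
// registration and escape on output, instead of relying on strip_tags().

// Hypothetical policy: ASCII letters, digits, dot, underscore and hyphen,
// 1 to 32 bytes. Adjust to the site's real naming rules.
function owl_username_is_valid(string $username): bool {
    // \A and \z anchor to the absolute start and end of the subject.
    // With ^...$ a value such as "bob\n" would still match, because $
    // also matches before a trailing newline; the multi-line case from
    // the thread would then slip through the check.
    return preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $username) === 1;
}

// Output-side escaping, the htmlspecialchars() call Nico refers to.
// ENT_QUOTES also escapes single quotes, which matters when the name is
// echoed inside a single-quoted HTML attribute or JavaScript string.
function owl_html(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs covering the cases discussed in the thread.
$cases = [
    "alice",
    "<script>alert(1)</script>",
    "<SCR\0IPT>alert(1)</SCR\0IPT>",
    "bob\r\n<script>alert(1)</script>",
    "o'reilly",
];

foreach ($cases as $c) {
    $verdict = owl_username_is_valid($c) ? 'accept' : 'reject';
    // Even a rejected value is escaped before being shown in an error page.
    printf("%-7s %s\n", $verdict, owl_html($c));
}
```

Only "alice" passes the whitelist; the NUL-split tag, the carriage-return variant and the name with a quote are all rejected before anything is stored, so the question of whether strip_tags() recognises them as tags never arises. The escaping function is still applied at output because the whitelist protects only values that went through this registration path, not names that were stored before the fix.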