Asked by rvcw at 2024-11-02 20:14:08
Points: 500  Replies: 9
Topic: PHP Scripting Language
Hi,
There is an application I use, and an exploit for it was announced recently. They say they can:
The vulnerable code is located in /includes/classes/class.admin.php
The function sortableTableInit() passes $_COOKIE data to the unserialize function without sanitizing it.
Code on Line 711
$sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
$sortdata = unserialize( base64_decode( $sortdata ) );
User input passed through the Cookies is not properly sanitized before being used in an unserialize() call at line 711. This can be exploited to inject arbitrary PHP objects into the application scope.
I'm working on a web application myself and security is something I'm very concerned and careful about.
Can anyone enlighten me and tell me how exactly that exploit works and what can be implemented into that code that will prevent the mentioned exploit.
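An added example, not code from the original post or from WHMCS, showing why the pattern quoted above is exploitable and two ways to close it. The LogWriter class, the cookie value, the temp-file path and the three sortableTableInit* function names are constructed for the demonstration; only the unserialize(base64_decode(...)) shape comes from the advisory. Needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Constructed gadget, not WHMCS code: any class the application has loaded
// whose magic method (__destruct, __wakeup, __toString, ...) does something
// with attacker-controlled properties. The attacker never instantiates it;
// unserialize() does that for them.
class LogWriter
{
    public string $path = '';
    public string $line = '';

    public function __destruct()
    {
        // Runs when the last reference to the object disappears, including
        // for objects that unserialize() created out of the cookie bytes.
        if ($this->path !== '') {
            file_put_contents($this->path, $this->line, FILE_APPEND);
        }
    }
}

// The shape quoted in the advisory: decode the cookie, then unserialize it.
function sortableTableInitVulnerable(array $cookies)
{
    $sortdata = isset($cookies['sortdata']) ? $cookies['sortdata'] : '';
    return unserialize(base64_decode($sortdata));
}

// What the attacker puts in the cookie. Hand-built from the class and
// property names; it is well-formed data, so no character filtering or
// escaping would reject it. "LogWriter" is 9 bytes, "path" and "line" 4.
function craftPayload(string $path, string $line): string
{
    $serialized = sprintf(
        'O:9:"LogWriter":2:{s:4:"path";s:%d:"%s";s:4:"line";s:%d:"%s";}',
        strlen($path), $path, strlen($line), $line
    );
    return base64_encode($serialized);
}

// Fix 1: sort state is two scalars, so carry it as JSON. json_decode() can
// only produce arrays and scalars, never objects of application classes.
// Allow-list the decoded values before they reach a query or template.
function sortableTableInitJson(array $cookies): array
{
    $defaults = ['column' => 'id', 'dir' => 'asc'];
    $raw  = isset($cookies['sortdata']) ? base64_decode($cookies['sortdata'], true) : false;
    $data = $raw === false ? null : json_decode($raw, true);
    if (!is_array($data)) {
        return $defaults;
    }
    $column = $data['column'] ?? '';
    $dir    = $data['dir'] ?? '';
    return [
        'column' => in_array($column, ['id', 'name', 'date'], true) ? $column : 'id',
        'dir'    => $dir === 'desc' ? 'desc' : 'asc',
    ];
}

// Fix 2: if the serialized format has to stay, forbid class instantiation.
// Objects in the payload come back as __PHP_Incomplete_Class, whose methods
// are never bound, so no destructor or wakeup hook can run. (PHP >= 7.0)
function sortableTableInitNoClasses(array $cookies)
{
    $sortdata = isset($cookies['sortdata']) ? $cookies['sortdata'] : '';
    return unserialize(base64_decode($sortdata), ['allowed_classes' => false]);
}

// Demonstration with a file in the temp directory standing in for whatever
// the real gadget would touch.
$target = sys_get_temp_dir() . '/object-injection-demo.txt';
@unlink($target);
$cookie = ['sortdata' => craftPayload($target, "written by a cookie\n")];

$obj = sortableTableInitVulnerable($cookie);
printf("vulnerable: got %s\n", get_class($obj));
unset($obj);                                   // __destruct() fires here
printf("vulnerable: target file %s\n", file_exists($target) ? 'written' : 'absent');

$sort = sortableTableInitJson($cookie);
printf("json: column=%s dir=%s\n", $sort['column'], $sort['dir']);

$safe = sortableTableInitNoClasses($cookie);
printf("allowed_classes=false: got %s\n", get_class($safe));
```

Run it from the command line. The vulnerable path instantiates LogWriter and the destructor writes the temp file; the JSON path falls back to defaults because the bytes are not JSON; the allowed_classes path yields an __PHP_Incomplete_Class whose destructor never exists. The cookie content itself is a valid serialized string, which is why there is nothing to strip or escape: the fix is to stop letting untrusted bytes decide which classes get instantiated.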
Author: rvcw replied at 2024-11-03 09:47:22
Thanks guys, that's the info I was looking for. Much appreciated.
Accepted Solution
Expert: Ray Paseur replied at 2024-11-03 09:09:35
400 points EXCELLENT
HTTP Cookies are like any other external data. By definition, external data is tainted and should be considered an attack vector.
PHP has filtering functions. This might be useful.
http://php.net/manual/en/book.filter.php
Personally, I use a technique like this and discard the cookie if it does not decode correctly.
<?php // RAY_cookie_safety.php
error_reporting(E_ALL);

// DEMONSTRATE HOW TO ENCODE INFORMATION IN A COOKIE
// TO REDUCE THE RISK OF COOKIE TAMPERING

// A DATA DELIMITER
$dlm = '|';

// YOUR OWN SECRET CODE
$secret_code = 'MY SECRET';

// A DATA STRING THAT WE WANT TO STORE (MIGHT BE A DB KEY)
$cookie_value = 'MARY HAD A LITTLE LAMB';

// ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
$cookie_code = md5($cookie_value . $secret_code);

// CONSTRUCT THE COOKIE STRING WITH THE CLEAR TEXT AND THE CODED STRING
$safe_cookie_value = $cookie_value . $dlm . $cookie_code;

// SET THE COOKIE LIKE "MARY HAD A LITTLE LAMB|cf783c37f18d007d23483b11759ec181"
setcookie('safe_cookie', $safe_cookie_value);

// WHEN STORED, THE COOKIE WILL BE URL-ENCODED SO IT WILL LOOK SOMETHING LIKE THIS ON THE BROWSER
// MARY+HAD+A+LITTLE+LAMB%7Ccf783c37f18d007d23483b11759ec181
// IT WILL BE URL-DECODED BEFORE IT IS PRESENTED TO PHP

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH YOUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    // (STRICT COMPARISON: A LOOSE == WOULD TREAT TWO "0e..." DIGIT-ONLY HASHES AS EQUAL NUMBERS)
    if ($cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}
else
{
    die('COOKIE IS SET - REFRESH THE BROWSER WINDOW NOW');
}

// MUNG THE COOKIE TO DEMONSTRATE WHAT HAPPENS WITH A CORRUPT COOKIE
$_COOKIE["safe_cookie"] = str_replace('MARY', 'FRED', $_COOKIE["safe_cookie"]);

// HOW TO TEST THE COOKIE
if (isset($_COOKIE["safe_cookie"]))
{
    // BREAK THE COOKIE VALUE APART AT THE DELIMITER
    $array = explode($dlm, $_COOKIE["safe_cookie"]);

    // ENCODE THE DATA STRING TOGETHER WITH OUR SECRET
    $cookie_test = md5($array[0] . $secret_code);

    // IF THE MD5 CODES DO NOT MATCH, THE COOKIE IS NO LONGER INTACT
    if ($cookie_test === $array[1])
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS INTACT";
    }
    else
    {
        echo "<br/>THE COOKIE {$_COOKIE["safe_cookie"]} IS CORRUPT";
    }
}
Best regards, ~Ray
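An added example, not Ray's code: the same "clear text | code" cookie layout he describes, built with the primitives current PHP ships for exactly this purpose, hash_hmac() for the tag and hash_equals() for the comparison, with the body carried as JSON so nothing is ever passed to unserialize(). The secret, cookie name, payload and function names are constructed for the demo. Needs PHP 7.3 or later.

```php
<?php
declare(strict_types=1);

// Demo secret. In production: 32+ bytes from random_bytes(), loaded from
// configuration, never committed to source.
const COOKIE_SECRET = 'demo-secret-replace-with-random_bytes(32)';
const COOKIE_DLM    = '|';

// Returns "base64(json)|hex(hmac-sha256)". Neither half can contain '|'.
function signCookie(array $values, string $secret): string
{
    $body = base64_encode(json_encode($values, JSON_THROW_ON_ERROR));
    $tag  = hash_hmac('sha256', $body, $secret);
    return $body . COOKIE_DLM . $tag;
}

// Verifies and decodes. Anything that is not exactly what we issued yields
// null, so the caller falls back to defaults and ignores the cookie.
function readSignedCookie(?string $raw, string $secret): ?array
{
    if ($raw === null) {
        return null;
    }
    $parts = explode(COOKIE_DLM, $raw, 2);
    if (count($parts) !== 2) {
        return null;                              // no tag present
    }
    [$body, $tag] = $parts;
    // hash_equals() compares in constant time and avoids the loose ==,
    // which would treat two "0e..." digit-only strings as equal numbers.
    if (!hash_equals(hash_hmac('sha256', $body, $secret), $tag)) {
        return null;                              // modified or forged
    }
    $json = base64_decode($body, true);
    if ($json === false) {
        return null;
    }
    $values = json_decode($json, true);          // JSON, never unserialize()
    return is_array($values) ? $values : null;
}

// Issue the cookie. HttpOnly keeps it from page scripts and Secure from
// plain HTTP; neither replaces the tag, which is what detects tampering.
$issued = signCookie(['column' => 'name', 'dir' => 'desc'], COOKIE_SECRET);
setcookie('sortdata', $issued, ['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Read back what the browser would return unchanged.
var_dump(readSignedCookie($issued, COOKIE_SECRET));

// Change one byte of the body: the tag no longer verifies.
$tampered = $issued;
$tampered[0] = $tampered[0] === 'A' ? 'B' : 'A';
var_dump(readSignedCookie($tampered, COOKIE_SECRET));

// Attacker supplies their own body with a made-up tag: rejected as well.
$forged = base64_encode('{"column":"password","dir":"asc"}') . COOKIE_DLM . str_repeat('0', 64);
var_dump(readSignedCookie($forged, COOKIE_SECRET));

// Cookie with no delimiter at all: rejected.
var_dump(readSignedCookie('garbage', COOKIE_SECRET));
```

Only the first var_dump prints an array; the tampered, forged and malformed cookies all come back as NULL and the application proceeds with its defaults. The body stays readable to the user, which is fine for sort state; it is the tag, not secrecy, that the integrity check relies on.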
Assisted Solution
Expert: bportlock replied at 2024-11-03 08:47:45
100 points EXCELLENT
The same sanitisation rules apply to cookies as to any other form of data from an external source. Partly it depends what you want to do with the data.
For instance, if the data should contain no HTML then running it through strip_tags is a good idea. If HTML is allowed, but only a subset of it, then strip_tags with the allowable_tags parameter could be used.
If full HTML is allowed then using mysql_real_escape_string or htmlentities could be used to clean the data to stop quote injection affecting the database. As you can see the problem here is that the use of the data can affect the sanitisation method.
Personally, I would encrypt the cookie data using blowfish via the PHP mcrypt algorithm and store the encrypted data in the cookie. That would prevent tampering with the data and allow it to be trusted.
http://www.php.net/strip_tags
http://www.php.net/mysql_real_escape_string
http://www.php.net/htmlentities
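An added example, not bportlock's code. mcrypt was deprecated in PHP 7.1 and removed from core in 7.2; the sodium extension bundled since 7.2 is the current built-in option, and its secretbox construction is authenticated encryption (XSalsa20-Poly1305), which is what makes an encrypted cookie tamper-evident: a cipher without an authentication tag hides the data but does not detect modification, whereas here a modified cookie simply fails to open. The key, payload and function names are constructed for the demo.

```php
<?php
declare(strict_types=1);

// Seal an array into a cookie value: base64( nonce || ciphertext+tag ).
// A fresh random nonce per cookie is what makes reuse of one key safe.
function sealCookie(array $values, string $key): string
{
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // 24 bytes
    $plain = json_encode($values, JSON_THROW_ON_ERROR);
    $box   = sodium_crypto_secretbox($plain, $nonce, $key);      // tag included
    return base64_encode($nonce . $box);
}

// Open and decode. Returns null for anything that was not produced with this
// key and left unmodified, so the caller discards the cookie.
function openCookie(?string $raw, string $key): ?array
{
    if ($raw === null) {
        return null;
    }
    $bin = base64_decode($raw, true);
    $min = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if ($bin === false || strlen($bin) < $min) {
        return null;                                  // not even long enough
    }
    $nonce = substr($bin, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($bin, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null;                                  // wrong key or modified
    }
    $values = json_decode($plain, true);              // JSON, never unserialize()
    return is_array($values) ? $values : null;
}

// Demo key, generated per run. In production it is 32 bytes loaded from
// configuration and rotated like any other secret.
$key = sodium_crypto_secretbox_keygen();

$cookie = sealCookie(['uid' => 42, 'role' => 'user'], $key);
var_dump(openCookie($cookie, $key));                 // the original array

// Flip one bit of the ciphertext: authentication fails, nothing is decoded.
$bin = base64_decode($cookie);
$last = strlen($bin) - 1;
$bin[$last] = chr(ord($bin[$last]) ^ 0x01);
var_dump(openCookie(base64_encode($bin), $key));

// Different key: same rejection, rather than garbage that parses as data.
var_dump(openCookie($cookie, sodium_crypto_secretbox_keygen()));

// Short or non-base64 junk is rejected before any crypto runs.
var_dump(openCookie('not-a-cookie', $key));
```

The first var_dump yields the array that was sealed; the other three yield NULL. Because the contents are hidden as well as authenticated, this is the shape to use when the cookie carries something the user should not be able to read, such as an internal record id; for values the user may see, the HMAC-only layout is simpler.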
Author: rvcw replied at 2024-11-03 08:30:32
Hi Ray,
I personally do not use the software. I just wanted to know how the exploit is working (which I think above you described).
And also, what can be done to protect against it.
For example, the person that posted the exploit said it wasn't sanitised. I want to know what sanitisation can be done. Not necessarily a cookie resistant to tampering, but as it stands what can be done to sanitise the cookie data.
For example, with MySQL, you would use prepared statements as a way of sanitising user input for mysql queries to prevent sql injection.
For XSS, you would strip out certain html entities etc.
For this, what would you need to do to sanitise the cookie data to prevent the "php code injection".
Expert: Ray Paseur replied at 2024-11-03 08:19:09
Are you using WHMCS or not? Are you looking for a technique that will give you a cookie that is resistant to tampering? Please clarify, thanks. ~Ray
Author: rvcw replied at 2024-11-03 08:16:31
I don't think I was very clear, allow me to clarify on what my question is.
@bportlock - my concern is not a patch for the application. I'm already well aware of its developments. I am not looking for a patch, I'm not looking for news regarding the exploit - I'm not concerned about the exploit whatsoever. I'm afraid your answer is irrelevant to my question.
@ray & duncan, many thanks for your helpful comments.
My question is what can be done to sanitise the cookie data.
To reiterate, because I'm developing my own web application, I want to be aware of any security implications. With this exploit, I don't understand what can be done to sanitise the input to prevent PHP code injection as per the exploit announcement.
Expert: bportlock replied at 2024-11-03 06:57:29
There is a patch on the way so maybe your best policy is to chase them up and find out when the patch will be released.
http://security-geeks.blogspot.co.uk/2013/11/whmcs-5112-php-object-injectoin.html
http://blog.whmcs.com/?t=80206
Security Status Update
As you may be aware, a security issue has been published which affects all known versions of WHMCS.
We are currently aware of the issue and are working on a software update to prevent this attack vector from being successful.
We will be publishing software updates for the versions in Active Development and LTS per our Long Term Support Policy:
http://docs.whmcs.com/Long_Term_Support
Please keep watch on our blog, facebook and twitter to receive the latest updates.
Posted by Matt on Friday, October 18th, 2013
Expert: Ray Paseur replied at 2024-11-03 06:06:33
What application are you talking about? There is nothing inherently wrong in the code posted here; the only issue would be the use of the $sortdata variable after this process.
See the explanations here:
http://php.net/manual/en/function.base64-decode.php
http://php.net/manual/en/function.unserialize.php
Expert: duncanb7 replied at 2024-11-03 01:18:29
$sortdata = (isset( $_COOKIE["sortdata"] ) ? $_COOKIE["sortdata"] : "");
$sortdata = unserialize( base64_decode( $sortdata ) );
Probably $_COOKIE["sortdata"] is not set yet, and $sortdata = "", so that you got the message.
Could you check or echo it before executing unserialize?