Bitweaver Multiple SQL Injection and Cross Site Scripting...
Filipino Filipiciu
Joined: 12 Oct 2005
Bitweaver Multiple SQL Injection and Cross Site Scripting...
Posted:20 Dec 2005 (09:58 UTC)
spiderr
Joined: 08 Feb 2004
Security Fix, new release coming....
Posted:20 Dec 2005 (20:38 UTC)
{quote format_guid="bbcode" comment_id="8154" user="spider"}Thanks so much for the update filipok. We have fixed this in CVS, and a new release should occur in the next 24-48 hours. This is due to the legacy convert_sortmode function we never updated to make SQL safe. The quick fix is to add:

$pSortMode = preg_replace('/[^.A-Za-z_,]/', '', $pSortMode);

as the first line of the BitDb::convert_sortmode function in kernel/BitDb.php.

As a more general precaution, a new coding standard will be enforced to get tighter validation of Id checking. This will be the use of the existing BitBase::verifyId function to validate anything that is supposed to be a numeric id. For example:

[code:1:2d05de44fc]
function loadTopic($iParamHash = NULL) {
    $whereSQL = ' WHERE at.';
    $ret = NULL;
    if (!empty($iParamHash['topic_id']) || !empty($iParamHash['topic_name'])) {
[/code:1:2d05de44fc]

should change to:

[code:1:2d05de44fc]
    if ( @$this->verifyId($iParamHash['topic_id']) || !empty($iParamHash['topic_name'])) {
[/code:1:2d05de44fc]

verifyId is a method in BitBase that should be accessible to all classes, and can even be called statically in the logic pages like:

[code:1:2d05de44fc]
if( @BitBase::verifyId( $_REQUEST['foo_id'] ) ) {
    blah...
}
[/code:1:2d05de44fc]

If anyone has any more thoughts, or updates, please post.{/quote}
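As an added illustration of the two fixes spiderr describes above (example code, not bitweaver's own): the quick preg_replace sanitisation of the sort mode, a stricter allow-list variant of it, and a verifyId-style numeric id check. The function names, the ALLOWED_SORT list and the "column_asc"/"column_desc" token format are assumptions made for this example.

```php
<?php
// Added illustration, not bitweaver's own code: the sort-mode sanitisation
// and verifyId-style id check described in the post above. The function
// names, ALLOWED_SORT and the "column_asc"/"column_desc" token format are
// assumptions made for this example.

// 1. The quick fix from the post: drop every character that is not a letter,
//    dot, underscore or comma, so quotes, spaces, semicolons and comment
//    markers can no longer reach the ORDER BY clause.
function convert_sortmode_safe(string $pSortMode): string {
    return preg_replace('/[^.A-Za-z_,]/', '', $pSortMode);
}

// 2. Stricter variant: accept only "<column>_<asc|desc>" tokens whose column
//    is on an explicit allow-list, so unknown column names are rejected
//    rather than passed through to the database.
const ALLOWED_SORT = ['topic_id', 'topic_name', 'created'];

function sortmode_to_order_by(string $pSortMode): string {
    $parts = [];
    foreach (explode(',', $pSortMode) as $token) {
        if (preg_match('/^([A-Za-z_]+)_(asc|desc)$/', $token, $m)
            && in_array($m[1], ALLOWED_SORT, true)) {
            $parts[] = $m[1] . ' ' . strtoupper($m[2]);
        }
    }
    return $parts ? ' ORDER BY ' . implode(', ', $parts) : '';
}

// 3. verifyId-style check: a value is a usable id only if it is a positive
//    integer or a string consisting solely of digits. Missing keys (null),
//    empty strings and anything carrying extra characters are rejected.
function verify_id($id): bool {
    if (is_int($id)) {
        return $id > 0;
    }
    return is_string($id) && $id !== '' && ctype_digit($id) && (int)$id > 0;
}

// Constructed sample inputs.
$tainted = "topic_id_asc'; --";
echo convert_sortmode_safe($tainted), "\n";      // quote, ';', space and '-' are stripped
echo sortmode_to_order_by($tainted), "\n";       // empty: no valid allow-listed token
echo sortmode_to_order_by('topic_name_desc,created_asc'), "\n"; // two allow-listed columns
var_dump(verify_id('42'));                       // digits only: accepted
var_dump(verify_id('42 OR 1=1'));                // extra characters: rejected
var_dump(verify_id(null));                       // missing key: rejected
```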