Date: Wed, 22 Sep 2010 11:40:32 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: Tyler Borland <tborland1@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Freepbx

On 09/22/2010 11:17 AM, Tyler Borland wrote:
> Hello Marsh,
>
> I had found one of the previous holes.
> http://seclists.org/fulldisclosure/2010/Jul/180

Yep. After having seen that, I figured that people actually would be interested in bugs in this codebase. So I posted here.

> Don't forget to check out the includes for that file.
> http://www.freepbx.org/trac/browser/freepbx/trunk/amp_conf/htdocs/admin/cdr/lib/defines.php?rev=10274

That 'getpost_ifset' is pure magic, isn't it? :-)

Between that, the 'posted=1' hidden input, and the near absence of SQL escaping, I wonder if this code was really made with any security at all in mind.

That's not necessarily wrong, I believe there's a time and a place for test code and code that assumes it's running only on a trusted LAN (though the query string handling in this case would mean that no admin on the LAN could safely browse the web either). The vulnerability arises when that code makes it onto production systems.

Unlike a lot of the deeper and more interesting classes of bugs, this is one of those things where just a little bit of a formal development process can go a long way towards prevention.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
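The pattern Marsh is describing, a helper that copies whatever arrives in GET or POST straight into variables that are then interpolated into SQL, alongside the hardened form a reviewer would ask for, as an added illustration that is not FreePBX's code and not part of the thread. The function names (`getpost_ifset_unsafe`, `get_param_validated`, `fetch_cdr_rows`), the `cdr` table columns, the `src` parameter and the CSRF token name are assumptions made for this example; the real helper is at the trac link Tyler quotes.

```php
<?php
// Added example, not FreePBX code. Names, columns and parameters are assumptions
// chosen to illustrate the request-to-SQL pattern discussed in the thread.

// --- Vulnerable pattern --------------------------------------------------
// A helper that silently accepts any parameter from POST or GET. Because GET
// is accepted too, a plain link is enough to make an admin's browser send the
// request (the "no admin on the LAN could safely browse the web" point).
function getpost_ifset_unsafe(string $name): ?string {
    if (isset($_POST[$name])) return $_POST[$name];
    if (isset($_GET[$name]))  return $_GET[$name];
    return null;
}

// The value lands in the query by string interpolation, so quote characters in
// it change the meaning of the statement. A hidden input such as posted=1 is
// attacker-controlled as well and proves nothing about who sent the form.
function build_cdr_query_unsafe(): string {
    $src = getpost_ifset_unsafe('src');
    return "SELECT calldate, src, dst FROM cdr WHERE src = '$src'";
}

// --- Hardened pattern ----------------------------------------------------
// 1. Only accept state-changing or sensitive lookups via POST, and tie the
//    form to the session with a token the page itself issued (assumed name
//    'csrf_token'), rather than trusting a hidden posted=1 field.
function request_is_authentic(): bool {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $_POST['csrf_token'] ?? '';
    // hash_equals() avoids a timing side channel on the comparison.
    return $expected !== '' && hash_equals($expected, $given);
}

// 2. Validate each parameter against an explicit rule before using it.
function get_param_validated(string $name, string $pattern): ?string {
    $value = $_POST[$name] ?? null;
    if (!is_string($value) || !preg_match($pattern, $value)) {
        return null; // reject anything that does not look like a caller ID
    }
    return $value;
}

// 3. Pass the value to a prepared statement; the database receives it as a
//    parameter and never parses it as SQL, so escaping is no longer a concern.
function fetch_cdr_rows(PDO $db): array {
    if (!request_is_authentic()) {
        http_response_code(403);
        return [];
    }
    $src = get_param_validated('src', '/^\+?[0-9*#]{1,32}$/');
    if ($src === null) {
        http_response_code(400);
        return [];
    }
    $stmt = $db->prepare('SELECT calldate, src, dst FROM cdr WHERE src = :src');
    $stmt->execute([':src' => $src]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage sketch (connection details are placeholders):
// session_start();
// $db = new PDO('mysql:host=localhost;dbname=asteriskcdrdb', 'user', 'pass');
// $rows = fetch_cdr_rows($db);
```

The two halves differ in three places a code review would check for: the request method and a session-bound token replace the hidden `posted=1` field as evidence that the form was submitted deliberately, the parameter is validated against a whitelist pattern instead of being trusted, and the query is bound with PDO parameters rather than built by interpolation. Each of those is a mechanical check that the "little bit of a formal development process" Marsh mentions would catch before the code reached a production system.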