Open Source and information security mailing list archives
Message-ID: <4C9A3180.2090909@extendedsubset.com>
Date: Wed, 22 Sep 2010 11:40:32 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: Tyler Borland <tborland1@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Freepbx

On 09/22/2010 11:17 AM, Tyler Borland wrote:
> Hello Marsh,
>
> I had found one of the previous holes.
> http://seclists.org/fulldisclosure/2010/Jul/180

Yep. After having seen that, I figured that people actually would be 
interested in bugs in this codebase. So I posted here.

> Don't forget to check out the includes for that file.
> http://www.freepbx.org/trac/browser/freepbx/trunk/amp_conf/htdocs/admin/cdr/lib/defines.php?rev=10274

That 'getpost_ifset' is pure magic, isn't it? :-)

Between that, the 'posted=1' hidden input, and the near absence of SQL 
escaping, I wonder if this code was really made with any security at all 
in mind. That's not necessarily wrong; I believe there's a time and a 
place for test code and code that assumes it's running only on a trusted 
LAN (though the query string handling in this case would mean that no 
admin on the LAN could safely browse the web either).

The vulnerability arises when that code makes it onto production 
systems. Unlike a lot of the deeper and more interesting classes of 
bugs, this is one of those things where just a little bit of a formal 
development process can go a long way towards prevention.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
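The pattern the message describes (a helper that reads a request parameter from whichever of GET or POST carries it, a 'posted=1' hidden field as the only "was the form submitted" check, and the value dropped straight into SQL) as an added, runnable illustration. This is not FreePBX's code and not the code from the linked defines.php: the getpost_ifset() stand-in, the cdr table, its columns and the rows are all constructed for the demonstration, and SQLite stands in for whatever database the real report code used.

```python
import sqlite3

# Constructed sample data for the demonstration. The table and column names
# are assumptions chosen to look like a call-detail-record table; they are not
# FreePBX's real CDR schema.
ROWS = [
    ("1001", "2010-09-22 10:00:00", "2025551234"),
    ("1002", "2010-09-22 10:05:00", "2025555678"),
    ("1003", "2010-09-22 10:07:00", "2025559999"),
]


def make_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cdr (src TEXT, calldate TEXT, dst TEXT)")
    conn.executemany("INSERT INTO cdr VALUES (?, ?, ?)", ROWS)
    return conn


def getpost_ifset(name, get, post):
    """Hypothetical stand-in for a 'read the parameter from POST, else from
    GET' helper (an assumption about the helper named in the thread). The
    caller cannot tell which channel supplied the value, so a GET link works
    exactly like a submitted form."""
    if name in post:
        return post[name]
    if name in get:
        return get[name]
    return None


def search_vulnerable(conn, src):
    """The WHERE clause is built by string interpolation with no escaping."""
    sql = "SELECT src, dst FROM cdr WHERE src = '%s' ORDER BY src" % src
    return conn.execute(sql).fetchall()


def search_safe(conn, src):
    """Same lookup, but the value is passed as a bound parameter, so the
    database never parses it as SQL."""
    sql = "SELECT src, dst FROM cdr WHERE src = ? ORDER BY src"
    return conn.execute(sql, (src,)).fetchall()


def handle_request(conn, get, post, safe=False):
    """Report handler modelled on the pattern under discussion: a 'posted=1'
    hidden field gates the search, but because it is read through
    getpost_ifset() the gate is satisfied by a query string too.
    Returns None when the form was not 'submitted', else the result rows."""
    if getpost_ifset("posted", get, post) != "1":
        return None
    src = getpost_ifset("src", get, post)
    if src is None:
        return []
    return search_safe(conn, src) if safe else search_vulnerable(conn, src)


if __name__ == "__main__":
    db = make_db()
    # A plain link, no form submission at all, yet the search runs.
    print(handle_request(db, {"posted": "1", "src": "1001"}, {}))
    # Same link with a crafted value: every row comes back.
    payload = "1001' OR '1'='1"
    print(handle_request(db, {"posted": "1", "src": payload}, {}))
    # Parameterised version of the same request: nothing matches the literal.
    print(handle_request(db, {"posted": "1", "src": payload}, {}, safe=True))
```

The second call is the "admin on the LAN browsing the web" case: the crafted value sits entirely in a GET query string, so any page the admin visits can make the browser issue it with the admin's session, and the interpolated quote closes the string literal and tacks on `OR '1'='1'`. The safe variant changes only the transport of the value, which is the whole fix: the query text is fixed at write time and the parameter can only ever be data.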
