[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4C9A3180.2090909@extendedsubset.com>
Date: Wed, 22 Sep 2010 11:40:32 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: Tyler Borland <tborland1@...il.com>
Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: Freepbx
On 09/22/2010 11:17 AM, Tyler Borland wrote:
> Hello Marsh,
>
> I had found one of the previous holes.
> http://seclists.org/fulldisclosure/2010/Jul/180
Yep. After having seen that, I figured that people actually would be
interested in bugs in this codebase. So I posted here.
> Don't forget to check out the includes for that file.
> http://www.freepbx.org/trac/browser/freepbx/trunk/amp_conf/htdocs/admin/cdr/lib/defines.php?rev=10274
That 'getpost_ifset' is pure magic, isn't it? :-)
Between that, the 'posted=1' hidden input, and the near absence of SQL
escaping, I wonder if this code was really made with any security at all
in mind. That's not necessarily wrong, I believe there's a time and a
place for test code and code that assumes its running only on a trusted
LAN (though the query string handling in this case would mean that no
admin on the LAN could safely browse the web either).
The vulnerability arises when that code makes it onto production
systems. Unlike a lot of the deeper and more interesting classes of
bugs, this is one of those things where just a little bit of a formal
development process can go a long way towards prevention.
- Marsh
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists