Hi Steffen,
* Steffen Joeris <[EMAIL PROTECTED]> [2008-08-09 11:21]:
> On Sat, 9 Aug 2008 01:09:49 pm Steffen Joeris wrote:
> > > > But if the maintainer fixes #493372 they will also fix this bug
> > > > within the upstream patch, I think, and so it's not very important to
> > > > discuss it anymore, because it's just an XSS issue which isn't a very
> > > > hard bug :)
> > >
> > > I don't think this is the case. The patch in 493372 does
> > > only escape single quote ('), double quote ("), backslash (\)
> > > and NUL on registration, the XSS should be still possible.
> >
> > Now he added a check for an empty line as well. Updated patch is attached.
> > I am not sure what you can all insert in a query, can you think of
> > scenarios? For the XSS in this bug, he checks for JavaScript as described
> > here http://www.datensalat.eu/~fabian/cve/CVE-2008-3100-Owl.html
> For the XSS, upstream's patch didn't check for other tags, like html for
> example.
> After a short discussion, he changed it to use strip_tags(). I've tested it
> with html, php, script, and it seems to strip them away. Not sure, if it
> detects all though :/, but it is certainly better than just checking for
> script :)
[...]
> --- old/owl-dms-0.95/lib/owl.lib.php 2007-10-07 13:42:37.000000000 +0000
> +++ owl-dms-0.95/lib/owl.lib.php 2008-08-09 06:04:47.000000000 +0000
> @@ -70,6 +70,8 @@
> }
> }
>
> +$username = strip_tags($username);
> +
Why not just do it the standard way using htmlspecialchars(), that's what it's for. Or even use a sane solution and only allow usernames from a certain charset. I am not sure because I am not a websecurity expert, but the above way for example could have a problem with <SCR\0IPT> or multiline injected JavaScript with an ASCII carriage return because php could possibly not detect this as a tag?! I am not sure about this but I think restricting the usernames to a charset and using htmlspecialchars() should be the best solution.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
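Review bot: the added `$username = strip_tags($username);` line only removes `<...>` sequences; it leaves quote characters untouched, so a value such as `" onmouseover="alert(1)` passes through unchanged and, if the username is ever echoed inside an HTML attribute, still injects an event handler without using a single tag. It also rewrites the value itself instead of encoding at the point where it is rendered, which is where the XSS actually happens. Suggest encoding at output with `htmlspecialchars($username, ENT_QUOTES)` and, on input, rejecting anything outside an explicit character whitelist rather than trying to strip the bad parts out, as proposed in the reply below the hunk.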


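An added PHP example, not code from the Owl patch or from either poster, showing the practical difference between the three options raised in the thread: strip_tags() on the input (upstream's fix), htmlspecialchars() at output (Nico's first suggestion), and a charset whitelist on the username (his second). The rendering context assumed here (the username echoed inside an HTML attribute) and the whitelist pattern are assumptions, not anything from Owl.

```php
<?php
// Added example; not the Owl code or the patch under discussion.
// Assumption: the username is rendered inside an HTML attribute value.

// Constructed attack inputs.
$inputs = [
    '<script>alert(1)</script>',     // tag-based: strip_tags() handles this one
    '" onmouseover="alert(1)',       // attribute break-out: contains no '<' at all
    "<scr\0ipt>alert(1)</script>",   // NUL inside the tag name (the case Nico asks about)
];

// 1. Upstream's approach: strip tags from the input and keep the result.
function sanitize_strip(string $u): string {
    return strip_tags($u);
}

// 2. Encode at output, which is what htmlspecialchars() is for.
//    ENT_QUOTES is required so single quotes are encoded as well as double quotes.
function render_attr(string $u): string {
    return '<input name="user" value="' . htmlspecialchars($u, ENT_QUOTES, 'UTF-8') . '">';
}

// 3. Restrict usernames to a safe charset at registration and reject everything else.
//    The pattern is an assumption; a real deployment picks its own.
function username_allowed(string $u): bool {
    return preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $u) === 1;
}

foreach ($inputs as $u) {
    // addcslashes makes the NUL byte visible in the terminal output.
    echo "input:      " . addcslashes($u, "\0..\37") . "\n";
    $stripped = sanitize_strip($u);
    echo "strip_tags: " . addcslashes($stripped, "\0..\37") . "\n";
    // The stripped value echoed without encoding, as a strip_tags()-only fix would do:
    echo "  in attr (unencoded): <input name=\"user\" value=\"" . addcslashes($stripped, "\0..\37") . "\">\n";
    // The original value encoded at output:
    echo "  in attr (encoded):   " . addcslashes(render_attr($u), "\0..\37") . "\n";
    echo "  whitelist accepts:   " . (username_allowed($u) ? 'yes' : 'no') . "\n\n";
}
```

Run it with `php example.php`. The second input contains no `<`, so strip_tags() returns it unchanged and the unencoded attribute line becomes `<input name="user" value="" onmouseover="alert(1)">`, an injected event handler with no tag in sight; htmlspecialchars() with ENT_QUOTES turns the quotes into `&quot;` so the attribute cannot be closed, and the whitelist rejects all three inputs outright. Whatever strip_tags() does with the NUL-split tag name, the point stands: stripping guesses at what is dangerous, while encoding at output and whitelisting at input do not have to.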