On Tue, Jul 19, 2005 at 07:54:31AM +0200, Martin Schulze wrote:
> Ok, I'll wait.

so, a 6 hour plane flight later, i've learned 3 things:

1 - there are a number of other variables that also need to be included.
2 - there are a number of calls where variables are indirectly passed
    to mysql_foo functions via other functions (which causes a problem
    for the current sanity checking method)
3 - there is another, ridiculously obvious security vulnerability in
    the woody version.


1 is easy to fix, we can just add on the extra variables to the file.
of the 900 or so calls to mysql_foo functions, i had about 170 left
to look at when my battery crapped out.

2 is trickier.  we could either repeat the process i'm about finished
with wrt mysql_foo for all the functions that pass variables to
mysql_foo, or we could do the sanity checking in the function.  as
the former sounds ugly and even more time consuming i'm going to
side with the latter.

what i think i'm going to do is split sanitize.php into sanitize and
sanitize-functions.  sanitize will include_once sanitize-functions,
so then sanitize can be included multiple times (otherwise i believe
that php will bitch about functions being redefined), and i'll just
slip in a line in each mysql-calling function to include sanitize,
and add the variables in said functions to sanitize.php.

as for 3, well... there's a variable, which is stored in a cookie.
the cookie name is cactilogin, and the value is an integer.  want to
guess what it does?  a fix for this shouldn't be too hard, this kind
of info should be stored in the session and not in the cookie.

anyway, i'll have a fair amount of free time tomorrow, but will need
a little sleep first :)


        sean

-- 

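As an added illustration (not Cacti's code and not the patch Sean is writing), here is what the layout sketched in the mail looks like in PHP: typed sanitizer functions in what would be sanitize-functions.php, a variable/type table in what would be sanitize.php, a mysql-calling function that sanitizes at its own entry so indirect callers are covered, and the cookie-versus-session login check from point 3. Every function and variable name, the table and column names, and the sample input are assumptions made for this example; escape_for_sql() stands in for mysql_real_escape_string(), which needs a live connection and no longer exists in PHP 7+.

```php
<?php
// Added illustration, not Cacti's code and not Sean's patch.  All names,
// the table/column names and the sample input are assumptions for this
// example.  escape_for_sql() stands in for mysql_real_escape_string().

// ---- contents of sanitize-functions.php (pulled in with include_once,
//      so a second inclusion does not redefine the functions) ----------

function escape_for_sql(string $s): string {
    // The byte substitutions mysql_real_escape_string() performs.
    return strtr($s, [
        "\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0",  "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z",
    ]);
}

// Typed check: an 'int' variable must look like an integer, because
// escaping does nothing for a value spliced into a numeric context
// ("WHERE id = 42 OR 1=1" contains no quote to escape).
function sanitize_value(string $type, $value) {
    if (!is_scalar($value)) {
        throw new InvalidArgumentException("scalar expected");
    }
    switch ($type) {
        case 'int':
            if (!preg_match('/\A-?\d+\z/', (string) $value)) {
                throw new InvalidArgumentException("integer expected");
            }
            return (int) $value;
        case 'string':
            return escape_for_sql((string) $value);
        default:
            throw new LogicException("unknown type $type");
    }
}

// ---- contents of sanitize.php (plain include, runs every time) ------

// One line per variable that reaches a mysql_foo() call (point 1 of the
// mail: a newly found variable is one more entry here).  Assumed names.
$SANITIZE_VARS = [
    'local_graph_id' => 'int',
    'host_id'        => 'int',
    'filter'         => 'string',
];

function sanitize_request(array $spec, array $input): array {
    $clean = [];
    foreach ($spec as $name => $type) {
        if (array_key_exists($name, $input)) {
            $clean[$name] = sanitize_value($type, $input[$name]);
        }
    }
    return $clean;
}

// ---- point 2: a function that builds SQL from variables handed to it
//      indirectly.  Sanitizing at its own entry covers every caller. ---

function build_graph_query(array $request, array $spec): string {
    $v = sanitize_request($spec, $request);
    if (!isset($v['local_graph_id'])) {
        throw new InvalidArgumentException("local_graph_id missing");
    }
    $sql = "SELECT * FROM graphs WHERE id = " . $v['local_graph_id'];
    if (isset($v['filter'])) {
        $sql .= " AND title LIKE '%" . $v['filter'] . "%'";
    }
    return $sql;
}

// ---- point 3: who is logged in ----------------------------------------

// Vulnerable pattern: the client chooses its own user id.
function login_id_from_cookie(array $cookie): ?int {
    return isset($cookie['cactilogin']) ? (int) $cookie['cactilogin'] : null;
}

// Fix: the id is written server-side only after a credential check; the
// browser holds nothing but the opaque session id.
function login(array &$session, array $users, string $name, string $pass): bool {
    if (!isset($users[$name]) || !password_verify($pass, $users[$name]['hash'])) {
        return false;
    }
    $session['cactilogin'] = $users[$name]['id'];
    return true;
}

function login_id_from_session(array $session): ?int {
    return $session['cactilogin'] ?? null;
}

// Constructed input for a stand-alone run.
echo build_graph_query(['local_graph_id' => '42', 'filter' => "x' OR '1'='1"], $SANITIZE_VARS), "\n";
try {
    build_graph_query(['local_graph_id' => '42 OR 1=1'], $SANITIZE_VARS);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
$users   = ['admin' => ['id' => 1, 'hash' => password_hash('s3cret', PASSWORD_DEFAULT)]];
$session = [];
var_dump(login_id_from_cookie(['cactilogin' => '1']));   // attacker-chosen id is trusted
var_dump(login($session, $users, 'admin', 'wrong'), login_id_from_session($session));
var_dump(login($session, $users, 'admin', 's3cret'), login_id_from_session($session));
```

The type table is what catches the injection the escaping misses: the string case only neutralises quotes, so an integer variable that is merely escaped and then spliced into `WHERE id = ...` is still injectable, which is why each entry carries a type rather than every variable being escaped the same way. With prepared statements the string case disappears entirely, but the per-variable type check is still the right place to reject `42 OR 1=1` before it reaches the database.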