On 18/10/2013 17:02, Doursenaud, Raphaël wrote:
>
> 2013/10/17 Laurent Léonard <laur...@open-minds.org <mailto:laur...@open-minds.org>>
>
>> As specified at the end of the article you pointed, those vulnerabilities are
>> fixed in Dolibarr 3.4.1:
>
> It also says "However, their sanitization methods were not fixed, and
> no mention was made on a future patch. Other SQLi vectors are
> likely." in the introduction.
This is a wrong affirmation. There are two levels of sanitizing.

- The first one is when receiving parameters. For this one, it is correct that sanitizing is not complete. But we don't want this first level to be complete, and it is not possible (for example, if a user wants to submit an example of an SQL script into a comment or a mailing list, he should be able to). So it is true that this level of protection is not complete, but it is not the goal of this first level; protection is guaranteed by the second level, and the report lets one think we tried to make things secure with the first level. No, security is guaranteed by the second level and only the second level (because it is possible to do so completely only with the second level).

- The second level is when forging SQL requests, HTML output or command line strings. It is the level that makes things completely secure. For this case, there are functions that exist to make complete sanitizing:
  * for HTML output, the function is dol_escape_htmltag
  * for JavaScript output, the function is dol_escape_js
  * for SQL forging, the function is db->escape
  * for scripts, the function is escape_shell

Maybe at specific places of the code, calling those functions was forgotten, but saying the sanitizing functions are not fixed is wrong since these functions are not bugged (the report was just speaking about the first level).

There is no need to use parametrized queries. This will not change anything; we will still need to use the escape function according to the way data is used (HTML, JavaScript, SQL or command line string). So we must just be sure that we are using the sanitizing function when we should.

>
> We should think about converting the source code to use parametrized
> queries. Maybe in a 4.0 branch ?
> What's your opinion ?
> --
> *Raphaël Doursenaud*
> 05 35 53 97 13 - 06 68 48 20 10
> rdoursen...@gpcsolutions.fr <mailto:rdoursen...@gpcsolutions.fr>
>
> <http://gpcsolutions.fr>
> http://gpcsolutions.fr
> Technopole Hélioparc
> 2 avenue du Président Pierre Angot
> 64053 PAU CEDEX 9
> SARL GPC.solutions au capital de 7 500 EUR - R.C.S. PAU 528 995 921
> <https://www.google.com/a/partnersearch/#partner?partner_id=46687933_a0n60000000sqpWAAQ>
> <http://wiki.dolibarr.org/index.php/Dolibarr_suppliers_France#GPC.solutions>
>
>
> _______________________________________________
> Dolibarr-dev mailing list
> Dolibarr-dev@nongnu.org
> https://lists.nongnu.org/mailman/listinfo/dolibarr-dev

--
Eldy (Laurent Destailleur).
EMail: e...@destailleur.fr
Web: http://www.destailleur.fr

Dolibarr (Project leader): http://www.dolibarr.org
To make a donation for Dolibarr project via Paypal: cont...@destailleur.fr
AWStats (Author) : http://awstats.sourceforge.net
To make a donation for AWStats project via Paypal: cont...@destailleur.fr
AWBot (Author) : http://awbot.sourceforge.net
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
_______________________________________________
Dolibarr-dev mailing list
Dolibarr-dev@nongnu.org
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev
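The "two levels" Eldy describes, as an added illustration that is not Dolibarr's code and is not part of the thread: level one accepts the raw parameter unchanged, and level two escapes the same value differently depending on the sink it is written into. The function names `levelOneReceive`, `forHtml`, `forJs`, `forSql` and `forShell` are assumptions standing in for the roles of dol_escape_htmltag, dol_escape_js, db->escape and escape_shell; plain PHP functions and an in-memory SQLite PDO handle are used so the script runs offline.

```php
<?php
// Added example, not Dolibarr code. Demonstrates the two sanitizing levels
// from the mailing-list discussion. Function names here are assumptions
// standing in for the roles of Dolibarr's own helpers.
declare(strict_types=1);

/** Level 1: receive the parameter as-is (a user may legitimately post SQL or HTML). */
function levelOneReceive(array $request, string $key): string
{
    return isset($request[$key]) ? (string) $request[$key] : '';
}

/** Level 2, HTML sink: neutralise <, >, &, and both quote characters. */
function forHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Level 2, JavaScript string-literal sink: emit a complete JS literal with quotes. */
function forJs(string $value): string
{
    // The HEX flags encode < > & ' " so the literal cannot close an inline script block.
    $literal = json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $literal === false ? '""' : $literal;
}

/** Level 2, SQL sink: let the database driver quote the value (role of db->escape). */
function forSql(PDO $db, string $value): string
{
    return $db->quote($value);
}

/** Level 2, shell sink: wrap the value as exactly one argument. */
function forShell(string $value): string
{
    return escapeshellarg($value);
}

/** Builds one string per sink from the same raw input and returns them keyed by sink. */
function demo(): array
{
    // Constructed sample input: a comment field containing quote, ampersand,
    // markup and a shell-looking sequence. Level 1 keeps all of it.
    $request = ['comment' => 'O\'Brien & Co <b>test</b> $(date)'];
    $raw = levelOneReceive($request, 'comment');

    $db = new PDO('sqlite::memory:'); // stand-in for the application's $db handle

    return [
        'raw'   => $raw,
        'html'  => '<td>' . forHtml($raw) . '</td>',
        'js'    => 'var comment = ' . forJs($raw) . ';',
        'sql'   => 'INSERT INTO comment (txt) VALUES (' . forSql($db, $raw) . ')',
        'shell' => 'mail -s ' . forShell($raw) . ' admin@example.invalid',
    ];
}

foreach (demo() as $sink => $out) {
    echo str_pad($sink, 6), $out, "\n";
}
```

The point this makes concrete is the one in the reply: the raw value is identical for every sink, and the escaping that makes it safe is chosen by the place it is written, not by the place it was read. The review check that follows from that is to verify every string concatenated into HTML, JavaScript, SQL or a command line passes through the escaper matching that sink, since a single forgotten call is where the risk lies. Parametrized queries, which the thread raises as an alternative for the SQL sink, would replace `forSql` with a bound parameter but leave the HTML, JavaScript and shell escapers unchanged.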