Difference between revisions of "Developer Area/Significant Bug Documentation"
From Mahara Wiki
< Developer Area
(Created page with "= Security bugs = Take care when trying to "fix" the oddities that remedies for these bugs have caused. [https://bugs.launchpad.net/mahara/+bug/1047111 #1047111] <tt> There is…") |
|||
| (2 intermediate revisions by the same user not shown) | |||
| Line 1: | Line 1: | ||
| − | = Security | + | = Security-related = |
Take care when trying to "fix" the oddities that remedies for these bugs have caused. | Take care when trying to "fix" the oddities that remedies for these bugs have caused. | ||
| − | [https://bugs.launchpad.net/mahara/+bug/1047111 #1047111] | + | == [https://bugs.launchpad.net/mahara/+bug/1047111 #1047111] XML External Entity parsing. == |
| − | + | There is a security issue with the default XML parser for PHP, where ENTITY fields areloaded and substituted in text parts. <br/><br/> | |
| − | There is a security issue with the default XML parser for PHP, where ENTITY fields | + | This allows possible attackers to read from internal networks, or files readable by the web server user.<br/><br/> |
| − | + | This includes reading of the config.php file, which contains sensitive information such as the database password, and the password salt field.<br/><br/> | |
| + | The fix for this was to include a call to libxml_disable_entity_loader(true) during the initialization of a page. This is based on a report from Mike Haworth<br/><br/> | ||
| + | The vulnerability was present in the admin area when uploading Leap2A users, and also in the user page area where a user could provide a RSS feed with specific XML ENTITY fields.<br/><br/> | ||
| + | More information can be found at the following: | ||
| + | http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities | ||
| + | http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html<br/><br/> | ||
| + | This affects only php 5.2.11 and upwards, and likewise the fix must check for the libxml_disable_entity_loader function before doing it's thing. | ||
| − | |||
| − | |||
| − | + | == sanitise_url() == | |
| − | |||
| − | + | This function is in <tt>htdocs/lib/web.php</tt> and is intended for use in ensuring URLs are safe. | |
| − | |||
| − | + | It was first introduced to sanitise urls in rss feeds, but is now also used on other input such as logged-in/out menus. | |
| − | |||
| − | + | When altering this function, you ''must'' check the other places it is used to ensure it hasn't caused issues. | |
| − | |||
| − | |||
| − | |||
Latest revision as of 12:10, 19 September 2012
Take care when trying to "fix" the oddities that remedies for these bugs have caused.
#1047111 XML External Entity parsing.
There is a security issue with the default XML parser for PHP, where ENTITY fields areloaded and substituted in text parts.
This allows possible attackers to read from internal networks, or files readable by the web server user.
This includes reading of the config.php file, which contains sensitive information such as the database password, and the password salt field.
The fix for this was to include a call to libxml_disable_entity_loader(true) during the initialization of a page. This is based on a report from Mike Haworth
The vulnerability was present in the admin area when uploading Leap2A users, and also in the user page area where a user could provide a RSS feed with specific XML ENTITY fields.
More information can be found at the following: http://projects.webappsec.org/w/page/13247003/XML%20External%20Entities http://websec.io/2012/08/27/Preventing-XEE-in-PHP.html
This affects only php 5.2.11 and upwards, and likewise the fix must check for the libxml_disable_entity_loader function before doing it's thing.
sanitise_url()
This function is in htdocs/lib/web.php and is intended for use in ensuring URLs are safe.
It was first introduced to sanitise urls in rss feeds, but is now also used on other input such as logged-in/out menus.
When altering this function, you must check the other places it is used to ensure it hasn't caused issues.