[pmwiki-announce] Custom PageVariables from request strings: critical vulnerability
Petko Yotov
5ko at 5ko.fr
Sat Dec 19 11:24:25 CST 2015
Hello,
This message concerns you if your wiki creates custom page variables
which get their values from request strings like the URL address of the
page.
The previously documented recommended way to sanitize such values can
allow PHP code injection in some cases.
The following is very insecure:
$FmtPV['$Var'] = $_REQUEST['Var']; # insecure
$FmtPV['$Var'] = '"'. addslashes($_REQUEST['Var']).'"'; # insecure
While the first way was known to be insecure, the second way was
recommended, but unfortunately a new vulnerability exploiting it was
reported to me 2 hours ago.
If your wiki uses such custom variables, it is highly recommended to
disable your custom $FmtPV definitions and to install the recipe
HttpVariables which does not allow the input strings to be evaluated by
the PHP engine:
http://www.pmwiki.org/wiki/Cookbook/HttpVariables
If you need any assistance you can contact me.
Petko
--
Change log : http://www.pmwiki.org/wiki/PmWiki/ChangeLog
Release notes : http://www.pmwiki.org/wiki/PmWiki/ReleaseNotes
If you upgrade : http://www.pmwiki.org/wiki/PmWiki/Upgrades
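The pattern the announcement warns about, beside a form that keeps request data out of the evaluated expression. This is an added example, not PmWiki's or the author's code; it assumes, as the announcement describes, that PmWiki evaluates each $FmtPV entry as a PHP expression, and the $RequestPV holder and RegisterRequestPV() are hypothetical names introduced here.

```php
<?php
// Insecure pattern from the announcement: the request value is spliced into
// PHP source that will later be evaluated. addslashes() escapes quotes and
// backslashes only; inside a double-quoted PHP string other characters keep
// their special meaning, so the value can still shape the evaluated code.
$FmtPV['$Var'] = '"' . addslashes($_REQUEST['Var']) . '"';  # insecure

// Safer pattern: the untrusted value never becomes part of the evaluated
// source. It is copied into a dedicated array (hypothetical name), and the
// $FmtPV expression is a constant string that only names the array slot.
$GLOBALS['RequestPV'] = array();

function RegisterRequestPV($name) {
  global $FmtPV;
  // Only identifiers built from a safe character set are placed in the
  // expression text; the request value itself is never placed there.
  if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) return false;
  $value = isset($_REQUEST[$name]) ? $_REQUEST[$name] : '';
  if (!is_string($value)) $value = '';   // ignore array input such as ?Var[]=x
  $GLOBALS['RequestPV'][$name] = $value;
  $FmtPV['$' . $name] = '$GLOBALS["RequestPV"]["' . $name . '"]';
  return true;
}

// Defines {$Var} from ?Var=... without the value ever reaching eval().
RegisterRequestPV('Var');
```

Whatever the expression returns is still page content, so the usual output handling for page variables applies unchanged; this only removes the code-injection path.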