[pmwiki-users] Custom PageVariables from request strings: critical vulnerability
Petko Yotov
5ko at 5ko.fr
Sun Feb 28 03:28:10 CST 2016
No, htmlspecialchars() is not vulnerable per se, what is vulnerable is
that the string you store in a $FmtPV variable will be evaluated and run
by PmWiki as PHP code. So it is a bad idea to store in that variable
things that other people wrote on the wiki or in the web forms, or in
the URL address -- $FmtPV was never intended to be used this way.
Instead of {$PageVar} you can use in your forms {$$RequestVars} for
example in pagelists: these are not vulnerable, you don't need to do
anything. Or, for needs other than pagelists/searches, the recipe
"HttpVariables" provides access to request strings without evaluating
them.
Even if you sanitize the strings, a future PHP upgrade may include a new
way to compromise the site. So, don't evaluate random strings. :-)
Petko
On 2016-02-27 12:58, Oliver Betz wrote:
> Petko Yotov wrote 2015-12-19:
>>
>> This message concerns you if your wiki creates custom page variables
>> which get their values from request strings like the URL address of
>> the page.
>>
>> The previously documented recommended way to sanitize such values can
>> allow PHP code injection in some cases.
>>
>> The following is very insecure:
>>
>> $FmtPV['$Var'] = $_REQUEST['Var']; # insecure
>> $FmtPV['$Var'] = '"'. addslashes($_REQUEST['Var']).'"'; # insecure
>
> is htmlspecialchars vulnerable?
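An added illustration, not code from this thread or from PmWiki itself: a stripped-down stand-in for how PmWiki evaluates a $FmtPV entry (assumed here to be eval("return (...)"), which is the behaviour Petko describes), fed one constructed request value, to show why addslashes() around the value does not help while a fixed entry that only reads a pre-sanitized PHP variable does. The function evaluate_page_variable() and the global name RequestVar are chosen for this example.

```php
<?php
// Model of PmWiki's handling of $FmtPV: whatever string sits in the entry is
// compiled and run as PHP source (assumption about PmWiki, simulated here).
function evaluate_page_variable(array $FmtPV, string $name): string {
    return (string) eval("return ({$FmtPV[$name]});");
}

// Constructed request value. addslashes() escapes only quotes and backslashes,
// so the "$" survives and PHP still interpolates it inside the double quotes.
$request_value = 'hello $name';

// 1) Insecure pattern from the advisory: the request value is spliced into the
//    PHP source of the entry, so it is parsed as code, not kept as data.
$insecure = ['$Var' => '"' . addslashes($request_value) . '"'];
$out_insecure = evaluate_page_variable($insecure, '$Var');
// Result is "hello $Var": the request text read the $name variable of the
// evaluating scope, proof that user input reached the PHP parser.

// 2) Pattern that keeps the value as data: sanitize into an ordinary PHP
//    variable, and make the $FmtPV entry a fixed expression that only reads it.
//    The request value never becomes source code, whatever characters it has.
$GLOBALS['RequestVar'] = htmlspecialchars($request_value, ENT_QUOTES, 'UTF-8');
$safe = ['$Var' => '$GLOBALS["RequestVar"]'];
$out_safe = evaluate_page_variable($safe, '$Var');
// Result is "hello $name", returned literally (after HTML escaping).

printf("insecure: %s\nsafe:     %s\n", $out_insecure, $out_safe);
```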