Using $_REQUEST is a no-no.<br><br>If LifeType absolutely needs it, one way to mitigate against this PHP headache would be to assign $_REQUEST = array_merge($_GET, $_POST). [<a href="http://us2.php.net/array_merge">http://us2.php.net/array_merge</a>]<br>
<br>If you're using it to get $_COOKIE values, change that code to specifically look in that variable for it...<br><br>Then you won't suffer from the cookie overwrite situation.<br><br>-Matt<br><br>FYI. Take that bit of advice with the disclaimer that I usually consider pages whose POST variables are accepted in POST or GET variables to be a vulnerability, since Cross-Site Request Forgery is possible then.<br>
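<br>An added example (not LifeType's code and not from either poster) that simulates how PHP fills $_REQUEST when cookies are included (later sources overwrite earlier ones, so a cookie with the same key wins) and shows the two mitigations discussed above: rebuilding $_REQUEST from GET and POST only, and reading cookie data from $_COOKIE alone. The request arrays are constructed sample input, so the script runs offline.<br>

```php
<?php
// Constructed sample request: a legitimate ?page=2 in the query string and
// a cookie that happens to carry the same key. The arrays stand in for
// $_GET, $_POST and $_COOKIE so the script runs without a web server.
$get    = ['page' => '2', 'op' => 'view'];
$post   = [];
$cookie = ['page' => '999', 'PHPSESSID' => 'abc'];

// How $_REQUEST is populated when cookies are part of the request order
// (e.g. variables_order "GPC"): array_merge semantics, last source wins,
// so the cookie value silently replaces the GET value.
function buildLegacyRequest(array $get, array $post, array $cookie): array
{
    return array_merge($get, $post, $cookie);
}

// Matt's suggestion: rebuild the array from GET and POST only, so a cookie
// can no longer overwrite a request parameter. In a real bootstrap this would
// be: $_REQUEST = array_merge($_GET, $_POST);
function buildRequestWithoutCookies(array $get, array $post): array
{
    return array_merge($get, $post);
}

// Jon's suggestion for parameters that are never POSTed (like "page"):
// read them from $_GET directly and cast to the expected type.
function pageFromGet(array $get): int
{
    return isset($get['page']) ? (int) $get['page'] : 1;
}

// Cookie-sourced data is read only from its own superglobal, never from
// $_REQUEST, so request parameters and cookies cannot be confused.
function sessionIdFromCookie(array $cookie): ?string
{
    return $cookie['PHPSESSID'] ?? null;
}

$legacy = buildLegacyRequest($get, $post, $cookie);
$fixed  = buildRequestWithoutCookies($get, $post);

printf("legacy page  = %s (cookie overwrote GET)\n", $legacy['page']);
printf("merged page  = %s (GET/POST only)\n", $fixed['page']);
printf("page from GET = %d\n", pageFromGet($get));
printf("session id    = %s (read from cookie array only)\n", sessionIdFromCookie($cookie));
```
<br>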
<br><div class="gmail_quote">On Wed, Jan 14, 2009 at 10:15 AM, Jon Daley <span dir="ltr">&lt;<a href="mailto:plogworld@jon.limedaley.com">plogworld@jon.limedaley.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Yes, this is a critical error, as we use $_REQUEST all over the place, so various things can be injected via cookies into the get and post streams. Anyone have some time to see how other folks went about solving this? Maybe the easiest thing is to remove cookie information from the REQUEST parameter? Some of the places we use $_REQUEST can simply be changed to $_GET (like for the page parameter - that isn't ever used via POST or COOKIE, right?)<br>
We do a bunch of overwriting the superglobals in the root directory, and that code looks kind of hard to modify.<br>
<br>
See the below links for more information:<br>
<br>
<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771" target="_blank">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=504771</a><br>
<a href="http://brian.moonspot.net/2008/01/17/responsible-use-of-the-_request-variable/" target="_blank">http://brian.moonspot.net/2008/01/17/responsible-use-of-the-_request-variable/</a><div><div></div><div class="Wj3C7c">
<br>
<br>
<br>
On Mon, 24 Nov 2008, Jon Daley wrote:<br>
<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Since every (I think?) blog software that is in debian just released a security advisory... I haven't looked into it very carefully yet - do we need to do something to fix LT as well? And perhaps we can borrow some code from these patches?<br>
<br>
---------- Forwarded message ----------<br>
Date: Mon, 24 Nov 2008 02:04:52 +0100<br>
From: <a href="mailto:secure-testing-team@lists.alioth.debian.org" target="_blank">secure-testing-team@lists.alioth.debian.org</a><br>
To: <a href="mailto:debian-testing-security-announce@lists.debian.org" target="_blank">debian-testing-security-announce@lists.debian.org</a><br>
Subject: Security update for Debian Testing - 2008-11-24<br>
Resent-Date: Mon, 24 Nov 2008 01:05:05 +0000 (UTC)<br>
Resent-From: <a href="mailto:debian-testing-security-announce@lists.debian.org" target="_blank">debian-testing-security-announce@lists.debian.org</a><br>
<br>
This automatic mail gives an overview of security issues that were recently<br>
fixed in Debian Testing. The majority of fixed packages migrate to testing<br>
from unstable. If this would take too long, fixed packages are uploaded to the<br>
testing-security repository instead. It can also happen that vulnerable<br>
packages are removed from Debian testing.<br>
<br>
Migrated from unstable:<br>
=======================<br>
enscript 1.6.4-13:<br>
CVE-2008-4306: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4306</a><br>
<a href="http://bugs.debian.org/506261" target="_blank">http://bugs.debian.org/506261</a><br>
<br>
libxml2 2.6.32.dfsg-5:<br>
CVE-2008-4225: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4225</a><br>
CVE-2008-4226: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4226</a><br>
<br>
movabletype-opensource 4.2.1-3:<br>
CVE-2008-4634: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4634</a><br>
<a href="http://bugs.debian.org/503114" target="_blank">http://bugs.debian.org/503114</a><br>
<br>
no-ip 2.1.7-11:<br>
&lt;no CVE yet&gt; : no-ip DUC remote code execution<br>
<a href="http://bugs.debian.org/506179" target="_blank">http://bugs.debian.org/506179</a><br>
<br>
typo3-src 4.2.3-1:<br>
&lt;no CVE yet&gt; : typo3: XSS vulnerability in Typo3 backendmodul "fileadmin"<br>
<a href="http://bugs.debian.org/505324" target="_blank">http://bugs.debian.org/505324</a><br>
&lt;no CVE yet&gt; : typo3: XSS vulnerability in Typo3 sysext "felogin"<br>
<a href="http://bugs.debian.org/505325" target="_blank">http://bugs.debian.org/505325</a><br>
&lt;no CVE yet&gt; : typo3: passwords are not changeable bug in the backend<br>
<a href="http://bugs.debian.org/505326" target="_blank">http://bugs.debian.org/505326</a><br>
<br>
wordpress 2.5.1-10:<br>
CVE-2008-5113: <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113" target="_blank">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5113</a><br>
<a href="http://bugs.debian.org/504771" target="_blank">http://bugs.debian.org/504771</a><br>
<br>
<br>
<br>
How to update:<br>
--------------<br>
Make sure the line<br>
<br>
deb <a href="http://security.debian.org" target="_blank">http://security.debian.org</a> lenny/updates main contrib non-free<br>
<br>
is present in your /etc/apt/sources.list. Of course, you also need the line<br>
pointing to your normal lenny mirror. You can use<br>
<br>
aptitude update && aptitude dist-upgrade<br>
<br>
to install the updates.<br>
<br>
<br>
More information:<br>
-----------------<br>
More information about which security issues affect Debian can be found in the<br>
security tracker:<br>
<br>
<a href="http://security-tracker.debian.net/tracker/" target="_blank">http://security-tracker.debian.net/tracker/</a><br>
<br>
A list of all known unfixed security issues is at<br>
<br>
<a href="http://security-tracker.debian.net/tracker/status/release/testing" target="_blank">http://security-tracker.debian.net/tracker/status/release/testing</a><br>
<br>
<br>
<br>
</blockquote>
<br>
-- <br></div></div><font color="#888888">
Jon Daley<br>
<a href="http://jon.limedaley.com" target="_blank">http://jon.limedaley.com</a><br>
~~<br>
Quoting: the act of repeating erroneously the words of another.<br>
-- Ambrose Bierce</font><div><div></div><div class="Wj3C7c"><br>
_______________________________________________<br>
pLog-svn mailing list<br>
<a href="mailto:pLog-svn@devel.lifetype.net" target="_blank">pLog-svn@devel.lifetype.net</a><br>
<a href="http://limedaley.com/mailman/listinfo/plog-svn" target="_blank">http://limedaley.com/mailman/listinfo/plog-svn</a><br>
</div></div></blockquote></div><br>