Fanlistings Chit-Chat / CodeGrrl PHP scripts vulnerability
« on: November 16, 2005, 12:48:51 PM »
Yes that fix will work.
extract($_GET, EXTR_SKIP);
extract($_POST, EXTR_SKIP);
I'm told that doesn't compromise security, but Johan can probably say whether or not it really does better than I can. ^^

Do not use extract() on untrusted data, like user-input ($_GET, ...). If you do, for example, if you want to run old code that relies on register_globals temporarily, make sure you use one of the non-overwriting extract_type values such as EXTR_SKIP and be aware that you should extract in the same order that's defined in variables_order within the php.ini.
Basically what it's saying is when you use it on $_GET and $_POST, ALWAYS add the EXTR_SKIP flag to make sure the get and post data doesn't overwrite your existing variables. Of course not using "register_globals" is encouraged by the PHP folks, but this appears to be a decent fix.
// This is the page to show when the user has been logged out
$logout_page = "$siteurl";
Input passed to the "siteurl" parameter in "protection.php" isn't properly verified, before it is used to include files. This can be exploited to include arbitrary files from external and local resources.
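
The following is an added example, not part of the original posts or of the CodeGrrl scripts. It shows that EXTR_SKIP only protects variables that are already assigned when extract() runs, and what an allowlist alternative looks like. The $request array, the example.org URLs and the function names are constructed for illustration.

```php
<?php
// Constructed request data standing in for $_GET; not taken from the thread.
$request = ['siteurl' => 'http://other.example/', 'page' => 'about'];

// Order A: extract() runs first. $siteurl does not exist yet, so EXTR_SKIP
// has nothing to protect and the request value is imported.
function extract_then_default(array $input): string
{
    extract($input, EXTR_SKIP);
    if (!isset($siteurl)) {              // default only applied when unset
        $siteurl = 'http://www.example.org/';
    }
    return $siteurl;
}

// Order B: the setting is assigned first. EXTR_SKIP sees the collision and
// leaves the configured value alone.
function default_then_extract(array $input): string
{
    $siteurl = 'http://www.example.org/';
    extract($input, EXTR_SKIP);
    return $siteurl;
}

// Alternative without extract(): copy only the keys the script expects.
function pick_allowed(array $input, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $key) {
        if (isset($input[$key]) && is_string($input[$key])) {
            $clean[$key] = $input[$key];
        }
    }
    return $clean;
}

echo "extract first:  ", extract_then_default($request), "\n";
echo "assign first:   ", default_then_extract($request), "\n";
echo "allowlist keys: ", implode(',', array_keys(pick_allowed($request, ['page']))), "\n";
```

The request value survives only in the first ordering, so any setting that later reaches an include or redirect has to be assigned before the extract() calls run.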