It's sad to see that the author have not responded to my PMs about this or posted in here.Pond Life wrote:With the help of ZB Block and it's author, a potential security risk with this mod has been found.
The discovery was made when someone tried to cancel a friend request and it triggered ZB Block, the query string responsible was:First I asked on the ZB Block forum, if this was simply a compatibility issue then a custom signature might help. The reply I got said that I should contact the mod author and tell him that he needs to get rid of the brackets [ ].Code: Select all
i=socialnet&mode=module_approval_friends&module=friends&cancel=1&cancel_request[]= <rest removed because it contains user id and is not relevant to this issue>
This was the first time I had installed a mod that was still in development but now I have seen for myself why it's not a good idea I will not be doing that again. The mod has now been removed from my site.Zaphod wrote:In PHP variables, brackets are for array definition. If he is passing raw arrays through the URL, he's asking for a major exploit. What should be passed in URLs, is commands only. If reserved characters are needed, then they should always be escaped! Please see http://en.wikipedia.org/wiki/Percent-encoding for more information. In this case however, the escaping would not be acceptable, as the variable form, cuts WAY TOO CLOSE to the danger bone, as it contains verbatim the name of a global variable.