Never trust user input

Newbian

Lifer
Aug 24, 2008
24,779
882
126
What about output?

I won't flush and let you check it out if that's ok with you.
 

TruePaige

Diamond Member
Oct 22, 2006
9,874
2
0
Hmm..is this about XSS injections? I'll have to look closer.

If so it is easy to patch up if it is just the one hole.
 

txrandom

Diamond Member
Aug 15, 2004
3,773
0
71
Originally posted by: TruePaige
Hmm..is this about XSS injections? I'll have to look closer.

If so it is easy to patch up if it is just the one hole.

It could be.
 

Red Squirrel

No Lifer
May 24, 2003
71,329
14,089
126
www.anyf.ca
I had a teacher in my PHP class that did not bother teaching validation. When coding a login system he said just storing the userid in a cookie is good enough "because you had to authenticate to get that cookie anyway". Cookies are user input too; people just don't really see it that way.

Drop-down menus and check boxes are all user input too, even though they are "restricted". I use restricted very loosely here, and the avatar selection drop-down in the profile page here is a great example of why. ;)

Actually, when it comes to potential SQL or HTML injections I find the easiest way is to simply turn < > ' " ` into the &nnn counterpart. (I have a feeling this post won't submit very well :p)
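An added example, not code from this thread or from FuseTalk, that puts the three points of the post above into working Python: the user id kept in the cookie is bound to an HMAC so a client cannot simply write a different id into it, the "restricted" avatar drop-down value is checked against a server-side allowlist before it is used, and stored text is turned into &#nnn; references on output. The secret, the avatar names and the in-memory profile table are constructed for the demo. The SQL side goes through parameterized queries, which is what actually keeps quoting problems out of the database; the entity encoding is reserved for HTML output.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo secret; a real site loads this from configuration, never from source control.
SESSION_SECRET = b"constructed-demo-secret-do-not-reuse"

# The server's own list of avatar images. The browser shows this as a drop-down,
# but the browser is not trusted to enforce it: a POST can carry any value at all.
AVATAR_ALLOWLIST = frozenset({"cat.png", "dog.png", "robot.png"})

# The characters named in the post, plus '&' so encoded text cannot be mis-decoded later.
_ENTITY_MAP = {"&": "&#38;", "<": "&#60;", ">": "&#62;", '"': "&#34;", "'": "&#39;", "`": "&#96;"}


def encode_for_html(text: str) -> str:
    """Turn markup-significant characters into numeric character references for output."""
    return "".join(_ENTITY_MAP.get(ch, ch) for ch in text)


def make_session_cookie(user_id: int) -> str:
    """Issue a cookie that carries the user id together with an HMAC over it."""
    tag = hmac.new(SESSION_SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{tag}"


def user_id_from_cookie(cookie: str):
    """Return the user id only if the MAC verifies; a hand-edited or bare-id cookie yields None."""
    user_id, sep, tag = cookie.partition(":")
    if not sep or not user_id.isdigit():
        return None
    expected = hmac.new(SESSION_SECRET, user_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return int(user_id)


def validate_avatar_choice(submitted: str):
    """Accept the drop-down value only if it is one of the server's own options."""
    return submitted if submitted in AVATAR_ALLOWLIST else None


def open_store() -> sqlite3.Connection:
    """In-memory profile table standing in for the forum database (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (user_id INTEGER PRIMARY KEY, avatar TEXT NOT NULL, signature TEXT NOT NULL)"
    )
    return conn


def save_profile(conn, user_id: int, avatar: str, signature: str) -> None:
    """Parameterized write: the signature text is data, never part of the SQL string."""
    conn.execute(
        "INSERT OR REPLACE INTO profiles (user_id, avatar, signature) VALUES (?, ?, ?)",
        (user_id, avatar, signature),
    )


def render_profile(conn, user_id: int) -> str:
    """Encode every stored field on the way out, even the allowlisted avatar name."""
    avatar, signature = conn.execute(
        "SELECT avatar, signature FROM profiles WHERE user_id = ?", (user_id,)
    ).fetchone()
    return f'<img src="/avatars/{encode_for_html(avatar)}"><p>{encode_for_html(signature)}</p>'


def handle_profile_update(conn, cookie: str, avatar_choice: str, signature: str):
    """The request path end to end; returns the rendered profile, or None if any input is rejected."""
    user_id = user_id_from_cookie(cookie)
    if user_id is None:
        return None
    avatar = validate_avatar_choice(avatar_choice)
    if avatar is None:
        return None
    save_profile(conn, user_id, avatar, signature)
    return render_profile(conn, user_id)


if __name__ == "__main__":
    db = open_store()
    good = make_session_cookie(42)
    print(handle_profile_update(db, good, "cat.png", '<script>alert("x")</script>'))
    print(handle_profile_update(db, "42", "cat.png", "bare id, no MAC"))
    print(handle_profile_update(db, good, "not-on-the-list.png", "value the drop-down never offered"))
```

The second and third calls are rejected before anything touches the database: a cookie that is just a user id fails MAC verification, and an avatar name the server never offered fails the allowlist, regardless of what the page's drop-down displayed.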
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,608
6,094
136
I posted a PSA in the Programming forum reminding people to sanitize their inputs...
 

Chronoshock

Diamond Member
Jul 6, 2004
4,860
1
81
There's a thread in TFI to followup on the incident. My guess is that there are many more attack vectors through input manipulation.
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,608
6,094
136
Originally posted by: paulney
Originally posted by: Spartan Niner
I posted a PSA in the Programming forum reminding people to sanitize their inputs...

The clock is ticking.

I am aware, so I will comply 23 hours and 59 minutes from T-start.

Mods, please forgive me for loving my alma mater. ;)
 

Newbian

Lifer
Aug 24, 2008
24,779
882
126
Originally posted by: Spartan Niner
Originally posted by: paulney
Originally posted by: Spartan Niner
I posted a PSA in the Programming forum reminding people to sanitize their inputs...

The clock is ticking.

I am aware, so I will comply 23 hours and 59 minutes from T-start.

Mods, please forgive me for loving my alma mater. ;)

I do notice that the page is continually loading with some of these custom avatars. :(
 

TruePaige

Diamond Member
Oct 22, 2006
9,874
2
0
Custom avatars are funny, eh..wonder if it had anything to do with starting this thread...
 

Red Squirrel

No Lifer
May 24, 2003
71,329
14,089
126
www.anyf.ca
Actually I wonder what sparked this to begin with. That exploit has been there forever. What's funny is I had a feeling once but never bothered to try. I had seen someone with a blank avatar and found it was weird, so I checked the source to see it was really a lack of image, then checked the code for the profile and saw image names. Funny stuff.

I hope FuseTalk is at least free software... I would hate to be a sucker paying for something with such simple, easy-to-avoid flaws.

 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,608
6,094
136
Originally posted by: RedSquirrel
Actually I wonder what sparked this to begin with. That exploit has been there forever. What's funny is I had a feeling once but never bothered to try. I had seen someone with a blank avatar and found it was weird, so I checked the source to see it was really a lack of image, then checked the code for the profile and saw image names. Funny stuff.

I hope FuseTalk is at least free software... I would hate to be a sucker paying for something with such simple, easy-to-avoid flaws.

I'm afraid it's not...


FuseTalk Basic Edition (CF) ******* $1,298.00
FuseTalk Standard Edition (CF) **** $4,298.00
FuseTalk Enterprise Edition (CF) *** $6,898.00
FuseTalk Basic Edition (.NET) ****** $1,298.00
FuseTalk Standard Edition (.NET) *** $4,298.00
FuseTalk Enterprise Edition (.NET) ** $6,898.00
 

IEC

Elite Member
Super Moderator
Jun 10, 2004
14,608
6,094
136
Originally posted by: Newbian
Originally posted by: Spartan Niner
Originally posted by: paulney
Originally posted by: Spartan Niner
I posted a PSA in the Programming forum reminding people to sanitize their inputs...

The clock is ticking.

I am aware, so I will comply 23 hours and 59 minutes from T-start.

Mods, please forgive me for loving my alma mater. ;)

I do notice that the page is continually loading with some of these custom avatars. :(

Fusetalk was trying to load a directory/image that didn't exist. Fixed.
 

Red Squirrel

No Lifer
May 24, 2003
71,329
14,089
126
www.anyf.ca
Originally posted by: Spartan Niner
Originally posted by: RedSquirrel
Actually I wonder what sparked this to begin with. That exploit has been there forever. What's funny is I had a feeling once but never bothered to try. I had seen someone with a blank avatar and found it was weird, so I checked the source to see it was really a lack of image, then checked the code for the profile and saw image names. Funny stuff.

I hope FuseTalk is at least free software... I would hate to be a sucker paying for something with such simple, easy-to-avoid flaws.

I'm afraid it's not...


FuseTalk Basic Edition (CF) ******* $1,298.00
FuseTalk Standard Edition (CF) **** $4,298.00
FuseTalk Enterprise Edition (CF) *** $6,898.00
FuseTalk Basic Edition (.NET) ****** $1,298.00
FuseTalk Standard Edition (.NET) *** $4,298.00
FuseTalk Enterprise Edition (.NET) ** $6,898.00

WTF seriously? That's retarded, who actually pays thousands for software when there's free alternatives? Not to mention use .net for a web app, LAMP is where it's at.
 

txrandom

Diamond Member
Aug 15, 2004
3,773
0
71
Originally posted by: adlep
.net and cf
For The Fail (FTF)

It doesn't have anything to do with .NET or CF. It could have easily been an issue in PHP-powered forums.