MyBB Community Forums

Full Version: How to check for SQL injection or malicious script vulnerabilities
Dear friends, forgive me if I am ignorant or less informed on some of these issues.

I sincerely understand that it is quite risky to use third-party plugins and tools, especially after a couple of MyBB plugin developers proved to be notorious.

But it sometimes makes it almost unavoidable to use some plugins, like Facebook Connect.

Now my question is, "Are there any specific guidelines to be followed before installing any plugin offered by a third party?"
Learn basic PHP and review the plugin source code. If you don't understand what something is doing, look it up or ask.

Anything that uses curl, base64_*, allow_*_open, or file-related open, read, or write functions should be looked at to see what it is doing.
Also, for SQL injection, any time you see $mybb->input being assigned to a variable, check if it is wrapped in $db->escape_string() or int() or has (intval) listed in front of it.

Also, if you are seeing anything related to _GET or _PUT or _SERVER, then double-check what it is doing.
(2011-10-31, 04:27 PM)rupam das Wrote: ...
Now my question is, "Are there any specific guidelines to be followed before installing any plugin offered by a third party?"

Specific guidelines* == start w/ Paveman's, mybb-plugins, the core developers' plugins, Frostshultz, and these awesome plugins, and check if you actually need any others.

*I'm certainly leaving out some good devs, sorry.

(2011-10-31, 05:20 PM)pavemen Wrote:
Learn basic PHP and review the plugin source code. If you don't understand what something is doing, look it up or ask.

Anything that uses curl, base64_*, allow_*_open, or file-related open, read, or write functions should be looked at to see what it is doing.
Also, for SQL injection, any time you see $mybb->input being assigned to a variable, check if it is wrapped in $db->escape_string() or int() or has (intval) listed in front of it.

Also, if you are seeing anything related to _GET or _PUT or _SERVER, then double-check what it is doing.

Thanks a lot. PHP and MySQL are not a problem for me. OK, sir. Before any plugin update, I will be sure to verify the code before installing. Great, great short tips, though.
Security is an interesting thing in that there are many possible attack vectors to various things.

Oh, and here's an example of some vulnerable code:
if($mybb->input['posthash'] != "")
{
	$query = $db->simple_select("myshowcase_attachments", "*", "posthash = '".$mybb->input['posthash']."'");
	$current_attach_count = $db->num_rows($query);
	unset($query);
}
See if you can pick out what's the issue.
(2011-11-02, 06:37 AM)Yumi Wrote:
Security is an interesting thing in that there are many possible attack vectors to various things.

Oh, and here's an example of some vulnerable code:
if($mybb->input['posthash'] != "")
{
	$query = $db->simple_select("myshowcase_attachments", "*", "posthash = '".$mybb->input['posthash']."'");
	$current_attach_count = $db->num_rows($query);
	unset($query);
}
See if you can pick out what's the issue.

I don't think it's an issue since it's not inserting anything into the DB.
Edit: I just downloaded MyShowcase now and yes, it needs to be escaped.
(2011-11-02, 07:16 AM)Yaldaram Wrote:
I don't think it's an issue since it's not inserting anything into the DB.

Actually, it is a dangerous SQL injection.

Imagine if I'm the visitor and I enter in the posthash field something like:
0' OR 1=1; DELETE * FROM 'mybb_posts

The query is now:
$query = $db->simple_select("myshowcase_attachments", "*", "posthash = '0' OR 1=1; DELETE * FROM 'mybb_posts'");

Or, more clearly, the query is now:
SELECT * FROM myshowcase_attachments WHERE posthash = '0' OR 1=1; DELETE * FROM 'mybb_posts'

I deleted ALL the posts in your forum!!
And that's just because I'm a nice visitor; I could drop the whole database with all the data in it by doing:
0' OR 1=1; DROP DATABASE DATABASE(); '

as DATABASE() returns the name of the current database!!!!
Thanks for the not-so-subtle report of a vulnerability, but it's already been corrected in my current code that I am almost done with.
Also, checks for the post code and the input method being POST are the full monty, IMHO, for MyBB security.

if($mybb->input['posthash'] && $mybb->request_method == "post")

verify_post_check($mybb->input['my_post_key']);

Then sanitize.

$posthash = $db->escape_string($mybb->input['posthash']);

Then query..

$query = $db->simple_select("myshowcase_attachments", "*", "posthash = '{$posthash}'");


// $mybb->request_method holds the lower-cased HTTP method.
// == compares; a single = would assign and make the test always true.
if($mybb->input['posthash'] && $mybb->request_method == "post")
{
	// Reject requests that do not carry the user's post key (CSRF token).
	verify_post_check($mybb->input['my_post_key']);

	// Escape before the value reaches SQL.
	$posthash = $db->escape_string($mybb->input['posthash']);

	$query = $db->simple_select("myshowcase_attachments", "*", "posthash = '{$posthash}'");
	$current_attach_count = $db->num_rows($query);
	unset($query);
}

