Devel.ActiveSfAudit r1.4 - 02 Dec 2004 - 09:58 - PseudoPunk

SF-Active Security Audit

Intro.

The idea is that everyone who checks a class edits this page and puts his name next to the class name once he has audited that class.

Explanation

  • Several XSS holes found
  • A difficult-to-exploit but serious flaw in the admin login
  • Areas with potential flaws:
    • anywhere that accepts user input
      • Dossier class
      • Article class
      • admin login
    • anywhere user input is displayed
      • newswires
      • latest comments page
    • SQL query injection
  • Plan of attack:
    • find the areas that accept input
    • closely examine that code
    • put in general-purpose security measures
      • block SQL injection centrally in the DB class
      • strip dangerous fields on insertion into the DB, and escape again before display
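The two general-purpose measures in the plan above (blocking SQL injection in the DB class, and stripping dangerous content before display) are the kind of thing that belongs in one shared code path rather than in every page. The following is an added example written for this page, not SF-Active's own code: it assumes PDO is available (SF-Active's DB class predates PDO), the class and function names SafeDb, SafeDb::select, SafeDb::execute, sanitize_for_storage and esc_html are invented for the illustration, and the table and rows are constructed demo data in an in-memory SQLite database so the script runs stand-alone.

```php
<?php
// Added example (not SF-Active code). Names SafeDb, sanitize_for_storage and
// esc_html are assumptions for this illustration, not the project's API.

class SafeDb
{
    private PDO $pdo;

    public function __construct(PDO $pdo)
    {
        $this->pdo = $pdo;
        $this->pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        // On MySQL, turn off client-side emulation so bound values are sent
        // separately from the SQL text and are never interpolated into it.
        // (SQLite's driver does not accept this attribute, so guard it.)
        if ($this->pdo->getAttribute(PDO::ATTR_DRIVER_NAME) === 'mysql') {
            $this->pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
        }
    }

    /**
     * Run a SELECT with placeholders. The SQL string must come from application
     * code only; request data travels in $params, so it cannot change the
     * structure of the query no matter what it contains.
     */
    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }

    /** Same contract for INSERT/UPDATE/DELETE; returns the affected row count. */
    public function execute(string $sql, array $params = []): int
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute($params);
        return $stmt->rowCount();
    }
}

/** "Strip on insertion": drop all tags from fields that must be plain text (titles, author names). */
function sanitize_for_storage(string $value): string
{
    return trim(strip_tags($value));
}

/** "Escape before display": HTML-encode for a text or attribute context, at output time. */
function esc_html(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- constructed demo data ---
$db = new SafeDb(new PDO('sqlite::memory:'));
$db->execute('CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT, author TEXT)');

// A submitted title carrying markup is stored without its tags.
$submittedTitle = 'Protest <script>alert(1)</script> report';
$db->execute(
    'INSERT INTO article (title, author) VALUES (:title, :author)',
    [':title' => sanitize_for_storage($submittedTitle), ':author' => 'alice']
);

// A hostile id that would have broken a string-concatenated query is just a
// value here: it is compared as a whole and matches nothing.
$hostileId = '1 OR 1=1';
$rows = $db->select('SELECT * FROM article WHERE id = :id', [':id' => $hostileId]);
echo 'rows matched by hostile id: ' . count($rows) . "\n";   // 0

// Reading back: the stored title is tag-free, and display escapes it once more
// (belt and braces, so a field that skipped sanitization still cannot inject markup).
$rows = $db->select('SELECT title FROM article WHERE id = :id', [':id' => 1]);
echo 'stored:    ' . $rows[0]['title'] . "\n";               // Protest alert(1) report
echo 'displayed: ' . esc_html('<b>' . $rows[0]['title']) . "\n";  // &lt;b&gt;Protest alert(1) report
```

Run with `php example.php`. The point of the structure is that page code never builds SQL from request strings and never echoes a stored field raw; both checks live in one place (the DB wrapper and the display helper), which is what makes them general-purpose rather than something each of the pages listed below has to get right on its own.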

Class Overview

./article_class.inc

./backup_class.inc

./btemplate_class.inc

./cache_class.inc

./category_class.inc

./content_class.inc

./date_class.inc

./db_class.inc

./dossier_class.inc

./feature_class.inc

./gallery_class.inc

./image_class.inc

./language_class.inc

./localpage_class.inc

./newswire_class.inc

./page_class.inc

./producer_class.inc

./push2ia.inc

./rss10.inc

./spam_class.inc

./template_class.inc

./time.inc

./translate_class.inc

./user_class.inc

./calendar

./calendar/ical.inc

./calendar/archive_calendar.inc

./calendar/calendar.inc

./calendar/date_renderer.inc

./calendar/db_based_object.inc

./calendar/default_object.inc

./calendar/event.inc

./calendar/event_display.inc

./calendar/event_renderer.inc

./calendar/event_topic.inc

./calendar/event_type.inc

./calendar/event_week.inc

./calendar/indycalendar.inc

./calendar/location.inc

./calendar/minical.inc

./content

./content/newswire.inc

./content/test.inc

./pages

./pages/admin_cities.inc

./pages/admin_email.inc

./pages/admin_index.inc

./pages/archive_by_id.inc

./pages/archive_display_by_date.inc

./pages/archive_display_calendar.inc

./pages/archive_display_list.inc

./pages/archive_generate.inc

./pages/archive_generate_weeks.inc

./pages/archive_index.inc

./pages/archive_week_redirect.inc

./pages/article_bulk_status_change.inc

./pages/article_display_list.inc

./pages/article_edit.inc

./pages/article_regenerate.inc

./pages/authenticate.inc

./pages/authenticate_display_logon.inc

./pages/calendar_admin_index.inc

./pages/calendar_delete.inc

./pages/calendar_display_location_add.inc

./pages/calendar_display_location_delete.inc

./pages/calendar_display_location_edit.inc

./pages/calendar_display_location_list.inc

./pages/calendar_display_location_update.inc

./pages/calendar_display_topic_add.inc

./pages/calendar_display_topic_delete.inc

./pages/calendar_display_topic_edit.inc

./pages/calendar_display_topic_list.inc

./pages/calendar_display_topic_update.inc

./pages/calendar_display_type_add.inc

./pages/calendar_display_type_delete.inc

./pages/calendar_display_type_edit.inc

./pages/calendar_display_type_list.inc

./pages/calendar_display_type_update.inc

./pages/calendar_edit.inc

./pages/calendar_event_display_lookup.inc

./pages/calendar_event_refresh_all.inc

./pages/calendar_update.inc

./pages/category_add.inc

./pages/category_display_edit.inc

./pages/category_display_list.inc

./pages/category_display_preview.inc

./pages/category_display_pushtoproduction_confirmation.inc

./pages/category_preview.inc

./pages/category_pushtoproduction.inc

./pages/category_reorder.inc

./pages/category_update.inc

./pages/comment.inc

./pages/comment_latest.inc

./pages/config.inc

./pages/content_page.inc

./pages/css_viewer.inc

./pages/display_by_id.inc

./pages/dossier_admin_index.inc

./pages/dossier_admin_statuschange.inc

./pages/dossier_article.inc

./pages/dossier_dossier.inc

./pages/dossier_feature.inc

./pages/dossier_feature_add.inc

./pages/dossier_feature_update.inc

./pages/dossier_list.inc

./pages/dossier_refresh.inc

./pages/dump_by_id.inc

./pages/event_display_add.inc

./pages/event_display_add_confirm.inc

./pages/event_display_delete.inc

./pages/event_display_detail.inc

./pages/event_display_edit.inc

./pages/event_display_event.inc

./pages/event_display_list.inc

./pages/event_display_monthview.inc

./pages/event_display_week.inc

./pages/event_search.inc

./pages/feature_add.inc

./pages/feature_change_status.inc

./pages/feature_copy.inc

./pages/feature_copy_redirect.inc

./pages/feature_delete.inc

./pages/feature_display_copy.inc

./pages/feature_display_edit.inc

./pages/feature_display_history.inc

./pages/feature_display_list.inc

./pages/feature_list.inc

./pages/feature_reorder.inc

./pages/feature_undelete.inc

./pages/feature_update.inc

./pages/file_viewer.inc

./pages/gallery.inc (checked. bart)

./pages/hidden.inc (checked. bart)

./pages/image_browser.inc

./pages/include_viewer.inc

./pages/language_add.inc

./pages/language_display_edit.inc

./pages/language_display_list.inc

./pages/language_hide.inc

./pages/language_reorder.inc

./pages/language_update.inc

./pages/log_viewer.inc

./pages/logedit_index.inc

./pages/mailable.inc

./pages/mailinglist.inc

./pages/network.inc

./pages/newswire.inc

./pages/page_viewer.inc

./pages/printable.inc

./pages/publish.inc

./pages/refresh.inc

./pages/spam.inc (checked. bart)

./pages/syndication_index.inc

./pages/template_viewer.inc

./pages/translate_form.inc

./pages/upload_display_add.inc (checked. bart)

./pages/user_add.inc (checked. bart)

./pages/user_delete.inc (checked. bart)

./pages/user_display_edit.inc (checked. bart)

./pages/user_display_list.inc (checked. bart)

./pages/user_update.inc (checked. bart)

./pages/xml.inc

./pages/event_display_ical.inc

./pages/feature_photo_activate.inc

./pages/feature_photo_add.inc

./pages/feature_photo_change_status.inc

./pages/feature_photo_list.inc

./pages/feature_photo_reorder.inc

./pages/feature_photo_update.inc

./webcast

./webcast/webcast_class.inc

./webcast/webcast_comment_class.inc

./webcast/webcast_comment_text_class.inc

./webcast/webcast_display_class.inc

./webcast/webcast_media_class.inc

./webcast/webcast_text_class.inc

-- PseudoPunk - 21 Nov 2004


Devel.ActiveSfAudit moved from Devel.SecurityAudit on 21 Nov 2004 - 14:38 by PseudoPunk

Copyright © 1999-2008 by the contributing authors.
All material on this collaboration platform is the property of the contributing authors.