SF-Active Security Audit
Intro.
The idea is that everyone who checks a class edits this page and puts their name next to the class name once they have audited that class.
Explanation
- Several XSS holes found
- Difficult to exploit, but a big flaw in the admin login
- Areas with potential flaws:
    - anywhere with user input:
        - Dossier class
        - Article class
        - admin login
    - anywhere user input is displayed:
        - newswires
        - latest comments page
    - SQL query injection
- Plan of attack:
    - find the areas that allow input
    - closely examine the code
    - put in general-purpose security measures:
        - block SQL injection in the DB class
        - strip some dangerous fields on insertion into the DB and before display
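As an added example (not code from sf-active or its db_class.inc), the sketch below shows how the two general-purpose measures in the plan could be centralised in PHP: one hypothetical SafeDb wrapper that only accepts placeholder queries, and a displayText() helper applied at the point of display. The class, function and table/column names are assumptions; it assumes mysqli with mysqlnd (for get_result()).

```php
<?php
// Added example, not sf-active's own DB class: a hypothetical wrapper
// that funnels every query through prepared statements so that user
// input is never concatenated into SQL (blocks SQL injection in one
// place), plus an escaper for the "strip before display" step.

class SafeDb
{
    private mysqli $conn;

    public function __construct(mysqli $conn)
    {
        // Raise exceptions instead of silently returning false.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->conn = $conn;
    }

    // Callers pass SQL with ? placeholders and the values separately;
    // quoting tricks in a value cannot change the statement's structure.
    public function select(string $sql, array $params = []): array
    {
        $stmt = $this->conn->prepare($sql);
        if ($params !== []) {
            $stmt->bind_param(str_repeat('s', count($params)), ...$params);
        }
        $stmt->execute();
        return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    }
}

// Escape at the display boundary: stored text stays verbatim in the DB,
// and HTML metacharacters are neutralised when rendered into a page,
// which covers newswires and the latest-comments listing alike.
function displayText(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage with constructed connection details and an assumed "article" table:
// $db   = new SafeDb(new mysqli('localhost', 'user', 'pass', 'sfactive'));
// $rows = $db->select('SELECT title, summary FROM article WHERE id = ?',
//                     [$_GET['id']]);
// foreach ($rows as $row) {
//     echo '<h2>' . displayText($row['title']) . '</h2>';
//     echo '<p>'  . displayText($row['summary']) . '</p>';
// }
```

Any page that still builds SQL by string concatenation, or echoes a stored field without displayText(), is a candidate for the checklist below.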
Class Overview
./article_class.inc
./backup_class.inc
./btemplate_class.inc
./cache_class.inc
./category_class.inc
./content_class.inc
./date_class.inc
./db_class.inc
./dossier_class.inc
./feature_class.inc
./gallery_class.inc
./image_class.inc
./language_class.inc
./localpage_class.inc
./newswire_class.inc
./page_class.inc
./producer_class.inc
./push2ia.inc
./rss10.inc
./spam_class.inc
./template_class.inc
./time.inc
./translate_class.inc
./user_class.inc
./calendar
./calendar/ical.inc
./calendar/archive_calendar.inc
./calendar/calendar.inc
./calendar/date_renderer.inc
./calendar/db_based_object.inc
./calendar/default_object.inc
./calendar/event.inc
./calendar/event_display.inc
./calendar/event_renderer.inc
./calendar/event_topic.inc
./calendar/event_type.inc
./calendar/event_week.inc
./calendar/indycalendar.inc
./calendar/location.inc
./calendar/minical.inc
./content
./content/newswire.inc
./content/test.inc
./pages
./pages/admin_cities.inc
./pages/admin_email.inc
./pages/admin_index.inc
./pages/archive_by_id.inc
./pages/archive_display_by_date.inc
./pages/archive_display_calendar.inc
./pages/archive_display_list.inc
./pages/archive_generate.inc
./pages/archive_generate_weeks.inc
./pages/archive_index.inc
./pages/archive_week_redirect.inc
./pages/article_bulk_status_change.inc
./pages/article_display_list.inc
./pages/article_edit.inc
./pages/article_regenerate.inc
./pages/authenticate.inc
./pages/authenticate_display_logon.inc
./pages/calendar_admin_index.inc
./pages/calendar_delete.inc
./pages/calendar_display_location_add.inc
./pages/calendar_display_location_delete.inc
./pages/calendar_display_location_edit.inc
./pages/calendar_display_location_list.inc
./pages/calendar_display_location_update.inc
./pages/calendar_display_topic_add.inc
./pages/calendar_display_topic_delete.inc
./pages/calendar_display_topic_edit.inc
./pages/calendar_display_topic_list.inc
./pages/calendar_display_topic_update.inc
./pages/calendar_display_type_add.inc
./pages/calendar_display_type_delete.inc
./pages/calendar_display_type_edit.inc
./pages/calendar_display_type_list.inc
./pages/calendar_display_type_update.inc
./pages/calendar_edit.inc
./pages/calendar_event_display_lookup.inc
./pages/calendar_event_refresh_all.inc
./pages/calendar_update.inc
./pages/category_add.inc
./pages/category_display_edit.inc
./pages/category_display_list.inc
./pages/category_display_preview.inc
./pages/category_display_pushtoproduction_confirmation.inc
./pages/category_preview.inc
./pages/category_pushtoproduction.inc
./pages/category_reorder.inc
./pages/category_update.inc
./pages/comment.inc
./pages/comment_latest.inc
./pages/config.inc
./pages/content_page.inc
./pages/css_viewer.inc
./pages/display_by_id.inc
./pages/dossier_admin_index.inc
./pages/dossier_admin_statuschange.inc
./pages/dossier_article.inc
./pages/dossier_dossier.inc
./pages/dossier_feature.inc
./pages/dossier_feature_add.inc
./pages/dossier_feature_update.inc
./pages/dossier_list.inc
./pages/dossier_refresh.inc
./pages/dump_by_id.inc
./pages/event_display_add.inc
./pages/event_display_add_confirm.inc
./pages/event_display_delete.inc
./pages/event_display_detail.inc
./pages/event_display_edit.inc
./pages/event_display_event.inc
./pages/event_display_list.inc
./pages/event_display_monthview.inc
./pages/event_display_week.inc
./pages/event_search.inc
./pages/feature_add.inc
./pages/feature_change_status.inc
./pages/feature_copy.inc
./pages/feature_copy_redirect.inc
./pages/feature_delete.inc
./pages/feature_display_copy.inc
./pages/feature_display_edit.inc
./pages/feature_display_history.inc
./pages/feature_display_list.inc
./pages/feature_list.inc
./pages/feature_reorder.inc
./pages/feature_undelete.inc
./pages/feature_update.inc
./pages/file_viewer.inc
./pages/gallery.inc (checked. bart)
./pages/hidden.inc (checked. bart)
./pages/image_browser.inc
./pages/include_viewer.inc
./pages/language_add.inc
./pages/language_display_edit.inc
./pages/language_display_list.inc
./pages/language_hide.inc
./pages/language_reorder.inc
./pages/language_update.inc
./pages/log_viewer.inc
./pages/logedit_index.inc
./pages/mailable.inc
./pages/mailinglist.inc
./pages/network.inc
./pages/newswire.inc
./pages/page_viewer.inc
./pages/printable.inc
./pages/publish.inc
./pages/refresh.inc
./pages/spam.inc (checked. bart)
./pages/syndication_index.inc
./pages/template_viewer.inc
./pages/translate_form.inc
./pages/upload_display_add.inc (checked. bart)
./pages/user_add.inc (checked. bart)
./pages/user_delete.inc (checked. bart)
./pages/user_display_edit.inc (checked. bart)
./pages/user_display_list.inc (checked. bart)
./pages/user_update.inc (checked. bart)
./pages/xml.inc
./pages/event_display_ical.inc
./pages/feature_photo_activate.inc
./pages/feature_photo_add.inc
./pages/feature_photo_change_status.inc
./pages/feature_photo_list.inc
./pages/feature_photo_reorder.inc
./pages/feature_photo_update.inc
./webcast
./webcast/webcast_class.inc
./webcast/webcast_comment_class.inc
./webcast/webcast_comment_text_class.inc
./webcast/webcast_display_class.inc
./webcast/webcast_media_class.inc
./webcast/webcast_text_class.inc
--
PseudoPunk - 21 Nov 2004