Tarential

Done, and thank you all members of PHPFreaks who lent a hand

Thanks for the heads up. I've checked on the CVEs and the good folks at Debian have backported those fixes as well. I have always been a Debian fan, and this helps to show why

I believe it is a false positive based on version number. Since Debian backports security fixes, even though Apache is version 2.2.16 it has the latest security updates.

http://security-tracker.debian.org/tracker/CVE-2011-3192 Confirmed fixed in squeeze 2.2.16 ^^ Thanks very much.

Hi again! Thanks for the updates. I've just spent half an hour in the #debian IRC channel discussing Apache versions and security. They inform me that security problems are often patched backwards in versions and that even though I'm running 2.2.16 it is very likely that the actual vulnerabilities are not present. However, just in case, they asked me if your scanner provides a CVE number which I can then check to see if it has been patched. I also updated my virtualhost configurations to not permit low security cipher suites. I believe I've been able to test this myself (I get rejected when I use openssl s_client with low or medium strength ciphers or sslv2), but if you happen to check again to confirm that would also be nice I'm always happy to be more secure. You've been a big help.

You never had to do anything. I made and make no demands, I simply made the request that since you did scan, and you seemed to be attempting to help, you provide me with the information that your scanner provided you. If this request seems unreasonable to you, it is fully your right to ignore it. That said, the site is still up, but I think I know why you can't see it. I had a bug that was causing an endless loop in my 404 pages one night (hence why I don't normally push my code to the demo server til after it is tested, but I was in a hurry for other reasons), and before I realized what was causing the problems with my Linode I had quickly scanned the logs and used iptables to block an IP which seemed to be making weird requests. In retrospect, I see that was probably your scanner. I've unblocked the IP address now and I apologize for the confusion. I want to say this again: I am not trying to make demands of you, I am simply trying to be clear about which information would help me most. I'm grateful that you are spending your free time to help me. I don't feel that you are obliged towards me in any way and even if you choose to stop now I appreciate all the help you gave me already. If, on the other hand, you should feel so inclined as to continue helping, I believe you will be able to access the site again now. I would very much appreciate more details as to precisely what type of request results in exploitable code being inserted. Thanks.

Thank you, but that doesn't help me. I know how these vulnerabilities happen. You posted that your scanner picked something up. I'd like to know what your scanner found. If it is a false positive, or if you don't know how to get more details from the software, just say so please. I've done manual checks already and I didn't find anything wrong. As a matter of standard practice I filter all my input, so either this is something I missed or it is a false positive. More information would help me a lot in determining which of the two it is. Thanks.

Ok, perhaps I didn't say it right the first time. I know what htmlentities does, I know what strip_tags does, and I know what my algorithm is doing. I am aware that using strip_tags is an unnecessary addition to the filtration process, assuming one wishes to allow HTML tags, which I do not. I am also aware that htmlentities encodes all special characters whether they be dangerous or not. However, none of these things is a vulnerability. I've been told by darkfreaks that there is a vulnerability in some sort of unfiltered GET data, but he will not give me an example of a request which results in actually inserting Javascript code. This example is all I require so that I may fix the problem. Thank you.

I assume this is the output from the scanner you used? I don't use any GET vars called index_php or similar variations, so I'm not sure what it is indicating. Can you give me an example of a request which results in Javascript code being inserted?

I am using htmlentities because I understand it to actually convert more characters than htmlspecialchars. I take my understanding from this post on Stack Overflow: http://stackoverflow.com/questions/46483/htmlentities-vs-htmlspecialchars They advise that htmlspecialchars is enough in most situations, but that htmlentities converts a superset of characters. It seems to match the PHP documentation. Is there a reason you suggest that htmlentities is not secure? I use strip_tags for aesthetic reasons, not security ones. This way people won't end up with tags in their messages by accident (if they don't realize, for example, that full html is not allowed then it is stripped automatically). After being stripped, htmlentities then handles the sanitization. Following up, I've convinced myself to be un-lazy and uploaded the latest code to the demo page. The brute force protection should be in place and working now (but it is untested), and an interesting new feature some people might like to try (just to see it in action) is the improved file manager. Bulk file manipulation is a breeze now! Thanks for the updates. Edit: By the way, did the script you use for testing ever successfully inject javascript code anywhere, or was it just flagged as vulnerable? If so, can I see the code that exploited it?

I am sanitizing the input with the following code. Is it still vulnerable, or was there a false positive? If it is vulnerable, could you point out to me which characters I still must filter? Thanks. $safe = mysql_real_escape_string($input); $allowed_tags = array('p','b','i','u','em','strong'); foreach ($allowed_tags as $tag) { $safe = str_ireplace('<'.$tag.'>','['.$tag.']',$safe); $safe = str_ireplace('</'.$tag.'>','[/'.$tag.']',$safe); } $safe = htmlentities(strip_tags($safe), ENT_COMPAT | ENT_HTML401, 'UTF-8'); foreach ($allowed_tags as $tag) { $safe = str_ireplace('['.$tag.']','<'.$tag.'>',$safe); $safe = str_ireplace('[/'.$tag.']','</'.$tag.'>',$safe); } return $safe; P.S. If you're wondering, the reason for the replacement loops is to allow simple bbcode style tags (and their html equivalents, which are first converted *to* bbcode, then back after the sanitization).

This project will not be commercialized in that sense. It is already being commercialized in the sense that I use it for client websites. To that end, the GPL does not interfere with me in any way. You present two examples, but neither applies to me. Again, I do not defend the GPL as a whole. I defend it for this specific implementation of this specific type of software as it suits my purpose. You are completely correct, but again this does not apply to my own circumstances. I'm interested in this. I don't understand. In real world conditions, there would be no switching as I would force SSL in htaccess with mod_rewrite. Am I still vulnerable? If so, how? I do not intend to ignore any reasonable venue of attack.

I am not interested in copyright protection. Though I would be happy if anyone using my code in an open source project gave me credit, I don't intend to try to enforce it legally. My main concern is stopping people from using my code in a proprietary program. Still, as long as they don't distribute the program, I can't stop them from running a completely proprietary service on top of my code (at least that is my understanding of it, though I am not a lawyer). I am surprised at such a negative reaction toward the GPL, but it was not my intention to start a dispute over licensing. I'm not trying to say it is "better" than any other license. I have chosen it, however, because it seems to provide the very qualities that I require for this particular piece of software. If, at any time, someone wishes to use my code in a non-GPL compatible (but OSI approved) project they can always contact me. Under legitimate circumstances I will grant these requests. I appreciate all the help I've been given here so I don't want to appear ungrateful by arguing. I am simply trying to show that I did think about my decision before choosing a license (and I considered other options, such as the BSD licenses and the MIT license). It's likely that no-one saw this, and I've since let the site go down since then, but back in university I created a site called "Anti-FUD" on which I was going to publish controversial articles to drive traffic -- starting with a "GPL vs BSD" license. I did write that article, and it got slashdotted and sent to numerous other places. The reason it was so controversial is that both camps thought I ruled in the other side's favor, when all I actually did was outline the reasons that each was better for specific conditions. I'm not claiming expertise in licensing or law, but suffice to say that I did my research before that article and I did further research before selecting a license now. I welcome any corrections if I've misunderstood one or more of the licenses. Did you try using the SSL enabled link I sent? Also, I have still not updated the code on the demo page, but I have fixed the brute force problem. I intend to finish this release before I update the demo, so it could be a few days. Thanks for being so prompt about the scanning, however

Yes I realized after I posted that I actually had that discussion in a private message (I was trying to avoid derailing this topic). My bad. Edited and fixed.

To clarify my choice of GPL: I don't want my code to end up in a proprietary project (unless I'm being paid to work on the project). If there is another reason to dislike GPL besides the "viral" nature, I am open to listening and am not adverse to switching the license. As I wrote all the code the option is still open to me to license it as I will. Have a compelling reason I should switch? Tell me and I'll consider it.