Hospedaje-Trotamundos / buddypress-media

Automatically exported from code.google.com/p/buddypress-media

Audit filters on user input prior to release #12

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
[Describe this work unit]

Before publishing the 0.1.9 release, audit the filters used on all user input 
fields to ensure the correct filters are being used to strip SQL and other bad 
things, prior to adding information to the database. Also ensure the correct 
filters are being run when data is returned from the database.

Fill the form fields with test data and examine the DB entries to make sure the 
filters are working properly. 

I'm adding this task as a safety measure to guarantee it happens before 
release. 

This task only applies to 0.1.9 because we have made changes to the data fields.

[What components of the plugin will be affected by this change]
Media Item, Albums, Member Tags, Keyword Tags

[Does this work unit block any other work units?]
No. It blocks final release.

[Estimated hours of developer time this work unit will require]
Less than 1 hour. This item should be reviewed by BOTH lead developers, and 
ideally a mentor as well.

[Estimated completion date]
TBD

Original issue reported on code.google.com by CarlRoett@gmail.com on 16 Jul 2010 at 10:18
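As an added illustration of the "sanitize on the way in, escape on the way out" audit the issue asks for, the following is example code written for this page, not BP Media's own plugin code. It assumes a hypothetical custom table `{$wpdb->prefix}bp_media_items` and hypothetical form field names (`title`, `description`, `album_id`, `tags`); the WordPress functions used (`sanitize_text_field`, `wp_kses_post`, `absint`, `sanitize_title`, `$wpdb->insert`, `$wpdb->prepare`, `esc_html`, `esc_attr`) are the real core APIs.

```php
<?php
// Added example (not the project's code): sanitize every user-controlled value
// before it reaches the database, bind it through $wpdb, and escape again on
// output. Table name and field names are constructed for this illustration.

/**
 * Persist one media item from a submitted form array.
 * Returns the new row id, or a WP_Error when validation or the insert fails.
 */
function bpm_example_save_item( array $post ) {
    global $wpdb;

    $title       = sanitize_text_field( $post['title'] ?? '' );        // plain text only
    $description = wp_kses_post( $post['description'] ?? '' );         // limited, safe HTML
    $album_id    = absint( $post['album_id'] ?? 0 );                    // integers are cast, never trusted
    $tags        = array_filter( array_map( 'sanitize_title', explode( ',', $post['tags'] ?? '' ) ) );

    if ( '' === $title || 0 === $album_id ) {
        return new WP_Error( 'bpm_invalid', 'Title and album are required.' );
    }

    // $wpdb->insert() quotes/casts according to the format list, so no raw
    // form input is ever concatenated into SQL.
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'bp_media_items',
        array(
            'title'       => $title,
            'description' => $description,
            'album_id'    => $album_id,
            'tags'        => implode( ',', $tags ),
        ),
        array( '%s', '%s', '%d', '%s' )
    );

    return $inserted ? (int) $wpdb->insert_id : new WP_Error( 'bpm_db', $wpdb->last_error );
}

/**
 * Read one item back and render it. The id is bound with prepare(); stored
 * values are treated as untrusted again and escaped for the context they land in.
 */
function bpm_example_render_item( $item_id ) {
    global $wpdb;

    $row = $wpdb->get_row(
        $wpdb->prepare(
            "SELECT title, description, album_id FROM {$wpdb->prefix}bp_media_items WHERE id = %d",
            absint( $item_id )
        )
    );
    if ( ! $row ) {
        return '';
    }

    return sprintf(
        '<div class="bpm-item" data-album="%s"><h3>%s</h3>%s</div>',
        esc_attr( $row->album_id ),   // attribute context
        esc_html( $row->title ),      // HTML body context
        wp_kses_post( $row->description )
    );
}
```

The manual check described in the issue (fill the fields with test data, then inspect the rows) is the right companion to this: submit strings containing quotes, angle brackets and SQL keywords, confirm they are stored as inert text, and confirm the rendered page shows them literally rather than interpreting them.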

GoogleCodeExporter commented 9 years ago
Update:

...Also ensure that the plugin deletes ANY file that does not have the right 
type of extension, *before* writing it to the uploads directory, because it 
*might* create a vulnerability for inexperienced users.

Details:

1) User has uploads directory permissions set "wide open", granting "execute" 
rights to the web server for all uploaded files.

2) Hacker uploads "rootkit.php"

3) BP Media saves file to the uploads directory.

4) In the 1/10 of a second window while the plugin is analyzing the file before 
it gets rejected and deleted, the hacker executes the file by calling 
http://example.com/...uploads dir.../rootkit.php

5) Hacker gains root access to the WP install

Solutions:

-Grab the filename posted to the server by the upload form, and if it's not a 
supported extension never even convert the TMP file to a real file, just unlink 
it.

-Never use the user-supplied filename in the first place. Grab the extension, 
and save it as [random].[extension]

Original comment by CarlRoett@gmail.com on 4 Aug 2010 at 5:32
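The two fixes proposed in the comment above, as an added example that is not part of the original thread or of BP Media's code: the extension is decided from the posted filename while the temp file still sits in PHP's upload directory, and the stored file gets a server-generated `[random].[extension]` name. The function name `bpm_example_store_upload`, the image-only allow-list and the `getimagesize` content check are assumptions added here; `wp_upload_dir`, `wp_generate_password`, `trailingslashit` and `WP_Error` are the real WordPress APIs, and `is_uploaded_file`/`move_uploaded_file` are standard PHP.

```php
<?php
// Added example (not the project's code). Nothing is written into the uploads
// directory unless the file has already passed every check, so there is no
// window in which a rejected file is reachable over HTTP.

/**
 * Store a single uploaded file from $_FILES[$field].
 * Returns the absolute path of the saved file, or a WP_Error.
 */
function bpm_example_store_upload( $field ) {
    // Constructed allow-list: extension => MIME type the bytes must decode as.
    $allowed = array(
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'png'  => 'image/png',
        'gif'  => 'image/gif',
    );

    if ( empty( $_FILES[ $field ] ) || UPLOAD_ERR_OK !== $_FILES[ $field ]['error'] ) {
        return new WP_Error( 'bpm_upload', 'No file received.' );
    }
    $tmp  = $_FILES[ $field ]['tmp_name'];
    $name = $_FILES[ $field ]['name'];   // attacker-controlled: used only to derive the extension

    // The path must be one PHP itself received via HTTP upload, not an arbitrary file.
    if ( ! is_uploaded_file( $tmp ) ) {
        return new WP_Error( 'bpm_upload', 'Not an uploaded file.' );
    }

    // Fix 1: reject on extension while the file is still in the temp dir
    // (outside the web root); an unsupported file is unlinked, never moved.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! isset( $allowed[ $ext ] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bpm_upload', 'File type not permitted.' );
    }

    // Defence in depth (added here): the declared extension must agree with the bytes.
    $info = getimagesize( $tmp );
    if ( false === $info || $info['mime'] !== $allowed[ $ext ] ) {
        @unlink( $tmp );
        return new WP_Error( 'bpm_upload', 'File content does not match its extension.' );
    }

    // Fix 2: never reuse the user's filename; save as [random].[extension].
    $upload = wp_upload_dir();
    if ( ! empty( $upload['error'] ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bpm_upload', $upload['error'] );
    }
    $dest = trailingslashit( $upload['path'] ) . wp_generate_password( 32, false ) . '.' . $ext;

    if ( ! move_uploaded_file( $tmp, $dest ) ) {
        @unlink( $tmp );
        return new WP_Error( 'bpm_upload', 'Could not store file.' );
    }
    // Clear any execute bit the process umask may have left on the new file.
    chmod( $dest, 0644 );

    return $dest;
}
```

Because the extension check runs before `move_uploaded_file()`, the scenario in steps 3 and 4 above cannot occur: a rejected upload only ever exists under PHP's temporary directory, which is not served by the web server. The random name additionally means a user cannot predict the URL of their own upload or overwrite another member's file by choosing the same name.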