
Re: [Dolibarr-dev] Vulnerabilities


From: Laurent Destailleur (eldy)
Subject: Re: [Dolibarr-dev] Vulnerabilities
Date: Sun, 20 Oct 2013 15:56:13 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0

On 18/10/2013 17:02, Doursenaud, Raphaël wrote:

2013/10/17 Laurent Léonard <address@hidden>
As specified at the end of the article you pointed to, those vulnerabilities are
fixed in Dolibarr 3.4.1:

It also says "However, their sanitization methods were not fixed, and no mention was made on a future patch.  Other SQLi vectors are likely." in the introduction.

This is a wrong affirmation. There are two levels of sanitizing.

- the first one is when receiving parameters. For this one, it is correct that sanitizing is not complete. But we don't want this first level to be complete, and it is not possible (for example, if a user wants to submit an example of an SQL script in a comment or a mailing, he should be able to).
So it is true this level of protection is not complete, but that is not the goal of this first level; protection is guaranteed by the second level, and the report lets one think we tried to make things secure with the first level. No, security is guaranteed by the second level and only the second level (because it is possible to do so completely only with the second level).

- the second level is when forging SQL requests, HTML output or command line strings. It is the level that makes things completely secure. For this case, there are functions that exist to do complete sanitizing:
* for HTML output, the function is dol_escape_htmltag
* for JavaScript output, the function is dol_escape_js
* for SQL forging, the function is db->escape
* for shell scripts, the function is escape_shell
Maybe at specific places in the code, calling those functions was forgotten, but saying the sanitizing functions are not fixed is wrong, since these functions are not bugged (the report was just speaking about the first level). There is no need to use parametrized queries. This will not change anything; we will still need to use the escape function according to the way the data is used (HTML, JavaScript, SQL or command line string). So we must just be sure that we are using the sanitizing function when we should.


We should think about converting the source code to use parametrized queries. Maybe in a 4.0 branch?
What's your opinion?
--
Raphaël Doursenaud
05 35 53 97 13 - 06 68 48 20 10

Technopole Hélioparc
2 avenue du Président Pierre Angot
64053 PAU CEDEX 9
SARL GPC.solutions au capital de 7 500 € - R.C.S. PAU 528 995 921


_______________________________________________
Dolibarr-dev mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev


-- 
Eldy (Laurent Destailleur).

EMail: address@hidden
Web: http://www.destailleur.fr

Dolibarr (Project leader): http://www.dolibarr.org
To make a donation for Dolibarr project via Paypal: address@hidden
AWStats (Author) : http://awstats.sourceforge.net
To make a donation for AWStats project via Paypal: address@hidden
AWBot (Author) : http://awbot.sourceforge.net
CVSChangeLogBuilder (Author) : http://cvschangelogb.sourceforge.net
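As an added illustration of the two-level model argued in the reply above (example code, not Dolibarr's own; the helpers are generic stand-ins for dol_escape_htmltag, dol_escape_js and db->escape, built on Python's standard library and an in-memory SQLite database): the raw comment, which legitimately contains SQL and HTML, passes the first level untouched, and each output sink applies its own encoding, with both the parametrized and the escape-at-the-sink SQL approaches shown side by side.

```python
import html
import json
import sqlite3

# Constructed sample input: a user legitimately pastes an SQL fragment and
# some HTML into a comment. The first level (input filtering) must not
# mangle it, so all of the protection has to happen at each output sink.
COMMENT = "Try: SELECT * FROM users WHERE login = 'admin'; -- <b>works</b>"


def _fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comment (id INTEGER PRIMARY KEY, body TEXT)")
    return db


def store_parametrized(comment: str) -> str:
    """SQL sink, approach 1: a parametrized query. The value travels as a bound
    parameter, so the quotes and ';' inside it never reach the SQL parser."""
    db = _fresh_db()
    db.execute("INSERT INTO comment (body) VALUES (?)", (comment,))
    (stored,) = db.execute("SELECT body FROM comment").fetchone()
    return stored


def sql_escape(value: str) -> str:
    """SQL sink, approach 2 (the db->escape style): double every single quote,
    which makes the value safe only when embedded inside '...' in SQL text."""
    return value.replace("'", "''")


def store_escaped(comment: str) -> str:
    """Same sink, query built by concatenation around sql_escape()."""
    db = _fresh_db()
    db.execute("INSERT INTO comment (body) VALUES ('" + sql_escape(comment) + "')")
    (stored,) = db.execute("SELECT body FROM comment").fetchone()
    return stored


def to_html(value: str) -> str:
    """HTML sink: entity-encode so the comment renders as text, not markup."""
    return html.escape(value, quote=True)


def to_js_literal(value: str) -> str:
    """JavaScript sink: emit a JSON string literal, and also escape '</' so
    the literal cannot terminate an enclosing <script> element."""
    return json.dumps(value).replace("</", "<\\/")
```

The three encodings are not interchangeable: HTML-escaping the comment before the INSERT would corrupt the stored data, which is why the escape has to be chosen by the sink where the value is used.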
