Home
>
Sphider Support
>
Topic
Version 1.3.4: XSS vulnerability fix
Posted by Ando
|
Version 1.3.4: XSS vulnerability fix April 29, 2008 05:30PM |
Admin Registered: 3 years ago Posts: 368 |
|
Re: Version 1.3.4: XSS vulnerability fix April 29, 2008 08:08PM |
Registered: 3 years ago Posts: 259 |
|
Re: Version 1.3.4: XSS vulnerability fix April 29, 2008 08:57PM |
Registered: 3 years ago Posts: 674 |
|
Re: Version 1.3.4: XSS vulnerability fix April 29, 2008 11:41PM |
Registered: 3 years ago Posts: 259 |
|
Re: Version 1.3.4: XSS vulnerability fix April 30, 2008 11:44AM |
Admin Registered: 3 years ago Posts: 368 |
Tec Wrote:
-------------------------------------------------------
> He only modified .../include/searchfuncs.php with
> a small modification. And that should prevent XSS
> attacks???
Yes, the original code was using an unsanitized string which was printed to output. The change is about using the sanitized string instead. So the change indeed does prevent XSS attacks.
-------------------------------------------------------
> He only modified .../include/searchfuncs.php with
> a small modification. And that should prevent XSS
> attacks???
Yes, the original code was using an unsanitized string which was printed to output. The change is about using the sanitized string instead. So the change indeed does prevent XSS attacks.
|
Re: Version 1.3.4: XSS vulnerability fix April 30, 2008 06:38PM |
Registered: 3 years ago Posts: 674 |
XSS attacks are not a problem for 'printing to output' as you wrote. I'm sure you know quite well that XSS attacks are dangerous to destroy the database. That is why I build the secure mod that really prevents dangerous query input. I think I don't need to remember you that all query input are stored in querylog. And also in the newest version of Sphider you still use:
saveToLog(addslashes($query), $time, $rows);
That is why I first "cleaned" all input before processed.
Tec
saveToLog(addslashes($query), $time, $rows);
That is why I first "cleaned" all input before processed.
Tec
|
Re: Version 1.3.4: XSS vulnerability fix May 01, 2008 09:16AM |
Admin Registered: 3 years ago Posts: 368 |
|
Re: Version 1.3.4: XSS vulnerability fix May 01, 2008 02:25PM |
Registered: 3 years ago Posts: 674 |
Well, on a first impression you may limit XSS attacks to print outs. But this is only a disfigurement on the monitor. Perhaps the XSS (Cross Site Scripting) Cheat Sheet
[ha.ckers.org]
might give an impression about XSS complexity.
Never the less we should not run into a competition on how much security is necessary or required. The users may decide individually how much they intend to investigate.
Tec
[ha.ckers.org]
might give an impression about XSS complexity.
Never the less we should not run into a competition on how much security is necessary or required. The users may decide individually how much they intend to investigate.
Tec
|
Re: Version 1.3.4: XSS vulnerability fix May 01, 2008 02:46PM |
Registered: 2 years ago Posts: 8 |
|
Re: Version 1.3.4: XSS vulnerability fix May 08, 2008 09:38AM |
Registered: 2 years ago Posts: 19 |
|
Re: Version 1.3.4: XSS vulnerability fix May 08, 2008 04:51PM |
Registered: 3 years ago Posts: 674 |
Hello Stefano,
No, as stated in readme.pdf, Sphider-plus and original Sphider scripts are not interchangeable.
If you want to integrate Ando's v.1.3.4 news into Sphider-plus, open .../include/searchfuncs.php and search for:
$did_you_mean_b=$query;
$did_you_mean=$query;
Delete that two rows and replace them with the following:
$did_you_mean_b=$entitiesQuery;
$did_you_mean=$entitiesQuery;
In the same file search for:
$full_result['query'] = $query;
Delete that row and replace it with the following:
$full_result['query'] = $entitiesQuery;
That's all.
Tec
No, as stated in readme.pdf, Sphider-plus and original Sphider scripts are not interchangeable.
If you want to integrate Ando's v.1.3.4 news into Sphider-plus, open .../include/searchfuncs.php and search for:
$did_you_mean_b=$query;
$did_you_mean=$query;
Delete that two rows and replace them with the following:
$did_you_mean_b=$entitiesQuery;
$did_you_mean=$entitiesQuery;
In the same file search for:
$full_result['query'] = $query;
Delete that row and replace it with the following:
$full_result['query'] = $entitiesQuery;
That's all.
Tec
Sorry, only registered users may post in this forum.