Welcome to the LimeSurvey Community Forum
Tainted strings
- ollehar
- Topic Author
- LimeSurvey GmbH Employee
5 years 3 months ago - 5 years 3 months ago #179548
by ollehar
Tainted strings was created by ollehar
There's an extension available for PHP that lets you trace tainted strings. A tainted string is a string that is unsafe, not escaped, can include XSS or SQL injection, and so on. Here's the link:
secure.php.net/manual/en/book.taint.php
I managed to install it using this:
Code:
apt install php7.1-dev
pecl install taint
Then you have to edit php.ini:
Code:
extension=taint.so
taint.enable = 1
taint.error_level = E_ERROR
As an example I tried to view a question in LimeSurvey and got the following error:
The problem was that $qid is never escaped or cast to integer, but shown as-is in the PHP view file. It's easily solved by putting
Code:
$qid = (int) $qid;
in the controller.
Just a tip.
Last edit: 5 years 3 months ago by ollehar.
The topic has been locked.
- DenisChenu
- LimeSurvey Community Team
5 years 3 months ago #179561
by DenisChenu
Replied by DenisChenu on topic Tainted strings
False positive?
sid, gid and qid are always filtered, and a 403 is sent if the value is not numeric or starts with a 0.
github.com/LimeSurvey/LimeSurvey/blob/9b...mmon_Action.php#L148
Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
The topic has been locked.
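The two posts above describe, on one side, a raw $qid reaching the view (which ext/taint flags when the string is echoed) and the (int) cast that fixes it, and, on the other, the guard Denis refers to (ids refused with a 403 unless they are plain numbers without a leading 0). The PHP below is an added illustration, not code from this thread or from LimeSurvey: it models both behaviours in a small controller/view pair so the difference between coercing and rejecting is visible. The names controllerUnsafe, controllerCast, controllerGuarded, renderView, isTainted and the $request array are constructed for this example; is_tainted() and taint() are the extension's own functions; the regex is an assumption about what "numeric without a leading 0" means, not LimeSurvey's actual filter.

```php
<?php
// Added example, not code from the forum thread or from LimeSurvey.
// Assumes PHP with ext/taint loaded; without the extension the taint check
// degrades to "any string is suspect" so the script still runs.

// Constructed request value: a question id carrying an XSS payload.
$request = ['qid' => '42<script>alert(1)</script>'];
if (function_exists('taint')) {
    // ext/taint marks strings coming from $_GET/$_POST/$_COOKIE by itself;
    // our literal is not from a superglobal, so mark it the same way.
    taint($request['qid']);
}

// True when ext/taint considers the value tainted (it propagates the mark
// through concatenation and clears it after escaping such as htmlspecialchars()).
function isTainted($value): bool
{
    if (function_exists('is_tainted')) {
        return is_tainted($value);
    }
    return is_string($value); // conservative fallback without the extension
}

// Vulnerable controller: forwards the raw string, so the view echoes it as-is.
function controllerUnsafe(array $request)
{
    return $request['qid'];
}

// Fixed controller from ollehar's post: the cast yields an int, which cannot
// carry taint; '42<script>...' becomes 42.
function controllerCast(array $request): int
{
    return (int) $request['qid'];
}

// Stricter guard in the spirit of Denis' reply (regex is an assumption):
// only a decimal id without a leading zero is accepted, anything else is
// refused with a 403 instead of being silently coerced.
function controllerGuarded(array $request): array
{
    $qid = (string) ($request['qid'] ?? '');
    if (!preg_match('/^[1-9][0-9]*$/', $qid)) {
        return ['status' => 403, 'body' => 'Forbidden'];
    }
    return ['status' => 200, 'body' => renderView((int) $qid)];
}

// The view: it just interpolates whatever the controller handed over.
function renderView($qid): string
{
    return '<h1>Question ' . $qid . '</h1>';
}

$raw = controllerUnsafe($request);
echo isTainted($raw) ? "unsafe: tainted value reaches the view\n"
                     : "no taint detected\n";
// With taint.error_level = E_ERROR, echoing renderView($raw) would abort
// the script under ext/taint, which is the error ollehar hit.

$cast = controllerCast($request);
echo renderView($cast), "\n";                    // <h1>Question 42</h1>

$resp = controllerGuarded($request);
echo $resp['status'], ' ', $resp['body'], "\n";  // 403 Forbidden
```

The cast silently turns a malformed id into a valid-looking one (42 here), which is safe for output but hides the fact that something odd was requested; the guard makes the same input a visible 403, which is what makes a probing attempt show up in the access log.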
- DenisChenu
- LimeSurvey Community Team
5 years 3 months ago #179564
by DenisChenu
Replied by DenisChenu on topic Tainted strings
Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
The topic has been locked.