Tainted strings

1 month 3 weeks ago - 1 month 3 weeks ago #179548 by ollehar
Tainted strings was created by ollehar
There's an extension available for PHP that lets you trace tainted strings. A tainted string is a string that is unsafe (not escaped, may include XSS or SQL injection, and so on). Here's the link:

secure.php.net/manual/en/book.taint.php

I managed to install it using this:
apt install php7.1-dev
pecl install taint

Then you have to edit php.ini:
extension=taint.so
taint.enable = 1
taint.error_level = E_ERROR

As an example I tried to view a question in LimeSurvey and got the following error:

The problem was that $qid is never escaped or cast to integer, but shown as-is in the PHP view file. It's easily solved by putting
$qid = (int) $qid;

in the controller.

Just a tip. :)
Last edit: 1 month 3 weeks ago by ollehar.


1 month 3 weeks ago #179561 by DenisChenu
Replied by DenisChenu on topic Tainted strings
False positive ?

sid + gid + qid are always filtered, and a 403 is sent if the value is not numeric without a leading 0.
github.com/LimeSurvey/LimeSurvey/blob/9b...mmon_Action.php#L148

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand (or search sondages pro).
An error happened? Before making a new topic, remember the Debug mode.
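The two sides of this thread, as an added example that is neither LimeSurvey code nor the taint extension's own documentation: it shows how the extension marks a request value and flags it when it reaches HTML output unchanged, how the `(int)` cast from the first post clears the taint, and a numeric-id gate modelled on the "numeric, no leading zero, else 403" rule described in the reply. The `isTainted`, `render*` and `validateId` functions, the regex and the sample value are assumptions for the demo; the real LimeSurvey check is not reproduced here. The script also runs without the extension loaded (the taint checks then simply report "no").

```php
<?php
// Added example: not LimeSurvey code and not from the taint extension manual.
// Demonstrates taint propagation, the (int) cast fix, and an id gate of the
// kind described in the reply (the gate's regex and 403 are assumptions).

// Constructed stand-in for $_GET['qid']. With ext/taint loaded, real request
// strings are tainted automatically; for a CLI run we taint it by hand.
$raw = '12<script>alert(1)</script>';
if (function_exists('taint')) {
    taint($raw);
}

// is_tainted() exists only when ext/taint is loaded; without it the demo
// still runs as plain PHP and reports everything as untainted.
function isTainted(string $s): bool
{
    return function_exists('is_tainted') && is_tainted($s);
}

// Vulnerable pattern: the request value is interpolated into HTML as-is.
// Taint propagates through the interpolation, so with taint.enable=1 an
// echo of this string raises a warning (fatal at taint.error_level=E_ERROR).
function renderUnsafe(string $qid): string
{
    return "<p>Question $qid</p>";
}

// Fix from the first post: cast to int. An integer carries no taint, and the
// interpolated result is a fresh, untainted string.
function renderIntCast(string $qid): string
{
    $qid = (int) $qid;
    return "<p>Question $qid</p>";
}

// Alternative for values that must stay strings: htmlspecialchars() is one
// of the escaping functions the extension treats as untainting its result.
function renderEscaped(string $qid): string
{
    return '<p>Question ' . htmlspecialchars($qid, ENT_QUOTES, 'UTF-8') . '</p>';
}

// Gate modelled on the reply's description: accept only a positive integer
// with no leading zero, otherwise reject before the controller runs.
// Returns null where a real application would answer 403.
function validateId(string $value): ?int
{
    if (!preg_match('/^[1-9][0-9]*$/', $value)) {
        return null;
    }
    return (int) $value;
}

// Demo output. Only untainted strings are printed, so this runs cleanly
// even with taint.error_level=E_ERROR.
printf("raw value tainted:      %s\n", isTainted($raw) ? 'yes' : 'no');
printf("unsafe render tainted:  %s\n", isTainted(renderUnsafe($raw)) ? 'yes' : 'no');
printf("int cast:   %s (tainted: %s)\n", renderIntCast($raw), isTainted(renderIntCast($raw)) ? 'yes' : 'no');
printf("escaped:    %s (tainted: %s)\n", renderEscaped($raw), isTainted(renderEscaped($raw)) ? 'yes' : 'no');

// Constructed candidates for the id gate, printed by label only.
$candidates = [
    'plain id'      => '12',
    'leading zero'  => '012',
    'trailing text' => '12abc',
    'xss payload'   => $raw,
];
foreach ($candidates as $label => $candidate) {
    $id = validateId($candidate);
    printf("validateId(%-13s) => %s\n", $label, $id === null ? '403' : $id);
}
```

With the extension loaded, the first two lines print "yes" and the cast and escaped renders print "no": the warning the first post hit comes from the raw `$qid` reaching the view, while the gate shows why a value that got past the numeric filter would already be a clean integer, which is the reply's "false positive" point.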


1 month 3 weeks ago #179564 by DenisChenu
Replied by DenisChenu on topic Tainted strings
False positive, no ?


