Welcome to the LimeSurvey Community Forum


Tainted strings

ollehar (Topic Author, LimeSurvey GmbH Employee)
5 years 2 months ago - 5 years 2 months ago #179548 by ollehar
Tainted strings was created by ollehar
There's an extension available for PHP that lets you trace tainted strings. A tainted string is a string that is unsafe: it is not escaped, it can include XSS or SQL injection, and so on. Here's the link:

secure.php.net/manual/en/book.taint.php

I managed to install it using this:
Code:
apt install php7.1-dev
pecl install taint

Then you have to edit php.ini:
Code:
extension=taint.so
taint.enable = 1
taint.error_level = E_ERROR

As an example I tried to view a question in LimeSurvey and got the following error:

The problem was that $qid is never escaped or cast to integer, but shown as-is in the PHP view file. It's easily solved by putting
Code:
$qid = (int) $qid;

in the controller.

Just a tip. :)
Last edit: 5 years 2 months ago by ollehar.
The topic has been locked.
DenisChenu (LimeSurvey Community Team)
5 years 2 months ago #179561 by DenisChenu
Replied by DenisChenu on topic Tainted strings
False positive?

sid + gid + qid are always filtered, and a 403 is sent if the value is not numeric without a leading 0.
github.com/LimeSurvey/LimeSurvey/blob/9b...mmon_Action.php#L148

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
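A worked illustration of both points in the thread, added here as an example and not code from the posts or from LimeSurvey itself: it marks a constructed request value as tainted with ext/taint's taint()/is_tainted(), shows that the (int) cast from the first post yields an untainted value, and applies a hypothetical filterId() modelled on the "numeric, no leading 0, otherwise 403" rule DenisChenu describes. It assumes PHP 7.1+ with ext/taint loaded (taint.enable=1); without the extension it degrades to the filter alone.

```php
<?php
// Added example (not from the thread or LimeSurvey's code base).
// Demonstrates: ext/taint marking, the (int) cast clearing the taint,
// and a strict id filter in the spirit of the "numeric without leading 0,
// else 403" check described in the thread.
declare(strict_types=1);

// Hypothetical filter for a survey/group/question id: digits only,
// no leading zero. Returns the id as int, or null when it must be
// rejected (a controller would answer with HTTP 403 in that case).
function filterId(string $value): ?int
{
    if (!ctype_digit($value) || (strlen($value) > 1 && $value[0] === '0')) {
        return null;
    }
    return (int) $value;
}

function hasTaintExtension(): bool
{
    return function_exists('is_tainted');
}

// Constructed sample inputs standing in for $_GET['qid'].
$samples = ['42', '007', '42 OR 1=1', '<script>', '', '0'];

foreach ($samples as $raw) {
    if (hasTaintExtension()) {
        taint($raw); // mark as untrusted, as the extension does for request data
    }
    $id = filterId($raw);
    if ($id === null) {
        printf("%-14s => reject (403)\n", var_export($raw, true));
        continue;
    }
    $rawTainted  = hasTaintExtension() ? (is_tainted($raw) ? 'yes' : 'no') : 'n/a';
    // An int carries no taint flag; a string built from it is a fresh,
    // untainted string, which is why the (int) cast silences the extension.
    $castTainted = hasTaintExtension() ? (is_tainted((string) $id) ? 'yes' : 'no') : 'n/a';
    printf("%-14s => id=%d, raw tainted: %s, cast tainted: %s\n",
        var_export($raw, true), $id, $rawTainted, $castTainted);
}
```

Run it with `php -d extension=taint.so -d taint.enable=1 example.php` to see the taint flags; the filter output is the same either way.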
DenisChenu (LimeSurvey Community Team)
5 years 2 months ago #179564 by DenisChenu
Replied by DenisChenu on topic Tainted strings
False positive, no?
