PostNuke: A Flexible Open Source Content Management System
Security Advisory pnFlashGames

  • Posted: 01.05.2007, 05:29 by InvalidResponse (rank: pnProfessional, registered: September 2003, posts: 2423)
    http://secunia.com/advisories/25043/
    Quick fix: open pnuser.php find:
    Code
    function pnFlashGames_user_view()
    {
        // Get parameters from whatever input we need.  All arguments to this
        // function should be obtained from pnVarCleanFromInput(), getting them
        // from other places such as the environment is not allowed, as that makes
        // assumptions that will not hold in future versions of PostNuke
        $startnum = pnVarCleanFromInput('startnum');
        $contid = pnVarCleanFromInput('contid');
        $cid = pnVarCleanFromInput('cid');

    Cast input:
    Code
    function pnFlashGames_user_view()
    {
        // Get parameters from whatever input we need.  All arguments to this
        // function should be obtained from pnVarCleanFromInput(), getting them
        // from other places such as the environment is not allowed, as that makes
        // assumptions that will not hold in future versions of PostNuke
        $startnum = (int)pnVarCleanFromInput('startnum');
        $contid = (int)pnVarCleanFromInput('contid');
        $cid = (int)pnVarCleanFromInput('cid');

    -----
    http://www.invalidresponse.com
  • Posted: 01.05.2007, 19:06 by uheweb (rank: pnProfessional, registered: September 2004, posts: 720)
    Can someone explain how this is a security issue?

    Does the pnVarCleanFromInput not capture SQL injection attempts, or must the developer always restrict input to specific, dedicated variables?

    I notice there are several other functions in pnFlashGames that also do not include (int) in front of the cid, startnum or contid variables. Should these be adjusted as well, or was there something specific in the view function?

    Thanks for any further insight.

    Nolan
    UHEweb





    edited by: uheweb, May 01, 2007 - 12:07 PM
  • Posted: 02.05.2007, 14:09 by Simon (rank: Steering Committee, registered: December 2002, posts: 13326)
    pnVarCleanFromInput() does not catch SQL injection attempts - it simply cleans restricted tags (and extraneous quotes added through magic_quotes) from the variable. It is the responsibility of pnVarPrepForStore() to protect against SQL injection and pnVarPrepHTMLDisplay()/pnVarPrepForDisplay() to handle cross site scripting attempts.

    Developers are responsible for using the correct functions and relevant typecasting to protect against malicious input.

    -----
    Regards,
    Simon

    itbegins.co.uk - PostNuke Consulting

    Please read the Support Guide
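
An added illustration (not from the thread and not pnFlashGames or PostNuke code) of why the integer cast in the quick fix matters when a request value lands in a numeric SQL context. `clean_tags_only()`, `escape_quotes()`, `require_int()`, the `games` table and the sample value are hypothetical; the script only builds query strings and contacts no database.

```php
<?php
// Hypothetical stand-in for a cleaner that only strips markup, which is how
// the thread describes pnVarCleanFromInput(). Not the PostNuke implementation.
function clean_tags_only(string $raw): string
{
    return strip_tags($raw);
}

// Generic quote escaping (an assumption; not a claim about any PostNuke function).
function escape_quotes(string $value): string
{
    return addslashes($value);
}

// Builds the query text only. Table and column names are constructed.
// The value is interpolated unquoted, as is usual for numeric ids.
function build_query($cid): string
{
    return "SELECT name FROM games WHERE cid = $cid";
}

// Stricter alternative to a cast: reject anything that is not a
// non-negative integer instead of silently coercing it.
function require_int(string $raw): int
{
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($value === false) {
        throw new InvalidArgumentException('expected a non-negative integer');
    }
    return $value;
}

$raw = '7 OR 1=1'; // constructed request value for cid

// Tag stripping leaves the SQL fragment intact.
echo build_query(clean_tags_only($raw)), "\n";
// Quote escaping changes nothing here: the value contains no quotes.
echo build_query(escape_quotes(clean_tags_only($raw))), "\n";
// The cast keeps only the leading integer, so the fragment never reaches the query.
echo build_query((int) clean_tags_only($raw)), "\n";

// Validation rejects the malformed value outright.
try {
    echo build_query(require_int($raw)), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

The cast is applied per variable, so every function that places `cid`, `startnum` or `contid` into a query needs its own cast or validation.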
  • Posted: 02.05.2007, 21:09 by craigh (rank: pnProfessional, registered: June 2003, posts: 1015)
    hey - any chance you could fix the high scores problem too? ;)
  • Posted: 04.05.2007, 03:56 by backharlow (rank: pnFreshman, registered: July 2006, posts: 31)
    After applying the patch I get the following error on the user side:
    Code
    Error! Called unknown function: pnFlashGames_userapi_isbanned()
    username => Admin

    I also tried it with other users who are not admin and it gives the same statement.
    (PN .764)
