vb.org Archive

[Tips] Writing more secure hacks (https://vborg.vbsupport.ru/showthread.php?t=74503)

Revan 01-16-2005 10:00 PM

[Tips] Writing more secure hacks
 
I decided to write this because I am bored, and because I felt like sharing something that may be useful to people writing modifications to vBulletin code.
Now I realise that some of this may be obvious to you, but I am still young enough to remember myself asking questions that are now common sense to me.
Enough banter, onto the good stuff! ;)
  1. Use vBulletin's globalize() when parsing GET/POST data

    This can be useful not only for avoiding SQL Injections, it also saves you trouble by running intval() on things that really HAVE to be integers, etc.


  2. If you find you cannot use globalize(), use its functions anyways

    For instance, I have an array consisting of arrays. I have an array of items, which each contains an array of values. All of this needs to be updated in the SQL.
    Trying to use "=> INT" , "=> STR" or anything, results in errors.
    You have to use blank datatype (IE no "=>").
    It is then advised to, inside the SQL query, run the functions globalize() normally would run.
    The globalize() is located in the file /includes/functions.php (Thanks deathemperor :))


  3. When running globalize(), use "=> STR_NOHTML" if HTML is not needed.

    Not too much to comment on this, the only possible security issue this would pose was if this function was run in a /modcp/ file, and the moderator had an urge to run some JavaScript he shouldn't... :ermm:


  4. Always match up GET/POST values against stored values

    For instance, if you have a Shop mod, do not directly update the user's cash based on the cost of the item bought.
    Adding another check to a variable containing the amount of cash a user has got will prevent users from being able to go into negative amounts.
    Now you may think "but he *will* go into negative amounts so he *will* have to pay". True as that may be, if they exploited it once, do you think they will go "Ok, I got my item. I must now go pay the cost and never exploit this again"?
    Neeeh... ;)


  5. Do not think POST is safe

    Even if you use POST to prevent the above exploit, it will only fool the most basic of users.
    Not only is it easy to make it accept GET values simply by using something like "script.php?select=name&cash=1000", but Firefox browser even has an extension called "Web Developer", which allows you to convert POST to GET and vice versa.


  6. Never ever directly use variables containing strings in SQL queries.

    addslashes() is your friend. If you're completely unable to run anything of the above, at least run this.
    (Thanks KirbyDE :))


  7. Never ever assume an integer, especially one that comes from an input, is actually an integer.

    intval() is also your friend.
    (Thanks sabret00the :))


  8. Ready to leave vB's safe haven?

    Security Notes. This is a great piece of reading, thoroughly explaining all advice given, and it doesn't use language assuming we are all developers of the PHP program itself.
    (Thanks Guy G :))


(This is possibly incomplete. I cannot think of anything more at the time of writing. Feel free to comment on things to add! :))
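
As an added example (not code from this thread, and not vBulletin's own globalize() code), the tips above applied to a hypothetical "shop" action in plain PHP. The function names (clean_int, clean_str_nohtml, sql_str, shop_lookup_item, shop_buy, shop_search_sql), the user fields and the table and column names are assumptions, and the database is replaced by an in-memory array so the file runs from the command line. addslashes() is the minimum the thread asks for; the database layer's own escaping or a prepared statement is the better choice where it is available.

```php
<?php
// Added example, not code from the original thread or from vBulletin itself.
// All function, field, table and column names here are assumptions; the database
// is replaced by an in-memory array so the file runs stand-alone.

// Tips 1 and 7: anything that must be an integer goes through intval(),
// which is what globalize()'s "=> INT" does. "5 OR 1=1" becomes 5.
function clean_int($value)
{
    return intval($value);
}

// Tip 3: the "=> STR_NOHTML" idea. Tags are stripped and the remainder is
// escaped, so a value echoed back on a moderator page cannot carry script.
function clean_str_nohtml($value)
{
    return htmlspecialchars(strip_tags((string) $value), ENT_QUOTES);
}

// Tip 6: a string never enters SQL raw. addslashes() is the thread's minimum;
// the database layer's own escaping or a prepared statement is preferable.
function sql_str($value)
{
    return "'" . addslashes((string) $value) . "'";
}

// Constructed stand-in for the shop's item table.
$ITEMS = array(
    1 => array('itemid' => 1, 'title' => 'Custom user title', 'cost' => 500),
    2 => array('itemid' => 2, 'title' => 'Avatar upload',     'cost' => 1500),
);

function shop_lookup_item($itemid)
{
    global $ITEMS;
    return isset($ITEMS[$itemid]) ? $ITEMS[$itemid] : null;
}

// Tips 4 and 5: the price is read from the stored record, never from the
// request, and it makes no difference whether the request came via GET or POST.
function shop_buy(array $request, array $userinfo)
{
    $itemid = clean_int(isset($request['itemid']) ? $request['itemid'] : 0);
    $item   = shop_lookup_item($itemid);
    if ($item === null) {
        return array('ok' => false, 'reason' => 'no such item', 'sql' => null);
    }
    // A client-supplied "cost" field is ignored entirely.
    $cost = (int) $item['cost'];
    if ((int) $userinfo['cash'] < $cost) {
        return array('ok' => false, 'reason' => 'not enough cash', 'sql' => null);
    }
    // The "AND cash >= cost" clause repeats the balance check inside the UPDATE,
    // so two overlapping purchases cannot both succeed and push the balance negative.
    $sql = 'UPDATE user SET cash = cash - ' . $cost
         . ' WHERE userid = ' . clean_int($userinfo['userid'])
         . ' AND cash >= ' . $cost;
    return array('ok' => true, 'reason' => '', 'sql' => $sql);
}

// Tip 6 again, for a free-text field: a title search.
function shop_search_sql(array $request)
{
    $title = clean_str_nohtml(isset($request['title']) ? $request['title'] : '');
    return 'SELECT itemid, title, cost FROM shop_item WHERE title LIKE '
         . sql_str('%' . $title . '%');
}

// Constructed requests: a tampered purchase and an injection attempt in a search.
$user     = array('userid' => 42, 'cash' => 600);
$tampered = array('itemid' => '2 OR 1=1', 'cost' => 1); // a mod trusting "cost" would charge 1
$honest   = array('itemid' => '1');
$search   = array('title' => "x' OR '1'='1<script>alert(1)</script>");

// "2 OR 1=1" casts to 2, the stored cost of item 2 is 1500 > 600, so: not enough cash.
print_r(shop_buy($tampered, $user));
// Item 1 costs 500 <= 600, so the UPDATE is built from the stored cost.
print_r(shop_buy($honest, $user));
// Tags removed, quotes HTML-encoded, and addslashes() covers whatever remains.
echo shop_search_sql($search), "\n";
```

The point to take from shop_buy() is that the request only ever contributes an item id, and even that is cast to an integer before it is used; the price and the balance both come from stored data, so sending the request as GET, POST or through a browser extension that swaps one for the other changes nothing.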

Andreas 01-17-2005 08:32 AM

6. Never ever directly use variables containing strings in SQL queries. Always use addslashes().

sabret00the 01-17-2005 09:16 AM

7. run integers through
PHP Code:

intval() 

before you echo them out into the query

deathemperor 01-17-2005 12:33 PM

globalize() is on functions.php I believe, it stores all global functions, if a function was written for newpost then it should be in function_newpost.php or similar,

nice tips Revan.

Guy G 01-17-2005 06:31 PM

Here is another excellent read about security of your scripts (PHP in general):
http://forums.devshed.com/t20525/s.html

Revan 01-19-2005 07:41 PM

Quote:

Originally Posted by KirbyDE
6. Never ever directly use variables containing strings in SQL queries. Always use addslashes().

Added, thanks :)

Quote:

Originally Posted by sabret00the
7. run integers through
PHP Code:

intval() 

before you echo them out into the query

Same as above :p

Quote:

Originally Posted by deathemperor
globalize() is on functions.php I believe, it stores all global functions, if a function was written for newpost then it should be in function_newpost.php or similar,

nice tips Revan.

Again... :p

Quote:

Originally Posted by Guy G
Here is another excellent read about security of your scripts (PHP in general):
http://forums.devshed.com/t20525/s.html

And for the last time in this post: Thanks
XD


//peace

