Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CWE errors #58

Merged
merged 4 commits into from
Jul 13, 2020
Merged

Fix CWE errors #58

merged 4 commits into from
Jul 13, 2020

Conversation

lordealeister
Copy link
Contributor

Fixes some vulnerabilities pointed out by Veracode.

@lordealeister
Copy link
Contributor Author

Hi @lordealeister, do you plan to create a PR for it? :-) It looks great to me.

Hello. Yes, I just created it. :)

@f3l1x f3l1x merged commit 425cb49 into f00b4r:master Jul 13, 2020
@f3l1x
Copy link
Member

f3l1x commented Jul 13, 2020

Excellent! Thx.

Copy link
Contributor

@IMSoP IMSoP left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While this was clearly well-intentioned, I think this PR has several serious issues. I suggest reverting it and subjecting future attempts to more careful testing and review.

$ret_val = ob_get_contents();
ob_end_clean();
return $ret_val;
}

function sanitize($value) {
return htmlspecialchars(strip_tags($value), ENT_COMPAT, 'utf-8');
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Running both strip_tags and htmlspecialchars doesn't make much sense. In general, trying to write an all-purpose "sanitize" method is a bad idea: escaping should be related to the context where you're outputting or using something.

echo '<input type="hidden" name="proxyhost" value="' . $client->sanitize($proxyhost) .'">';
echo '<input type="hidden" name="proxyport" value="' . $client->sanitize($proxyport) .'">';
echo '<input type="hidden" name="proxyusername" value="' . $client->sanitize($proxyusername) .'">';
echo '<input type="hidden" name="proxypassword" value="' . $client->sanitize($proxypassword) .'">';
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should probably just use htmlspecialchars directly, because we shouldn't be changing the value, just escaping it for the browser.

@@ -908,11 +908,15 @@ function getmicrotime()
function varDump($data)
{
ob_start();
var_dump($data);
var_dump($this->sanitize($data));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$data here is not guaranteed to be a string. We also don't have an output context here, so escaping is inappropriate - it might never be displayed in an XML or HTML context.

@@ -2714,13 +2718,13 @@ function setCredentials($username, $password, $authtype = 'basic', $digestReques
$A1 = $username . ':' . (isset($digestRequest['realm']) ? $digestRequest['realm'] : '') . ':' . $password;

// H(A1) = MD5(A1)
$HA1 = md5($A1);
$HA1 = password_hash($A1, PASSWORD_DEFAULT);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Digest Authentication is specified to use MD5 hashes, we can't simply substitute a different algorithm.

@@ -8433,7 +8410,7 @@ function __construct($cache_dir='.', $cache_lifetime=0) {
* @access private
*/
function createFilename($wsdl) {
return $this->cache_dir.'/wsdlcache-' . md5($wsdl);
return $this->cache_dir.'/wsdlcache-' . password_hash($wsdl, PASSWORD_DEFAULT);
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not a security hash, so password_hash is inappropriate - password hashing is designed to be slow, but in this case we want something fast. md5 is still perfectly appropriate for this kind of use.

@@ -8497,15 +8474,15 @@ function get($wsdl) {
* @access private
*/
function obtainMutex($filename, $mode) {
if (isset($this->fplock[md5($filename)])) {
if (isset($this->fplock[password_hash($filename, PASSWORD_DEFAULT)])) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As above, this is not a secure hash, md5 is fine.

}
} elseif ($this->wsdl) {
$this->debug("In service, return Web description");
print $this->wsdl->webDescription();
print $this->sanitize($this->wsdl->webDescription());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a huge breaking change: HTML documentation can be embedded in WSDL files, and this completely breaks its display.

@f3l1x
Copy link
Member

f3l1x commented Jul 17, 2020

Because this PR introduced some unexpected behaviour and revert it and bump v0.9.10 (https://github.com/pwnlabs/nusoap/releases/tag/v0.9.10).

We need to dig deeper.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

3 participants