  #84  
Old 9th February 2006, 08:24
webstergd

I talked with my friend about the problem and had him read the entire thread. He is familiar with ISP Config and has looked at some of the source code before, just not an in-depth look. To add weight to his opinion, I would feel comfortable saying he could easily be one of the best "security" programmers in the US. Graduated from Harvard, headhunted by Google to be a security programmer (he declined), and all that goodness.

The reply from my friend goes as follows:

Quote:
All non-user-typed form input should have numbers as its values. These should be validated against a list of allowable values, and then used as indexes into tables that retrieve filenames and such. That way the user never has the opportunity to "fuzz" any filenames that ever get accessed directly on your system.

I think my general policy is "if it ain't in a table you created and manage carefully, it should never find its way into a URL".
Quote:
I mean, in a system ideally designed for security from the ground up you should never have to pass anything to "escapeshellcmd" because there shouldn't be any way user input would ever end up outside of your script.

In response to rewriting escapeShellCmd:
Quote:
Hmmm. I like your idea of having your own input validation function that's extensible where needed, and hopefully in some reusable module.

The important thing to make sure is that the user doesn't get to control which method their input is validated against, either. So don't make it a hidden variable on the form. It should be statically set by the developer.
In response to Till's whitelist filter for web[id]:
he said that it should do the trick. In simple terms, my friend didn't find any flaws with Till's filter for web[id]. :-)
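The two pieces of advice quoted in the post above (numeric, allowlisted IDs that index a developer-managed table of filenames, and validators that the developer picks statically rather than the form) can be shown in one small PHP script. This is an added example written for this page; it is not ISPConfig code and not the friend's code. The table contents, field names, paths and the `tail` command are all hypothetical.

```php
<?php
// Added example, not ISPConfig code. All names and paths below are hypothetical.
// Idea: reduce every non-typed form field to an allowlisted integer, resolve that
// integer through a table the developer controls, and never let the raw request
// string reach a filename or a shell command.

declare(strict_types=1);

// Developer-managed table: the ONLY source of filenames this script will touch.
const LOG_FILES = [
    1 => '/var/log/hypothetical/access.log',
    2 => '/var/log/hypothetical/error.log',
    3 => '/var/log/hypothetical/mail.log',
];

// Which validator applies to which field is fixed here by the developer.
// Nothing in the request (no hidden form field) can change this mapping.
const FIELD_RULES = [
    'log_id' => 'validateLogId',
    'lines'  => 'validateLineCount',
];

function validateLogId(string $raw): ?int
{
    // Only a canonical decimal integer is accepted, and only if it is a table key.
    if (!preg_match('/\A[1-9][0-9]{0,5}\z/', $raw)) {
        return null;
    }
    $id = (int) $raw;
    return array_key_exists($id, LOG_FILES) ? $id : null;
}

function validateLineCount(string $raw): ?int
{
    if (!preg_match('/\A[1-9][0-9]{0,2}\z/', $raw)) {
        return null;
    }
    $n = (int) $raw;
    return ($n >= 1 && $n <= 500) ? $n : null;
}

/**
 * Validate a whole request against FIELD_RULES. Fields not listed in the rules
 * are ignored; a missing or invalid listed field rejects the whole request.
 * Returns the validated integer values, or null on rejection.
 */
function validateRequest(array $request): ?array
{
    $clean = [];
    foreach (FIELD_RULES as $field => $validator) {
        if (!isset($request[$field]) || !is_string($request[$field])) {
            return null;
        }
        $value = $validator($request[$field]);
        if ($value === null) {
            return null;
        }
        $clean[$field] = $value;
    }
    return $clean;
}

/**
 * Build the command from table values and integers only. The user's input has
 * already been reduced to integers, so there is nothing left to pass through
 * escapeshellcmd(); escapeshellarg() on the table path is only belt and braces.
 */
function buildTailCommand(array $clean): string
{
    $path = LOG_FILES[$clean['log_id']];
    return sprintf('tail -n %d %s', $clean['lines'], escapeshellarg($path));
}

// Constructed requests for the example (a normal one, a traversal attempt, and
// one that tries to smuggle in a "validator" field, which is simply ignored).
$requests = [
    ['log_id' => '2', 'lines' => '50'],
    ['log_id' => '../../etc/passwd', 'lines' => '50'],
    ['log_id' => '2', 'lines' => '50', 'validator' => 'noop'],
];

foreach ($requests as $req) {
    $clean = validateRequest($req);
    echo $clean === null ? "rejected\n" : buildTailCommand($clean) . "\n";
}
```

The point of keeping FIELD_RULES as a constant is that the request cannot pick which check it is subjected to; the third constructed request shows an extra field being ignored rather than honoured. Because the only string that ever reaches the shell comes out of LOG_FILES, the traversal attempt is rejected at the regex before it could ever be looked up.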