MakeWebGames


Posted

I think it's about time we (as a community) organized all the mccode security related threads on this engine. Immortal made a good start with his post in another thread in this section. (For reference, I'll post it below)

Not only would I like to compile a list of all the fixes in this forum, I'd like to think about / work on better methods of securing mccodes. For starters, take a look at this code below and tell me what you think/improvements/comments/questions/etc.

<?php
// Runs in globals.php before any page code: every GET/POST value is either
// forced to a non-negative integer or reduced to letters, digits, spaces and periods.
foreach ($_POST as $k => $v) {
    if (is_numeric($_POST[$k])) {
        // or intval or '+ 0' I'm not sure what the differences are between these options
        $_POST[$k] = abs((int) $_POST[$k]);
    } else {
        /* only allows letters, numbers, spaces, and periods. User input should not need
           anything else... unless you have profile images / signatures / forums / mailboxes
           or whatnot. I prefer getting rid of mccodes mailbox + forum system in favor of
           something more secure that I don't have to constantly update myself like smf or
           phpbb. To run a different function for mailbox, we could just add a variable at
           the top of the mailbox page (such as $mailbox=1;) and then use that flag to run a
           different function in here that parses bbcode and is a bit more lax */
        $_POST[$k] = preg_replace("/[^A-Za-z0-9. ]/", "", $_POST[$k]);
    }
}
foreach ($_GET as $k => $v) {
    if (is_numeric($_GET[$k])) {
        $_GET[$k] = abs((int) $_GET[$k]);
    } else {
        $_GET[$k] = preg_replace("/[^A-Za-z0-9. ]/", "", $_GET[$k]);
    }
}


Post all your ideas/thoughts about securing this engine here, then I will make a new sticky thread with a compilation of the best we can come up with.

 

Posted

Ok, since you asked nicely I'll do a search on all 4 forums I play around on and compile a list with my additional knowledge.

Though undoubtedly those will appear saying McCodes can't be secured :P

Posted

I did have an idea the other night, though I'm not 100% sure it would work because there is no other PHP function that is the same as $_POST.

Perhaps in global functions

$x = abs(@intval($_POST['x']));  // 'x' stands in for whichever field the page reads
$y = mysql_real_escape_string($_POST['y']);

then replace all get/posts with x and y defined on pages. Would speed things up if it would work right, though I'm sure someone will have something to say about it :P

Would if nothing else be a start.

Posted

That's kind of what I was thinking with the code I put in the first post too. Make a quick for loop that cycles through all get and post variables, cleanse them, and put it in globals.php. The function is_numeric would tell you if it's a number or not, which tells you which cleansing function to use.

Posted

Could even do it like this

$_GET
---
// 'a', 'b', 'c', 'd' stand in for the field names the page reads
$a = $_GET['a'] = (isset($_GET['a']) && !empty($_GET['a']) && ctype_digit($_GET['a'])) ? $_GET['a'] : FALSE;
$b = $_GET['b'] = (isset($_GET['b']) && !empty($_GET['b']) && ctype_alnum($_GET['b'])) ? $_GET['b'] : FALSE;
----
$_POST
--
$c = $_POST['c'] = mysql_real_escape_string(htmlentities($_POST['c']));
$d = $_GET['d'] = abs(@intval($_GET['d']));

*NOTE*

Even putting just this in Global Functions does absolutely nothing.

You would have to go to each script you have, decide whether it's a get or post and put the appropriate function.

But it would get a few things done.

Posted

I found this thread very useful in learning security. Thanks Immortal

Posted

Seanybob:

int() and +0 both have the same effect. Not sure about performance-wise but it should be negligible.

 

To run a different function for mailbox, we could just add a variable at the top of the mailbox page (such as $mailbox=1;) and then use that flag to run a different function in here that parses bbcode and is a bit more lax

Note that somebody could add the &mailbox=1 flag to any url and your header code will interpret that. This could lead to a vulnerability.

I'd recommend leaving out the regex for strings, and let that be used on a page by page basis instead.

Or rather than using a whitelist of characters, use a blacklist of characters instead. Then you can filter out the characters/strings that you are sure you do not want on ANY page. On certain pages that might need more security for strings, you can simply add to the blacklist.
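One way to put the first post's loop and the flag point from this reply together, as an added example that is not code from this thread or from mccodes: the page script, not the request, selects the laxer text profile by defining a constant before including globals.php, and nested arrays are walked as well. INPUT_PROFILE, clean_value and sanitize_request are names assumed for this example, and the request at the bottom is constructed sample input.

```php
<?php
// Added example, not from the thread or mccodes. Lives in globals.php; a page
// that needs laxer text (mailbox.php, forums) runs define('INPUT_PROFILE', 'text')
// before including globals.php. Only that constant selects the profile, so a
// visitor appending ?mailbox=1 to any URL changes nothing. (INPUT_PROFILE,
// clean_value and sanitize_request are names chosen for this example.)

function clean_value($value, string $profile)
{
    if (is_array($value)) {
        // nested input such as tags[]=...; keys are user-controlled too
        $out = [];
        foreach ($value as $k => $v) {
            $out[preg_replace('/[^A-Za-z0-9_]/', '', (string) $k)] = clean_value($v, $profile);
        }
        return $out;
    }
    $value = (string) $value;
    if (is_numeric($value)) {
        // (int) and intval() are the same cast; "$value + 0" would instead
        // keep "1.5" as a float, which an id or amount field should not get
        return abs((int) $value);
    }
    if ($profile === 'text') {
        // lax profile: drop control characters, keep punctuation;
        // escape for HTML on output, not here
        return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $value);
    }
    // strict default, as in the first post: letters, digits, space, period
    return preg_replace('/[^A-Za-z0-9. ]/', '', $value);
}

function sanitize_request(array $get, array $post): array
{
    // defined() is consulted here, never $_GET or $_POST
    $profile = defined('INPUT_PROFILE') ? INPUT_PROFILE : 'strict';
    return [
        'get'  => clean_value($get, $profile),
        'post' => clean_value($post, $profile),
    ];
}

// constructed sample request, as seen by a page that did not define INPUT_PROFILE:
// a negative id, a stray mailbox flag, punctuation in a name and a nested tags array
$clean = sanitize_request(
    ['ID' => '-17', 'mailbox' => '1', 'name' => "O'Brien; x"],
    ['post' => 'hi <b>there</b>', 'tags' => ['a b', 'c<d']]
);
print_r($clean);
```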

Posted

could use something along these lines maybe

// text ie: mail posting
$_POST['post'] = (isset($_POST['post']) && !empty($_POST['post']))
    ? preg_replace("/[^A-Za-z0-9. ]/", "", $_POST['post'])
    : '';
if (empty($_POST['post'])) {
    echo 'section not available';
    die;
} else {
    // content...
}

I am a bit tired but that would be something along the lines I'd use
