[Xerte] Quiz Security

Patrick Lockley Patrick.Lockley at nottingham.ac.uk
Wed Dec 10 14:43:55 GMT 2008


Hello,

I need to step through and sanitise the inputs / limit where scripts can
run from - though some of the security we expect people to handle
themselves. I've tried to make the code as basic as possible, and at
points, it does need to be more rigid with its checking.

The .htaccess is a possibility, but with version 1.0 we are likely to
have an Apache-free version to go with the XAMPP, so I'm not sure what is
best at present on that front.

Thanks

Pat

-----Original Message-----
From: xerte-bounces at lists.nottingham.ac.uk
[mailto:xerte-bounces at lists.nottingham.ac.uk] On Behalf Of David Goodwin
Sent: 10 December 2008 14:26
To: Xerte discussion list
Subject: Re: [Xerte] Quiz Security

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Patrick Lockley wrote:
> I always thought there would be.
> 
> Care to point out where? 
> 


For example :


modules/xerte/engine/upload.php : appears to use the user specified file
name in the resultant path (what if it contains ../ etc?)

setup: somehow needs disabling (e.g. creating a .htaccess file?) after
it's been run once

modules/xerte/engine/save.php : what if $_POST['filename'] contained ../
? Could someone overwrite something they shouldn't be able to? It
blindly accepts $_POST['template_id'] in a DB query - should sanitise
it, else you risk SQL injection.


thanks
David.


--
 David Goodwin                          Pale Purple Limited
 Office: 0845 0046746                   Mobile: 07792380669
 http://www.palepurple.co.uk            Company No: 5580814
 'Business Web Application Development and Training in PHP'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFJP9Fq/ISo3RF5V6YRApG6AKCLR1GPHhv2V+zJa7fKrHzkoEA8EQCfb52X
yBQR6uD64adtPyt0drJOKLQ=
=lGsp
-----END PGP SIGNATURE-----
_______________________________________________
Xerte mailing list
Xerte at lists.nottingham.ac.uk
http://lists.nottingham.ac.uk/mailman/listinfo/xerte
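The three findings in David's message (setup left runnable, user-controlled file names in upload.php and save.php, and $_POST['template_id'] dropped straight into a query) share one hardening pattern: validate the input against a narrow allow-list, then make the dangerous operation structurally unable to misuse it. The sketch below is an added example written for this page, not Xerte code; the lock-file location, the upload directory, and the `templates` table and column names are assumptions for illustration.

```php
<?php
// Added example, not Xerte code: one hardening sketch for the three findings
// above (setup left enabled, user-controlled file names in upload.php and
// save.php, unescaped template_id in save.php). The directory, table and
// column names, and the lock-file location, are assumptions for illustration.

declare(strict_types=1);

// 1. Setup: refuse to run again once a lock file exists. Unlike an .htaccess
//    rule this does not depend on Apache, so it also covers other servers.
function setup_is_locked(string $lockFile): bool
{
    return file_exists($lockFile);
}

function mark_setup_done(string $lockFile): void
{
    // Record when setup completed; LOCK_EX avoids two concurrent first runs.
    file_put_contents($lockFile, 'completed ' . date('c') . "\n", LOCK_EX);
}

// 2. File names: accept a plain name only and confirm the resulting path is
//    still inside $baseDir. Returns null for anything that would escape.
function contained_path(string $baseDir, string $userName): ?string
{
    // Directory separators, NUL bytes (which truncate the path in the C
    // layer) and dot-only names are never legitimate file names here.
    if ($userName === '' || $userName === '.' || $userName === '..'
        || strpbrk($userName, "/\\\0") !== false) {
        return null;
    }
    // Conservative allow-list; Xerte content files have simple names.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $userName)) {
        return null;
    }
    $base = realpath($baseDir);          // base directory must already exist
    if ($base === false) {
        return null;
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $userName;
    // The file may not exist yet, so resolve its parent directory and
    // require that it is exactly $base (also defeats symlinked parents).
    if (realpath(dirname($candidate)) !== $base) {
        return null;
    }
    return $candidate;
}

// 3. template_id: validate as a positive integer, then bind it as a
//    parameter rather than interpolating it into the SQL text.
function fetch_template(PDO $db, $rawId): ?array
{
    if (!is_int($rawId) && !is_string($rawId)) {
        return null;
    }
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string) $rawId)) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT template_id, template_name FROM templates WHERE template_id = :id'
    );
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration with constructed inputs (an in-memory SQLite database stands
// in for the real one; the hostile strings are made up for the demo).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE templates (template_id INTEGER PRIMARY KEY, template_name TEXT)');
$db->exec("INSERT INTO templates VALUES (1, 'quiz'), (2, 'slideshow')");

$lock = sys_get_temp_dir() . '/xerte-setup.lock';   // assumed location
if (setup_is_locked($lock)) {
    echo "setup: already completed, refusing to run\n";
} else {
    echo "setup: running for the first time\n";
    mark_setup_done($lock);
}

foreach (['quiz1.xml', '../../etc/passwd', "a.php\0.xml", '..\\config.php'] as $name) {
    $path = contained_path(sys_get_temp_dir(), $name);
    printf("filename %-24s => %s\n", json_encode($name), $path ?? 'REJECTED');
}

foreach (['1', '2 OR 1=1', '1; DROP TABLE templates', '-1'] as $id) {
    $row = fetch_template($db, $id);
    printf("template_id %-28s => %s\n", json_encode($id),
        $row === null ? 'REJECTED or not found' : $row['template_name']);
}
```

Two points on the design. The file-name check deliberately uses an allow-list of characters rather than stripping `../`, because stripping can be bypassed (for example `....//` collapses to `../` after one pass) and leaves encoded or backslash variants untouched; the `realpath()` comparison is a second, independent guard in case the allow-list is later loosened. For the query, validating `template_id` as an integer and binding it with `PDO::PARAM_INT` are complementary: the prepared statement alone already prevents injection, the validation additionally rejects junk before it reaches the database. If the deployment is known to run under Apache, an .htaccess in the setup directory containing `Order deny,allow` and `Deny from all` (Apache 2.2 syntax; `Require all denied` on 2.4) is the conventional alternative to the lock file, but as Pat notes above it does nothing for an Apache-free build.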

