Forums

Unfortunately no one can be told what FluxBB is - you have to see it for yourself.

You are not logged in.

#1 2019-09-12 22:18:51

JJones
Banned
Registered: 2019-04-28
Posts: 63

Suggest removing stripslashes in a loop

This function is widely redundant ..

function stripslashes_array(

Suggest replacing it in the common.php with an alternative:

$_GET = !empty($_REQUEST)?array_merge($_GET, $_REQUEST):!empty($_GET)?$_GET:array();
$_REQUEST = array();
$_GET = !empty($_GET)?array_filter(filter_input_array(INPUT_GET, FILTER_SANITIZE_STRING | FILTER_SANITIZE_EMAIL)):array();
$_POST = !empty($_POST)?array_filter(filter_input_array(INPUT_POST, FILTER_SANITIZE_EMAIL)):array();

LOOK! No LOOPS!

Anyone got a faster method???

NOTE: do NOT use FILTER_SANITIZE_STRING against $_POST blindly if you have multi-lingual support. However FILTER_SANITIZE_EMAIL will remove slashes $_POST should be pre-filtered for exactly what you want and dump everything else.

Last edited by JJones (2019-09-12 22:22:20)

Offline

#2 2019-09-12 22:27:07

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,721
Website

Re: Suggest removing stripslashes in a loop

This also isn't relevant anymore on the latest master.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#3 2019-09-12 22:47:04

JJones
Banned
Registered: 2019-04-28
Posts: 63

Re: Suggest removing stripslashes in a loop

i don't see ANY filtering of ANY type on the master! Do i have the correct link: https://github.com/fluxbb/fluxbb?

Offline

#4 2019-09-13 11:37:15

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,721
Website

Re: Suggest removing stripslashes in a loop

That filtering was only relevant for PHP's deprecated "magic quotes" functionality. See this commit.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#5 2019-09-13 12:00:18

JJones
Banned
Registered: 2019-04-28
Posts: 63

Re: Suggest removing stripslashes in a loop

lol... you think that filtering inputs is only relevant to GPC? Please let me know when the next update is released without filter protection .... I bet you i am going to find some nasty security exploits.

There are a lot more ways to do nasty things to websites without having to use $_POST

Last edited by JJones (2019-09-13 12:08:03)

Offline

#6 2019-09-13 12:24:57

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,721
Website

Re: Suggest removing stripslashes in a loop

You are again spreading FUD.

Assuming that most installs of PHP have magic quotes disabled (as they should), then how is this different from the same code in the latest released version?

This isn't some form of generic input filtering, and it is by far not the only filtering we have in our codebase. It is only meant to work around the magic quotes functionality, which was flawed by design.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#7 2019-09-13 12:39:38

JJones
Banned
Registered: 2019-04-28
Posts: 63

Re: Suggest removing stripslashes in a loop

lol... i will make a clear and public BET here and now .... showing you at least 3 security flaws upon next release ... you point me to a domain using that modification, and i will have it broken within 45 seconds.

Rules of the BET

1) You can not all of a sudden decide to incorporate a .htaccess file in the root at the least moment of the update

2) You will have to provide ANY 1 domain that is actually using that version.

I am so confident that I will be able to delete at least 20% of the files on that domain that these are my "earnings" of the Bet:

1) You will have to make a public announcement on these forums as a sticky telling everyone that your "Masters Degree" was basically a waste of your life and your school.

2) You will have to address me by the name of "Your God" from that moment to the end of your life.
Since this is the second time you used the term "FUD" again .... now i am going to make you eat those words in front of all of your associates.

There is no point in me explaining what the difference is ( you wont actually learn from it ) ... you "MADE" your decision and then issued a challenge FIRST ...and then issued a challenge.

With that said... CHALLENGE ACCEPTED! Do you agree to the terms of the bet?

Last edited by JJones (2019-09-13 12:40:49)

Offline

#8 2019-09-13 12:44:43

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,721
Website

Re: Suggest removing stripslashes in a loop

Have fun trying it out on these forums. Magic quotes are disabled on this server, so the stripslashes code is disabled.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

#9 2019-09-13 12:46:17

JJones
Banned
Registered: 2019-04-28
Posts: 63

Re: Suggest removing stripslashes in a loop

You are giving me permission to maliciously attack this website? Just to be clear, the exploitation has nothing to do with GPC ..... it has everything to do with INPUT filtering ....

do NOT confuse INPUT with $_POST exclusively!

PS: Screenshot to maintain a history log of your stupidity & pride which just caused harm to your associates, forgetting the fact that you would risk their work over your pride! ( With friends like you, who needs an enemy? )

Screenshot-243.png

Last edited by JJones (2019-09-13 12:57:05)

Offline

#10 2019-09-14 07:16:06

Otomatic
FluxBB Donor
From: Paris - France
Registered: 2010-01-26
Posts: 574
Website

Re: Suggest removing stripslashes in a loop

Banishing JJones is a very lenient sanction. As far as I'm concerned, it's been a long time since this user would have been deleted and so would these messages.


Ce n'est pas parce que l'erreur se propage qu'elle devient vérité. Ghandi
An error does not become truth by reason of multiplied propagation. Ghandi

Offline

#11 2019-09-16 19:59:03

GWR
Member
From: Germany
Registered: 2010-08-06
Posts: 214

Re: Suggest removing stripslashes in a loop

Skipping the part with the bet, arrogance and potentially missing information on what exactly he was talking about:

If he was sure that the code he investigated (can be more than what he "marked" here) contains a flaw if some changes are not done - why not think about what he could have been meaning?
Assume he warned about some lines here - but already had some others in mind too. He shouted here and at the end it resulted in a ban - so we cannot clarify what exact code lines he thinks are adding the security flaw.

Means a look at how input sanitization/checks are done now cannot be wrong.


bye
Ron

Last edited by GWR (2019-09-16 19:59:15)

Offline

#12 2019-09-18 12:24:18

JJones
Banned
Registered: 2019-04-28
Posts: 63

Re: Suggest removing stripslashes in a loop

LOL ... the BET was the best part!!!

If the Administration wishes to be honest ( which they aren't ) the Exploits were already exposed. In fact, one of the three that i mentioned, have been listed as active exploits on FluxBB since version 2013.

As per the Email Exploit, We will just have to wait for his Host to contact him since this server sent a nasty little email to IC3. As i stated, I ACCEPTED the CHALLENGE. ( Relax, the email exploit was only barely legal, but was enough to raise some eyebrows and get your attention. However the exploits themselves were listed under the CMS Security Review ( they are just one of many groups that evaluate security for Content Management Systems )...

As per the "other exploits", as i've stated, go back to 2013. At least half of the exploits were only patched on this specific website through use of HTACCESS, however nobody ever bothered to release an example .htaccess file with the download distribution. But you can guarantee that the 2.0 version of FluxBB will be much worse over time. ( This is why he wanted me to "have fun" with this website, which is exactly what i did ).

LOL... If the Dev team had a clue as to what they were doing, those exploits would have been patched YEARS ago.

Offline

#13 2019-09-18 22:05:22

Franz
Lead developer
From: Germany
Registered: 2008-05-13
Posts: 6,721
Website

Re: Suggest removing stripslashes in a loop

I will close this thread, as it has deviated far from the original topic and is obviously not getting any better.

For the record:
- There are no known security issues in the latest version of FluxBB.
- We ask users and other interested parties to disclose security issue responsibly as described on our contact page.


fluxbb.de | develoPHP

"As code is more often read than written it's really important to write clean code."

Offline

Board footer

Powered by FluxBB