-
14 Jul 2011 6:09 AM #1
[ext 4.0.2a] Security flaw in the php sample
Hi,
I'm sorry I didn't know where to post this kind of problem, so I went to the "bug" Section.
In this file:
Code:
./examples/writer/remote/lib/application_controller.php
In the dispatch() function code, you can read:
Code:
if ($request->action) {
    return $this->{$request->action}();
}
This means that if someone tries to access functions he/she shouldn't access, he/she can send a request which will access those functions.
This may lead to a security flaw (imagine if someone creates a child class of ApplicationController that has a function like "authenticate()"): someone from the outside could send a request which will access this function (create a POST with an "action" variable that has the value "authenticate") and, for example, try a brute force attack.
This code implies that all the descendants have to sanitize the input ($request) before calling the dispatch() function.
Maybe a big warning in the comments is missing?
Tell me if I'm wrong, and if so, I apologize.
-
14 Jul 2011 6:37 AM #2
The server-side code is just used to drive the examples; obviously your application code should use something more secure.
Evan Trimboli
Sencha Developer
Twitter - @evantrimboli
Don't be afraid of the source code!
-
14 Jul 2011 6:46 AM #3
You're right. This is just an example, because this is much worse:
Code:
./examples/writer/app.php
Code:
require('remote/app/controllers/' . $request->controller . '.php');
Thank you for your answer,
Olivier.
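
For readers of this thread, an added example (not part of the original posts and not Sencha's code) of routing that resolves both the controller and the action through a fixed allowlist, so request values never reach `require` or a dynamic method call unchecked. The `ROUTES` table, `UsersController` and the sample requests are hypothetical and constructed for illustration.

```php
<?php
// Added example: allowlist-based routing. All names here are hypothetical,
// not taken from the Ext JS sample code.

// Only these controller/action pairs are reachable from a request.
const ROUTES = [
    'users' => ['view', 'create', 'update', 'destroy'],
];

class UsersController
{
    public function view(): string    { return 'view'; }
    public function create(): string  { return 'create'; }
    public function update(): string  { return 'update'; }
    public function destroy(): string { return 'destroy'; }

    // Public helper that must never be callable through the "action" parameter.
    public function authenticate(): string { return 'authenticate'; }
}

function dispatch(array $routes, string $controller, string $action): string
{
    // Strict lookup: the request values only select an allowlist entry; they
    // are never concatenated into a file path or trusted as a method name.
    if (!isset($routes[$controller])
        || !in_array($action, $routes[$controller], true)) {
        throw new InvalidArgumentException('Unknown route');
    }
    // The class name is built only after the key matched the allowlist.
    $class = ucfirst($controller) . 'Controller';
    return (new $class())->{$action}();
}

// Constructed sample requests.
$samples = [
    ['users', 'view'],          // allowlisted pair
    ['users', 'authenticate'],  // public method, but not an allowlisted action
    ['admin', 'view'],          // controller name not in the allowlist
];
foreach ($samples as [$c, $a]) {
    try {
        echo "$c/$a -> ", dispatch(ROUTES, $c, $a), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "$c/$a -> rejected", PHP_EOL;
    }
}
```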