Hello all,
Since this is the first time I am posting to this list, let me first
introduce myself. I am Dietrich Moerman, a computer science student from
Belgium (that's the small country known for its chocolates ;)). In my
free time, I develop the UseBB forum package. Version 1, written in PHP
4, has been developed and available since early 2004, while version 2
(object-oriented PHP 5.2) is currently under development. Especially in the
last few years, I have been very aware of security and performance
problems, also thanks to Ilia Alshanetsky's talks available at his website.
However, recently we have been plagued by a few false reports spread
about so-called "vulnerabilities" in UseBB 1. Announcements have been
made to explain the exact situation and to recover from the damage being
done as much as possible. But... what I found yesterday beats it all.
A recent talk from Ilia about PHP security pitfalls
(http://ilia.ws/files/phptek2007_secpitfalls.pdf) mentions "useBB"
(wrong capitalization, btw) containing exploitable code. The "offending"
code was found using Google Code Search and used to demonstrate SQL
injection in PHP.
First, let me clearly state that there are at this time no known
vulnerabilities or exploitable code in UseBB 1. The code which is said
to be exploitable is not exploitable at all. Ilia failed to check the
code for security measures; had he done so, he should have noticed that the
GET variable can only contain strings with pure integer values ($string
== strval(intval($string))). Besides this, all input variables (GET,
POST, COOKIE) should be safe against SQL injection.
Second, if Ilia was convinced he had found a security issue in UseBB 1,
why did he not contact us about it? I thought it was common sense that
the first thing you do when having found an issue is contacting the
developers and awaiting a fix, before releasing any public information.
So, why am I posting this? Mainly to recover from any damage being done.
I know PHPTek 2007 is visited by lots of capable PHP developers, some of
whom also read php.internals, and many (if not all) of them have
been falsely informed about UseBB being a forum system of which the
developer(s) don't care about security and have their code full of SQL
injection possibilities. Only the exact opposite is true.
I also question whether it is a good idea to just pick random
vulnerable code found using Google Code Search and place it in much-read
talks about security on a public website without contacting any
developer or awaiting any fix. I know PHP has a bad reputation
concerning security, mostly because of the many badly written
applications, but randomly putting projects in a bad light because of
some "this looks vulnerable" code won't help that much; on the
contrary.
So, if there are any PHP developers in here who have been badly informed
about UseBB, I can only hope their vision of our project will be
adjusted. And if any other people here tend to write talks about
security containing example pieces of code from real Open Source
projects, first do some research and, if necessary, contact the
developer(s), or else just leave the name of the project out.
Regards,
Dietrich Moerman
UseBB Developer
Computer Science Student
http://dmoerman.be
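As an added example (not UseBB code and not part of the post above), here is the integer check the post describes, $string == strval(intval($string)), beside a strict-comparison variant, run over constructed inputs so the effect of PHP's loose numeric-string comparison is visible; the prepared-statement lines at the end are an assumed illustration of how a validated value would then reach the database.

```php
<?php
// Added example, not UseBB code. Shows the "pure integer string" check from
// the post (loose ==) next to a strict (===) variant on constructed inputs.

// The check as described in the post: the input must survive a round trip
// through intval()/strval() unchanged, compared loosely.
function is_pure_int_loose(string $s): bool
{
    return $s == strval(intval($s));
}

// Same round trip, but strict comparison: PHP's numeric-string rules can no
// longer make two differently spelled strings compare equal.
function is_pure_int_strict(string $s): bool
{
    return $s === strval(intval($s));
}

// Constructed sample inputs, as they might arrive in $_GET.
$samples = [
    '42',         // plain integer: accepted by both
    '-7',         // negative integer: accepted by both
    '007',        // leading zeros: loose accepts ("007" == "7" is true), strict rejects
    '42abc',      // trailing junk: rejected by both ("42abc" is not a numeric string)
    '1 OR 1=1',   // injection-shaped: rejected by both
    "42' --",     // quote and comment: rejected by both
    ' 42',        // leading whitespace: loose accepts (numeric string), strict rejects
    '1e1',        // exponent form: loose result depends on PHP version (intval("1e1")
                  // is 10 from PHP 7.1 on, 1 before); strict always rejects
    '',           // empty: rejected by both (round-trips to "0")
];

foreach ($samples as $s) {
    printf("%-12s loose=%-5s strict=%s\n",
        var_export($s, true),
        is_pure_int_loose($s) ? 'true' : 'false',
        is_pure_int_strict($s) ? 'true' : 'false');
}

// Assumed usage: whichever variant gates the input, the accepted value is
// still cast and bound as a parameter rather than interpolated into SQL.
// $stmt = $pdo->prepare('SELECT * FROM topics WHERE id = ?');
// $stmt->execute([(int) $_GET['id']]);
```

Every accepted string in either variant is a plain integer, so none of them can change the structure of a query; the strict variant only narrows the accepted spellings to the canonical one.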
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php