Back to limesurvey.org

Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

Tainted strings

  • ollehar
  • ollehar's Avatar Topic Author
  • Offline
  • LimeSurvey GmbH Employee
  • LimeSurvey GmbH Employee
More
6 years 2 weeks ago - 6 years 2 weeks ago #179548 by ollehar
Tainted strings was created by ollehar
There's an extension available for PHP that lets you trace tainted strings. A tainted string is a string that is unsafe, not escaped, can include XSS or SQL injection, and so on. Here's the link:

secure.php.net/manual/en/book.taint.php

I managed to install it using this:
Code:
apt install php7.1-dev
pecl install taint

Then you have to edit php.ini:
Code:
extension=taint.so
taint.enable = 1
taint.error_level = E_ERROR

As an example I tried to view a question in LimeSurvey and got the following error:



The problem was that $qid is never escaped or cast to integer, but shown as-is in the PHP view file. It's easily solved by putting
Code:
$qid = (int) $qid;

in the controller.

Just a tip. :)
Attachments:
Last edit: 6 years 2 weeks ago by ollehar.
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team & Official Partner
  • LimeSurvey Community Team & Official Partner
More
6 years 2 weeks ago #179561 by DenisChenu
Replied by DenisChenu on topic Tainted strings
False positive ?

sid + gid + qid are always filtered and send 403 if it's not numeric without 0 starting.
github.com/LimeSurvey/LimeSurvey/blob/9b...mmon_Action.php#L148
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development .
I don't answer to private message.
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team & Official Partner
  • LimeSurvey Community Team & Official Partner
More
6 years 2 weeks ago #179564 by DenisChenu
Replied by DenisChenu on topic Tainted strings
False positive, no ?
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development .
I don't answer to private message.
Attachments:
The topic has been locked.
Moderators: holchtpartner

Lime-years ahead

Online-surveys for every purse and purpose

Pricing & Plans
Get started

Legal

About Us

Open Source