Yii Framework Forum: Acunetix Software Instead Of Numeric And String Parameters, Sends An Array - Yii Framework Forum


#1 za_al (Junior Member; Group: Members; Posts: 53; Joined: 06-March 12)

Posted 13 September 2012 - 05:24 AM

Hi all,

I've tested my site with the Acunetix software.


One of the types of HTTP requests that the Acunetix software sends: instead of numeric and string parameters, it sends an array. For example:

The true query string (username is a string):

http://localhost/yii/framework/apa/index.php?r=site/login & username=test


Acunetix's request:

http://localhost/yii/framework/apa/index.php?r=site/login & username[]=test


Acunetix's request sends username[] as an array, but the program is expecting a string.

Finally the error page occurs. This page contains an error/warning message that may disclose sensitive information. The message can also contain the location of the file that produced the unhandled exception.

I solved this problem with:


class LoginForm extends CFormModel
{
    .....
    protected function beforeValidate()
    {
        // Reject the request if username or password did not arrive as a string
        // (e.g. username[]=test), before any validation rule touches the value.
        if (!is_string($this->username) || !is_string($this->password)) {
            throw new CHttpException(400, 'Invalid request.');
        }
        // Return the parent's result so onBeforeValidate handlers are honoured.
        return parent::beforeValidate();
    }
}



But for the r parameter, the software sent the following request to the site:

http://localhost/yii/framework/apa/index.php?r[]=site/index



Parameter r is an array instead of a string.

The following error occurs:

    trim() expects parameter 1 to be string, array given


In your opinion, what is the solution for this error?
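One way to stop the r[]=... case before Yii's CUrlManager::parseUrl() ever calls trim() on it is to hook the application's onBeginRequest event, which fires before processRequest(). This is an added example, not code from the thread or from the Yii project; it assumes a Yii 1.1 application, and the class name ScalarParamGuard and the list of guarded keys are assumptions for the illustration (the class must live where the application's autoloader finds it, e.g. protected/components).

```php
<?php
// Added example; this is not code from the thread or from the Yii project.
// Rejects array-valued request parameters that the application only ever
// expects as scalars, before CUrlManager::parseUrl() reads $_GET['r'] and
// before any controller runs. Assumes a Yii 1.1 application; the class name
// and the list of guarded keys are assumptions for this illustration.

class ScalarParamGuard
{
    // Parameters the application always treats as strings (assumed list).
    public static $scalarKeys = array('r', 'username', 'password');

    // Returns the names of keys in $params that appear in $scalarKeys but
    // arrived as arrays, e.g. from ?r[]=site/index or ?username[]=test.
    public static function offendingKeys(array $params, array $scalarKeys)
    {
        $bad = array();
        foreach ($scalarKeys as $key) {
            if (isset($params[$key]) && !is_scalar($params[$key])) {
                $bad[] = $key;
            }
        }
        return $bad;
    }

    // onBeginRequest handler: CApplication::run() raises this event before
    // processRequest(), so 'r' is checked before trim() ever sees it.
    // Form attributes posted as LoginForm[username] sit one level deeper and
    // stay covered by the beforeValidate() check shown in the thread.
    public static function check($event)
    {
        $bad = array_merge(
            self::offendingKeys($_GET, self::$scalarKeys),
            self::offendingKeys($_POST, self::$scalarKeys)
        );
        if ($bad !== array()) {
            // A 400 with a fixed message discloses nothing about which
            // PHP function would have choked on the array.
            throw new CHttpException(400, 'Invalid request.');
        }
    }
}

// Wiring in index.php, after $app = Yii::createWebApplication($config):
//   $app->onBeginRequest = array('ScalarParamGuard', 'check');
//   $app->run();
```

The CHttpException is caught by Yii's own exception handler, so the visitor sees the normal 400 error page rather than a PHP warning naming a file and line.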

#2 Y!! (Advanced Member; Group: Yii Dev Team; Posts: 978; Joined: 18-June 09)

Posted 13 September 2012 - 06:01 AM

Back on googlecode there was a ticket about this. As far as I remember the result was to not fix such issues caused by manipulation. The main reason is that YII_DEBUG should be set to false in production - that means no information will be exposed. So in this case type-checking all the "vulnerable" code-parts is kind of redundant since the method signature already defines which types are allowed and which aren't. Also type-checking would add a little overhead.

Keep in mind you are free to customize the yii error page to a more user friendly version.

#3 za_al (Junior Member; Group: Members; Posts: 53; Joined: 06-March 12)

Posted 13 September 2012 - 08:25 AM

Y!!, on 13 September 2012 - 06:01 AM, said:

    Back on googlecode there was a ticket about this. As far as I remember the result was to not fix such issues caused by manipulation. The main reason is that YII_DEBUG should be set to false in production - that means no information will be exposed. So in this case type-checking all the "vulnerable" code-parts is kind of redundant since the method signature already defines which types are allowed and which aren't. Also type-checking would add a little overhead.

    Keep in mind you are free to customize the yii error page to a more user friendly version.



Thanks for your reply.

I changed my previous function as follows:

class LoginForm extends CFormModel
{
    .....
    protected function beforeValidate()
    {
        // Only reject values that arrived as arrays; a missing attribute (null)
        // is left to the normal validation rules.
        if (is_array($this->username) || is_array($this->password)) {
            throw new CHttpException(400, 'Invalid request.');
        }
        // Return the parent's result so onBeforeValidate handlers are honoured.
        return parent::beforeValidate();
    }
}


An error itself may not be important, but hackers can take advantage of combining these errors.

Do you think there is a better solution?

#4 Y!! (Advanced Member; Group: Yii Dev Team; Posts: 978; Joined: 18-June 09)

Posted 13 September 2012 - 12:47 PM

za_al, on 13 September 2012 - 08:25 AM, said:

    An error itself may not be important, but hackers can take advantage of combining these errors.

    Do you think there is a better solution?



How can they take advantage?

I think it's fine the way it is.

#5 za_al (Junior Member; Group: Members; Posts: 53; Joined: 06-March 12)

Posted 02 October 2012 - 05:17 AM

Y!!, on 13 September 2012 - 12:47 PM, said:

    How can they take advantage?



For example, this error:


htmlspecialchars() expects parameter 1 to be string, array given



The hacker finds that the parameter validation function is htmlspecialchars. If the function has a bug, he could use that bug.



I've found a better solution:

Turn off all error reporting on the server:


error_reporting(0);



But I do not know how to set it in Yii.

#6 samdark (Having fun; Group: Yii Dev Team; Posts: 3,615; Joined: 17-January 09; Location: Russia)

Posted 02 October 2012 - 05:46 AM

Just remove define('YII_DEBUG', true) from your index.php.
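A production index.php that applies this advice and also answers post #5's question of where such a setting lives in Yii: debug off so the framework shows its plain error page, with PHP warnings still recorded server-side rather than silenced by error_reporting(0). This is an added example, not code from the thread or from the Yii project; it assumes a Yii 1.1 layout, and the paths, the site/error action and the log route are assumptions.

```php
<?php
// Added example, not from the thread or from Yii: a production index.php that
// keeps PHP warnings such as "trim() expects parameter 1 to be string" out of
// the response while still logging them for the operator. Assumes a Yii 1.1
// layout; the paths, the 'site/error' action and the log route are assumptions.

// YII_DEBUG off: CErrorHandler renders the plain error view (no stack trace,
// no source file paths) instead of the developer exception page.
defined('YII_DEBUG') or define('YII_DEBUG', false);

// Do not use error_reporting(0): Yii registers its error handler with the
// current error_reporting mask, so a mask of 0 also stops the handler and the
// log route from ever seeing the warning. Keep reporting on, hide the display.
error_reporting(E_ALL);
ini_set('display_errors', '0');

require_once(dirname(__FILE__) . '/../framework/yii.php');

$config = array(
    'basePath' => dirname(__FILE__) . '/protected',
    // The log component must be preloaded, or its routes never attach.
    'preload' => array('log'),
    'components' => array(
        // Uncaught exceptions and PHP warnings are routed to
        // SiteController::actionError, whose view decides what the visitor
        // sees; show a generic message there rather than $error['message'].
        'errorHandler' => array('errorAction' => 'site/error'),
        // The details stay with the operator: a file log of errors and warnings.
        'log' => array(
            'class' => 'CLogRouter',
            'routes' => array(
                array('class' => 'CFileLogRoute', 'levels' => 'error, warning'),
            ),
        ),
    ),
);

Yii::createWebApplication($config)->run();
```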
