[za_al]

Hi All dear

I've tested my site with the Acunetix software.


One of the types of HTTP requests that the Acunetix software sends.

Acunetix Software instead of numeric and string parameters, sends an array.for example:

true quey string:(username is string)

http://localhost/yii/framework/apa/index.php?r=site/login & username=test

Acunetix's request:

http://localhost/yii/framework/apa/index.php?r=site/login & username[]=test

Acunetix's request send username[] as array.but Program is waiting for a string.

finally Occurs the Error Page.This page contains an error/warning message that may disclose sensitive

information.The message can also contain the location of the file that produced the unhandled exception.

I solve this problem whith:

 class LoginForm extends CFormModel
{
   .....    
   protected function beforeValidate() {
       if(
        !is_string($this->username)||
        !is_string($this->password)

               )
       {
	  throw new CHttpException(400,'Invalid request.');
       }
       parent::beforeValidate();
         return true;
       
   }
}

but for r parameter.Software following a request sent to the site:

http://localhost/yii/framework/apa/index.php?r[]=site/index

Parameter r is array Instead string.

Occurs the following error:

Quote

trim() expects parameter 1 to be string, array given

In your opinion, what is the solution for this error?

[Y!!]

Back on googlecode there was a ticket about this. As far as I remember the result was to not fix such issues caused by manipluation. Main reason is YII_DEBUG should be set to false in production - that means no information will be exposed. So in this case type-checking all the "vulnerable" code-parts is kind of redundant since the method signature already defines which types are allowed and which don't. Also type-checking would add a little overhead.

Keep in mind you are free to customize the yii error page to a more user friendly version.

[za_al]

Y!!, on 13 September 2012 - 06:01 AM, said:

Back on googlecode there was a ticket about this. As far as I remember the result was to not fix such issues caused by manipluation. Main reason is YII_DEBUG should be set to false in production - that means no information will be exposed. So in this case type-checking all the "vulnerable" code-parts is kind of redundant since the method signature already defines which types are allowed and which don't. Also type-checking would add a little overhead.

Keep in mind you are free to customize the yii error page to a more user friendly version.

tanx for your reply

I changed my previous function as follows:

class LoginForm extends CFormModel
{
   .....    
   protected function beforeValidate() {
       if(
        is_array($this->username)||
        is_array($this->password)

               )
       {
          throw new CHttpException(400,'Invalid request.');
       }
       parent::beforeValidate();
         return true;
       
   }
}

An error itself may not be important.But hackers can take advantage of combine these errors.

Do you think there is a better solution?

[Y!!]

za_al, on 13 September 2012 - 08:25 AM, said:

An error itself may not be important.But hackers can take advantage of combine these errors.

Do you think there is a better solution?

How can they take advantage?

I think it's fine the way it is.

[za_al]

Y!!, on 13 September 2012 - 12:47 PM, said:

How can they take advantage?

for example of error:

htmlspecialchars() expects parameter 1 to be string, array given

Hacker found that parameter validation function is htmlspecialchars.If the function have a bug. Could use it bug.



I've found a better solution:

Turn off all error reporting on server:

error_reporting(0);

But I do not know how to set it in Yii.

[samdark]

Just remove define('YII_DEBUG', true) from your index.php.