The DBLayer Trapping anti-SQL-Injection of Protector-3.30 with XOOPS2 raises a "SQL Injection" alert at updating preferences including doublequatation(").
This wrong detection is caused by the wrong way to escape SQL.
class/database/mysqldatabase.php
function quoteString($str)
{
$str = "'".str_replace('\\"', '"', addslashes($str))."'";
return $str;
}
function quoteString($str)
{
$str = "'".str_replace('\\"', '"', addslashes($str))."'";
$str = "'".mysql_real_escape_string($str)."'";
return $str;
}
We have to know comparing doubtful requests and all SQLs in the DB Layer have to pay not a few CPU band.
Then, we can override the DB Layer only when "attackable requests" has come.
Almost all HTTP requests never have such "attackable requests".
This logic make it compatible the speed and the security.
My protector find "attackable requests" by this pattern (perl regex formatted):
/(information_schema|select|'|")/i
'OR 1#
To Compare request and SQL, we have to override DB layer.
With XOOPS, this will be implemented as a modification for databasefactory.php because the database factory class looks too rigid.
This is my modification.
It might be not the best way, but better way for adopted by each core teams of XOOPS forks/folks.
class/database/databasefactory.php
require_once $file;
/* patch from */
if ( defined('XOOPS_DB_ALTERNATIVE') && class_exists( XOOPS_DB_ALTERNATIVE ) ) {
$class = XOOPS_DB_ALTERNATIVE ;
} else /* patch to */if (!defined('XOOPS_DB_PROXY')) {
$class = 'Xoops'.ucfirst(XOOPS_DB_TYPE).'DatabaseSafe';
} else {
$class = 'Xoops'.ucfirst(XOOPS_DB_TYPE).'DatabaseProxy';
}
$instance =& new $class();
I've shocked just by looking inside of the archive of xoops-2.3.2b.
They put XOOPS_TRUST_PATH folder inside htdocs/ !
(They renamed xoops_trust_path into xoops_lib. this fact also shows us they didnot understand the meaning of XOOPS_TRUST_PATH)
Moreover, there are no .htaccess under the folder xoops_lib/
I suspect my eyes.
mamba had reported LFI in the file under XOOPS_TRUST_PATH.
This is another evidence they cannot understand the meaning of inside/outside DocumentRoot.
When mamba said "I fixes Protector", I replied "Such a patch is non-sense".
This report proves mamba's patch was just non-sense.
http://www.milw0rm.com/exploits/7705
You should interpret the report is not an exploit of Protector itself but just XOOPS-2.3.2.
Anyway, phppp and developpers of xoops.org should do right now:
Put xoops_lib(XOOPS_TRUST_PATH) ouside of htdocs.
Learn the meanining of inside/outside DocumentRoot.
Read how to install Protector V3 again and again!
If you cannot do that or cannot understand what I mean, remove Protector from your archive.
Your wrong structure of the archive gave me pain.
My module -Protector- is useful for protecting all XOOPS forks/folks from maricious attacks as long as the module is installed rightly.
There are a lot of XOOPS modules or PHP applications with SQL Injection still.
Protector can protect some patterns of SQL Injections.
It is just "some" instead of "all".
That's because Protector cannot distinguish attacks and fair requests just by REQUEST layer.
A word of "UNION" will be posted as "UNI-ON".
Such modification in REQUEST layer must be non-sense.
Then, Protector should judge them by both REQUEST layer and DB layer.
anti-XSS:
(a) doubtful requests are found
(b) ob_start()
(c) compare requests and outputs
SQL Injection:
(1) doubtful requests are found
(2) override DB layer
(3) compare requests and SQLs
It is not easy to implement (3) because Protector have to parse SQLs.
However, (2) will be the most problem for XOOPS.
Because there are no way to override DB layer.
I will suggest DB layer modification can be overridden for all core teams in the next entry.
This idea is based on JM2. (four years ago!)
He is the real hero for XOOPS