I finally got around to patching several environmental variable vulnerabilities in Partholan. These were already known about but on the long finger since early versions were changing so much. I have added a small class with static methods for cleaning up such variables – the contents of $_SERVER to be precise – which should remove any vulnerabilities where such variables are utilised. For example, since $_SERVER['PHP_SELF'] can be easily overwritten on many Apache installations (via a mod_rewrite style method of appending variables to a URI) we now use:

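// Keep PHP_SELF only up to and including this script's file name; anything appended after it is dropped.
$phpself = basename(__FILE__);
$_SERVER['PHP_SELF'] = substr($_SERVER['PHP_SELF'], 0, strpos($_SERVER['PHP_SELF'], $phpself)) . $phpself;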

This splits off any unwanted tag-along variables that may have been injected into the variable.

Also cleaning up several others, validating IPs (properly – see the ip2long() function), etc. We’re gradually but surely working up the security ladder. There are definitely several more areas needing attention – the goal is to complete all security measures prior to a fully publicised release of QSE or Partholan.
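
The PHP_SELF truncation and the ip2long() check described above, as an added example that is not Partholan's own code. The function names, the use of SCRIPT_FILENAME in place of __FILE__, and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the class shipped with Partholan.

/**
 * Truncate PHP_SELF just after the script's file name.
 * $scriptFile is the entry script's path (assumed here to come from
 * $_SERVER['SCRIPT_FILENAME']); __FILE__ only names the entry script
 * when this code is not inside an included file.
 */
function clean_php_self(string $phpSelf, string $scriptFile): string
{
    $name = basename($scriptFile);
    $pos  = strpos($phpSelf, $name);
    if ($pos === false) {
        // Script name missing entirely: distrust the value and return the bare name.
        return '/' . $name;
    }
    return substr($phpSelf, 0, $pos) . $name;
}

/**
 * Strict IPv4 check built on ip2long(). ip2long() returns false for
 * malformed input; the long2ip() round trip also rejects any form that
 * does not print back identically to what was supplied.
 */
function is_valid_ipv4(string $ip): bool
{
    $long = ip2long($ip);
    return $long !== false && long2ip($long) === $ip;
}

// Constructed sample inputs.
$rawSelf = '/qse/index.php/"><b>appended</b>';
$clean   = clean_php_self($rawSelf, '/var/www/qse/index.php');

// Truncation removes the appended data; escaping on output is still applied
// because the directory part of the path is not validated here.
echo htmlspecialchars($clean, ENT_QUOTES, 'UTF-8'), "\n";

foreach (['192.168.0.10', '192.168.0.256', '10.0.0.1junk', '1.2.3'] as $ip) {
    printf("%-16s %s\n", $ip, is_valid_ipv4($ip) ? 'valid' : 'rejected');
}
```

The check is IPv4 only, since ip2long() does not handle IPv6 addresses.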
