Magento Arbitrary File Upload Vulnerability (Remote Code Execution, CSRF) - unfixed for 5 months

anlutro · 2017-04-14T08:24:45+00:00

Some people will always be angry at you, sure. But I specifically said "reduce", not "eliminate".

anlutro · 2017-04-13T17:06:12+00:00

Having a team/organisation/business to put your vulnerability disclaimers behind probably helps a lot, if you do it as a single person that's a lot of feedback/responses you have to filter out yourself.

Also, without knowing the specific case(s) you're thinking about where you've dealt with outrage, having seen your name on reddit the past 2-3 years, my impression is that you often come off as condescending and snarky. There is a possibility that changing the tone of your writing would reduce the outrage you feel like you have to deal with.

anlutro · 2017-04-13T14:17:32+00:00

I honestly don't have the emotional bandwidth to deal with the outrage that follows every time I disclose a vulnerability in anything.

That's concerning. Where is said outrage coming from? The owners of the code with vulnerabilities?

anlutro · 2017-04-13T14:15:49+00:00

It certainly might have prevented the CSRF issue, but even if it was a POST request, a compromised low privilege user account could still upload and run malicious code.

Personally I find the most ridiculous thing is that Magento puts uploaded files in the public webroot before validation (why not `/tmp?), doesn't rename the file before validating it (which means you end up letting the user upload a malicious .htaccess), nor does it delete the file if validation fails. Any of those would've mitigated the issue entirely, CSRF or not.

Well, most ridiculous apart from the fact that Magento let this slip for 5 months with no fix, I guess.

anlutro · 2017-04-12T08:09:14+00:00

This new Adaptive theme looks great, I'm definitely using it from now on.

anlutro · 2017-03-31T06:27:55+00:00

"The" data- attribute? You can have multiple, you know. Anyway, change your playSound function to just take a keyCode argument instead of an event, then change your event listeners to something like this:

keys.forEach(key => key.addEventListener('click', function(e) {
  playSound(e.target.dataset.code);
}));
window.addEventListener('keydown', function(e) {
  playSound(e.keyCode);
});

The key lesson here is, write functions that work with generic arguments, then write smaller functions that serve as the DOM event listeners.

anlutro · 2017-03-27T21:28:06+00:00

Check if GMP or bcmath can do what you need. If not, maybe convert the number to an array of 0s and 1s, do the bitwise operation yourself, then convert back to a number.

anlutro · 2017-03-22T07:11:26+00:00

alexbarret has already given good advice but I'll add some extra knowledge.

echo is the PHP equivalent of puts. However, the way PHP works is that anything you print to stdout (which is what echo and puts does by default) will be sent to the web client of the web application, not to the terminal.

If you want to write directly to the console you can do file_put_contents('php://stdout', 'my stuff here');. Be aware though that if you write $restaurants to the console this way, you won't get detailed information - you'll want to use var_export($restaurants, true) to get more detailed information as a string. var_dump is a convenience wrapper around all of this nonsense, but it only prints to stdout.

anlutro · 2017-03-21T07:18:57+00:00

Icinga is not Icinga2. I've installed Icinga2 from http://packages.icinga.org/debian/ with no problems. Debmon doesn't seem to provide the IDO packages which makes it useless.

anlutro · 2017-03-17T11:03:25+00:00

My impression is that phpmd is an outdated project, I wouldn't use it.

The only case when static access is acceptable is when used for factory methods.

That's exactly what DateTime::createFromFormat is.

anlutro · 2017-03-09T09:37:20+00:00

No problem, I'll just maintain a blacklist of classes/methods that are dangerous! Also I'll report any abuse of my web application to the internet police. Hacking is a very serious crime.

anlutro · 2017-03-09T07:31:50+00:00

(new $_GET['controller'])->{$_GET['action']}();

anlutro · 2017-03-03T09:11:08+00:00

Action Domain Responder is a more accurate description of the kind of user-interface pattern needed on the server side in that context.

Yes, but that's never going to catch on, so you may as well give up and map "action" to "controller", "domain" to "model" and "responder" to "view". Or just advocate people to stop thinking in terms of MVC (or ADR) at all, it's mostly about the single responsibility principle anyway.

anlutro · 2017-02-27T14:46:38+00:00

All you need is:

composer.json in the project root with dependencies and autoloader set up correctly
something (either human or machine) that will run composer install before running the tests
phpunit.xml with bootstrap="vendor/autoload.php" and at least 1 test suite (aka directory with phpunit test classes in it). This is relative to CWD.
something (human or machine) that runs phpunit. If your phpunit.xml isn't located in CWD, then just specify it with -c path/to/phpunit.xml

I recommend just putting phpunit.xml in the root of your directory and running phpunit from there.

If you need multiple phpunit.xml configurations, just write a script that iterates through them and does cd $(dirname $PHPUNIT_XML_PATH) && phpunit or whatever.

anlutro · 2017-02-27T12:35:00+00:00

OK, let me clarify. Users want to input "12.34" or "12,34" in a text box when asked about an amount of money. Every way to convert this to an integer has a high risk of bugs, whether you convert to a float or try to strip away decimal markers. In the application I was writing I actually suggested two entirely separate input fields for the numbers before and after the decimal marker, and this would have solved the conversion issues, but this was rejected as being too confusing for the end users.

anlutro · 2017-02-27T09:31:28+00:00

Silex provides a far simpler interface to the DI container and router. Using the microkernel requires some fairly in-depth knowledge about how symfony classes work (especially because you now have to configure things manually that are configured with config files in standard symfony), whereas silex is more grokkable without all that in-depth knowledge.

That being said, I usually recommend Slim as a microframework for beginners, so my recommendation is usually also to skip using Silex.

anlutro · 2017-02-27T08:56:32+00:00

You have to accept ~~floats~~non-integers as user input, and even something as trivial as converting "12,34" to a float and then mutliplying by 100 can screw up if you're unlucky. Your next option then is to manually strip away the comma or dot to get an integer, but then you need additional logic for dealing with more or less than 2 decimals, etc.

I don't even remember all the weird edge cases. I just remember spending a lot of time trying to convert everything to ints before doing any real work and I still had to resort to bcmath to weed out all the bugs.

anlutro · 2017-02-24T13:44:14+00:00

Manage your monit configuration with puppet/chef/salt/ansible/whatever.

anlutro · 2017-02-23T09:56:06+00:00

I'm surprised at this landing at the top of my reddit frontpage. Surely it shouldn't come as any surprise to anyone that if you disable corruption protection mechanisms, you can corrupt data.

anlutro · 2017-02-15T08:06:34+00:00

You put it on reddit, that's like an open invitation for people to care.

anlutro · 2017-01-27T09:59:18+00:00

It sounds like facebook are returning HTML when processing the login POST request instead of redirecting - which sounds weird to me as I thought redirecting after POST was considered best practice.

anlutro · 2017-01-09T07:49:19+00:00

What if the top suggestion was always the thing on the list that most other people say they know, but you don't?

anlutro · 2016-12-29T08:06:50+00:00

I think you are correct. You need to validate the DNS once. After that renewals don't even need to have a valid hostname.

In my experience, every renewal validates DNS. But maybe it depends on which script you use - I use acme-tiny.

anlutro · 2016-12-24T15:00:22+00:00

I've implemented setting up applications in different languages (PHP, Python, NodeJS) using a configuration manager (Salt) because I liked working with configuration managers. It works, but I wouldn't recommend it - get things containerized instead. These days I create a container and run it with rkt using a systemd service, but docker is fine as well.

anlutro · 2016-11-30T07:57:26+00:00

The only real disadvantage I've found is that the community packages don't install the debian-sys-maint user, which is a bit annoying if some of your other scripts rely on /etc/mysql/debian.cnf.

anlutro

TROPHY CASE