The Elgg Community: (SQL Injection & Information Disclosure) OR "Why should we filter the Request-URI!"

http://community.elgg.org/mod/groups/topicposts.php?topic=344895&group_guid=3266

I recently tried to fix an information-disclosure [security] issue in my Elgg instance by filtering the offset parameter. Impact example: http://community.elgg.org/pg/groups/world/?offset=-40

The problem is that the filtered request var "offset" is not the variable used by the rendering methods. For example, get_input('offset') in "list_entities" returns the variable from $CONFIG->input (which is filled by parsed REQUEST_URI fragments) and not from $_REQUEST.

function get_input($variable, $default = "", $filter_result = true)
{
    global $CONFIG;

    // 1. Values parsed out of $_SERVER["REQUEST_URI"] take precedence.
    //    This copy never passed through the $_REQUEST filtering step.
    if (isset($CONFIG->input[$variable])) {
        $var = $CONFIG->input[$variable];

        if ($filter_result) {
            $var = filter_tags($var);
        }
        return $var;
    }

    // 2. Only if nothing was parsed from the URI is the (filtered)
    //    $_REQUEST superglobal consulted.
    if (isset($_REQUEST[$variable])) {

        if (is_array($_REQUEST[$variable])) {
            $var = $_REQUEST[$variable];
        } else {
            $var = trim($_REQUEST[$variable]);
        }

        if ($filter_result) {
            $var = filter_tags($var);
        }
        return $var;
    }

    // 3. Neither source had the variable.
    return $default;
}

I think the first problem is the order, because if the filtered request variable ($_REQUEST) is available, why should I use the one parsed from the server request URI ($_SERVER["REQUEST_URI"])? So maybe it would be necessary to change the order of the code sequences above (1 <=> 2)... what do you think? And the second issue is that filtering the request array is senseless if the system uses unfiltered vars taken from $_SERVER["REQUEST_URI"]. I think it's absolutely necessary to filter $_SERVER["REQUEST_URI"] by a hook or otherwise, because $_SERVER["REQUEST_URI"] is passed through markup as baseurl at several points (in the core), so the unfiltered vars will always find their way into the next request.

Maybe there is something (any structure, hook or otherwise) I haven't seen yet and there is already a way to control the REQUEST_URI and the vars parsed from it, but either way I would be glad to discuss this issue with some of you here.

Thank you and best regards

mbi
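As an added illustration (not Elgg core code and not part of the post above), the snippet below shows the two points the post raises in working form: a lookup that consults the filtered $_REQUEST before the REQUEST_URI-derived $CONFIG->input, and a paging helper that rejects values such as "-40" before they reach a query. The helper names raw_input and paging_input are hypothetical, and the populated $CONFIG->input / $_REQUEST values are constructed sample data.

```php
<?php
// Added example, not Elgg core code. Assumes $CONFIG->input is filled from
// parsed REQUEST_URI fragments and $_REQUEST has passed the filtering hook.

$CONFIG = new stdClass();
$CONFIG->input = array();

// Constructed sample request mirroring ?offset=-40 from the post.
$CONFIG->input['offset'] = '-40';   // raw copy parsed from REQUEST_URI
$_REQUEST['offset']      = '-40';   // copy that went through the filter

// Filtered superglobal first; the URI-derived copy is only a fallback.
function raw_input($variable, $default = null) {
    global $CONFIG;
    if (isset($_REQUEST[$variable])) {
        $value = $_REQUEST[$variable];
        return is_array($value) ? $value : trim($value);
    }
    if (isset($CONFIG->input[$variable])) {
        return $CONFIG->input[$variable];
    }
    return $default;
}

// Coerce a paging parameter to a bounded non-negative integer.
// Anything that is not a short plain decimal string (e.g. "-40", "", "1 OR 1")
// falls back to $default, so callers can interpolate the result with %d.
function paging_input($variable, $default, $max = 10000) {
    $value = raw_input($variable, $default);
    if (!is_int($value) && !is_string($value)) {
        return $default;
    }
    if (!preg_match('/^\d{1,9}$/', (string) $value)) {
        return $default;
    }
    return min((int) $value, $max);
}

$offset = paging_input('offset', 0);        // "-40" is rejected -> 0
$limit  = paging_input('limit', 10, 100);   // absent -> 10

// Both values are now guaranteed bounded integers.
$sql = sprintf('SELECT guid FROM entities LIMIT %d OFFSET %d', $limit, $offset);
echo $sql, "\n";
```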

Georg Westphalen
