Vulnerability Development mailing list archives
Missing string length check in Horde
From: Andrea Parrella <yap () yapsoft it>
Date: Fri, 06 May 2005 20:13:16 +0200
The Horde Framework has several classes for the creation of forms. For example, to create a form with a domain field you just have to create an instance of the Horde_Form class and call the addVariable() method.

    $form->addVariable(_("Domain name"), "domain_name", "text", true, false, null, array("/^[a-zA-Z0-9\-\.]+$/", 60, 60));

addVariable() takes as its last argument an array that lets you specify some parameters depending on the field type. For the "text" field it takes 3 values: a regular expression to check the characters' validity, the size of the HTML textbox and the length of the inserted characters. In the case above, addVariable() generates:

    <input type="text" name="domain_name" size="60" value="" id="domain_name" maxlength="60" />

The most interesting thing about those classes is that they allow you to validate inputs: you can call the validate() method, which returns false if validation fails.

There isn't a check of the length in the text field. Even though the maxlength parameter is 60, if a malicious user tries to insert a longer text (overriding the browser limitation), the form will be validated. The last two parameters are only used to generate HTML tags.

This could lead to some security problems. If a developer assumes that the validate() method does the check itself and, for example, passes the string to a program which doesn't perform proper bounds checking, it could result in a buffer overflow.

On Sunday, I got in touch with the Horde Team and they added the patch to the CVS:
http://cvs.horde.org/diff.php/framework/Form/Form.php?r1=1.322&r2=1.323&ty=u

Regards
Andrea Parrella
http://www.yapsoft.it
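
The gap described in this post, as an added example that is not part of the original message and not Horde's code: a regex-only check accepts a value longer than the declared maxlength, while a server-side length check rejects it. The function names validate_regex_only() and validate_with_length() and the sample inputs are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not Horde_Form's implementation.

// Pattern from the post, used as the per-field character check.
const DOMAIN_REGEX = '/^[a-zA-Z0-9\-\.]+$/';

// Mirrors the behaviour described in the post: only the regex is applied;
// the length parameter is used for the HTML maxlength attribute alone.
function validate_regex_only(string $value, string $regex): bool
{
    return preg_match($regex, $value) === 1;
}

// Server-side check that also enforces the length the form declares.
// strlen() counts bytes, which is the unit that matters when the value is
// later handed to a program with a fixed-size buffer.
function validate_with_length(string $value, string $regex, int $maxlength): bool
{
    if (strlen($value) > $maxlength) {
        return false;
    }
    return preg_match($regex, $value) === 1;
}

// Constructed inputs: one within the limit, one sent by a client that
// ignores the maxlength="60" attribute of the generated <input> tag.
$samples = [
    'within limit' => 'mail.example.org',
    'over limit'   => str_repeat('a', 200) . '.example.org',
];

foreach ($samples as $label => $value) {
    printf(
        "%-12s len=%3d regex_only=%s with_length=%s\n",
        $label,
        strlen($value),
        var_export(validate_regex_only($value, DOMAIN_REGEX), true),
        var_export(validate_with_length($value, DOMAIN_REGEX, 60), true)
    );
}
```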