
woda team mailing list archive

Re: WODA bug

 

Hello Claudio 

Do you remember this email?
This bug and some others happened because Ziga has removed part of the code from 
the "pro" version to the normal one.
As you know, the bug is located in sub evalTrouble which is called by sub 
evalSafe, called itself by sub wbParseSearch.
The code for evalTrouble has always been:
# returns '' if ok
sub evalTrouble {
    local ($_) = $_[0];
    return '';
}
As you see, searches never end in trouble!
That is because Ziga has (accidentally?) permanently hidden a piece of the code 
in that sub. Very basically, this removed code authorized only some Perl 
instructions (white list).
I plan to release the pro files in a week or so - merging versions is not so 
easy.

But in another email you've said
On Wednesday 30 April 2008 08:57:39, you wrote:
>sometimes it may be useful to search for a fake field so I think that
>double quoting the string inside the {} is still the best solution. The only
>dirty solution is filtering out the ';' but I don't know how to get around it.

I would like to know about that double quoted string you were talking about? 
or another solution you've found? It could help, because Ziga's solution is 
not so secure if one doesn't set up databases the way the "pro" version likes them.

best regards
xavier

On Saturday 26 April 2008 09:02:36, you wrote:
> Hi guys,
> 
> there is a major security issue in woda:
> try searching for: {system("ls")}
> in a woda web site!
> 
> claudio


Xavier
xavier@xxxxxxxxxxxxxx
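
An added example, not WODA's code and not the removed "pro" code: one way a white-list evalTrouble, as described in the message above, could vet a search expression before evalSafe evaluates it. The field names and the list of permitted words are assumptions, and the sample searches are constructed apart from the one quoted in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed allowlists: WODA's real field names and permitted words are not on the page.
my %OK_WORD  = map { $_ => 1 } qw(eq ne lt gt le ge and or not lc uc length);
my %OK_FIELD = map { $_ => 1 } qw(title author year);

# Same contract as the stub in the e-mail: returns '' if ok, else the reason.
# Symbolic < > / and arithmetic are left out on purpose: in term position
# Perl reads <...> as readline/glob and /.../ as a pattern match.
sub evalTrouble {
    my ($expr) = @_;
    return 'empty expression' unless defined $expr && $expr =~ /\S/;
    pos($expr) = 0;
    for ($expr) {
        while (1) {
            if    (/\G\s+/gc)           { }   # whitespace
            elsif (/\G\d+(?:\.\d+)?/gc) { }   # plain numeric literal
            elsif (/\G'[^'\\]*'/gc)     { }   # single-quoted, no escapes
            elsif (/\G"[^"\\\$\@]*"/gc) { }   # double-quoted, no interpolation
            elsif (/\G\$([A-Za-z_]\w*+)(?!')/gc) {   # field; ' is also a package separator
                return "unknown field \$" . $1 unless $OK_FIELD{$1};
            }
            elsif (/\G([A-Za-z_]\w*+)(?!')/gc) {     # bareword: operator or function name
                return "word '" . $1 . "' is not allowed" unless $OK_WORD{$1};
            }
            elsif (/\G(?:==|!=|&&|\|\||[!()])/gc) { }   # comparison, logic, grouping
            elsif (/\G\z/gc)            { return '' }   # reached the end: nothing rejected
            else {
                my $p = pos() // 0;
                return "character '" . substr($_, $p, 1) . "' at offset $p is not allowed";
            }
        }
    }
}

# Constructed sample searches; the second is the expression quoted in the thread.
for my $q (q{$year == 2008 && lc($title) eq 'woda'}, q{system("ls")},
           q{$title eq 'a'; 1}, q{$title eq "@{[ 1 ]}"}) {
    my $why = evalTrouble($q);
    printf "%-42s %s\n", $q, $why eq '' ? 'ok' : "rejected: $why";
}
```

The check is a tokenizer rather than a search for bad characters such as ';', so anything it does not recognise (statement separators, braces, backticks, interpolating strings, unlisted function names) is refused by default.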