Possible registration Exploit


WiS3

Feb 9, 2013, 6:27:13 PM2/9/13
to uf...@googlegroups.com
I've found out that with the Firefox add-on 'Tamper Data' a user can add/edit the POST values for registration. For example, using the current database structure for the users table, if I do not let the user select the Group, by removing it from the form, with Tamper Data I can add it and insert any value. The same goes for every field in the users table.

I haven't been using this class for long, so maybe there is something I'm missing.

Matt

Mar 16, 2014, 2:54:56 PM3/16/14
to uf...@googlegroups.com
You are correct.

The default registration system seems extremely insecure. If I understand it correctly, it is mapping HTML input field names directly to database fields, and that sounds awfully scary.

If that is the case, you need to make sure you do validation on your own. On submission you must check to make sure all required fields exist, because if they don't you can get blank fields that shouldn't be blank (like username and email). But even more important is to make sure you aren't getting any extra fields. For example, if you had a field in your table for is_admin that defaults to 0, all someone would need to do is modify the registration request params, adding is_admin=1, and boom.

I love the idea of this class, but I'm too terrified to use it now without reading through the whole class to see what other security measures I would need to implement on my own.

Pablo Tejada

Mar 16, 2014, 8:04:59 PM3/16/14
to uf...@googlegroups.com

The demo does show passing the whole POST to the register method, which is far from ideal; it is just to keep the demo simple. The class does handle the sanitization of the data being inserted in the DB but does not control the fields that can be updated. The developer should be responsible for the list of fields being passed to the register and update methods.

--
Project's home page http://ptejada.com/projects/uFlex/
---
You received this message because you are subscribed to the Google Groups "uFlex" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/uflex/51def275-c2f5-4985-bc6d-92a84555a803%40googlegroups.com.

Matt

Mar 16, 2014, 8:11:09 PM3/16/14
to uf...@googlegroups.com
That makes a lot of sense. Typically, when you see examples of how to use a class, you'd expect them to show the way it should be used. If you grab the form data yourself and create your own array to pass to the class, it all makes a lot more sense to me now, thanks. You might want to put a comment on the examples on the site about that, though; I'm sure many people using this class just copy-pasted the example to create their project.
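Matt's is_admin=1 scenario and Pablo's answer (the developer, not the class, decides which fields reach the register and update methods) side by side in working code. This is an added example written for this page, not uFlex code, and it does not call uFlex at all: it uses plain PDO against a constructed in-memory SQLite users table (assumed: PHP 7.4+ with pdo_sqlite enabled), and the column names, the group_id default of 2 and the tampered request are all made up for the demonstration.

```php
<?php
// Added example for this thread, not uFlex code. Shows why passing the whole
// POST array to an insert is a mass-assignment hole, and the fix the thread
// describes: the developer builds the field list and sets privileged columns.
declare(strict_types=1);

// Constructed stand-in for the users table (assumption: columns and defaults).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT    NOT NULL,
    email    TEXT    NOT NULL,
    password TEXT    NOT NULL,
    group_id INTEGER NOT NULL DEFAULT 2,
    is_admin INTEGER NOT NULL DEFAULT 0
)');

// Vulnerable pattern: every key in the request becomes a column. The prepared
// statement stops SQL injection in the *values*, but it says nothing about
// which columns the client is allowed to write.
function insertFromRequest(PDO $pdo, array $fields): int
{
    $cols = array_keys($fields);
    $sql  = sprintf(
        'INSERT INTO users (%s) VALUES (%s)',
        implode(', ', array_map(fn(string $c) => '"' . $c . '"', $cols)),
        implode(', ', array_map(fn(string $c) => ':' . $c, $cols))
    );
    $stmt = $pdo->prepare($sql);
    $stmt->execute($fields);
    return (int) $pdo->lastInsertId();
}

// Hardened pattern: the registration form is allowed to supply exactly these
// keys, the required ones must be non-blank, and anything that grants
// privilege is set by the server. Extra keys added with Tamper Data are dropped.
function buildRegistrationFields(array $post): array
{
    $allowed  = ['username', 'email', 'password'];
    $required = ['username', 'email', 'password'];

    // Keep only allow-listed keys; everything else in the request is ignored.
    $fields = array_intersect_key($post, array_flip($allowed));

    foreach ($required as $name) {
        if (!isset($fields[$name]) || trim((string) $fields[$name]) === '') {
            throw new InvalidArgumentException("Missing required field: $name");
        }
    }

    // Privileged columns come from the server, never from the request.
    $fields['group_id'] = 2;   // assumed "regular user" group id
    $fields['is_admin'] = 0;
    $fields['password'] = password_hash((string) $fields['password'], PASSWORD_DEFAULT);
    return $fields;
}

// Constructed request as an attacker would send it after editing the POST
// body: the two extra keys are not in the HTML form at all.
$tampered = [
    'username' => 'mallory',
    'email'    => 'mallory@example.com',
    'password' => 'hunter2',
    'is_admin' => '1',
    'group_id' => '1',
];

$idBad  = insertFromRequest($pdo, $tampered);                           // request keys mapped straight to columns
$idGood = insertFromRequest($pdo, buildRegistrationFields($tampered));  // developer-built field list

$check = $pdo->prepare('SELECT is_admin, group_id FROM users WHERE id = ?');
foreach (['unfiltered' => $idBad, 'allow-listed' => $idGood] as $label => $id) {
    $check->execute([$id]);
    $row = $check->fetch(PDO::FETCH_ASSOC);
    printf("%-12s user %d: is_admin=%d group_id=%d\n", $label, $id, $row['is_admin'], $row['group_id']);
}
```

Run with `php mass_assignment.php`. The first row stores the attacker's is_admin and group_id values because the request decided the column list; the second row carries the server-side defaults because the only keys that survive `array_intersect_key` are the three the form is meant to send. The same `buildRegistrationFields`-style allow-list belongs in front of any update call too, since a profile-edit request can be tampered with in exactly the same way.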