Cablegate security vulnerability

January 1, 2011

I recently found a security vulnerability on a cablegate site operated by politiken.dk. The almost obvious thing to do would have been to leak the vulnerability on wikileaks ;) Responsibility prevailed and I notified the site owner of the vulnerability. The site owner thanked me for the notification and fixed the problem. Kudos to politiken.dk for taking security seriously and being extremely responsive. In a future post I will explain how an alarmingly high number of other site owners could learn from politiken.dk.

The vulnerability

Based on the URL behind one of the site's top query terms (cable: Denmark), which points at index.php, it seems reasonable to assume the site is written in PHP. With that in mind, the crucial code around the form tag is probably something like:

<form method='get' action='index.php'>
<input name="search" value="<?php echo $_GET['search'];?>" />
<input type=submit name='getdata' value='Søg' />
</form>

This code echoes the untreated query string parameter search straight back into the value attribute. A carefully crafted URL can therefore close the attribute and the <input> tag and inject a <script> element that runs in the browser of anyone who follows the link. A sample URL testing for this with an alert box: http://91.214.23.156/cablegate/index.php?search="><script>alert(0)</script> Without a real domain name (the site is only available through its IP address) the value of this vulnerability is probably minimal, though anyone who can be persuaded to follow such a link still runs attacker-chosen script in that origin.

The lack of default input filtering in PHP means the developer has to filter all incoming data explicitly, or at least encode it before it is written into the page.

<?php
// Read the parameter from the query string (the form uses method='get') and
// HTML-encode '"<>& before it is echoed. filter_input() takes a single source
// such as INPUT_GET, not a bitmask of sources, and the parameter is 'search'.
$search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
?>
<form method='get' action='index.php'>
<input name="search" value="<?php echo $search;?>" />
<input type=submit name='getdata' value='Search' />
</form>

Turning on default filtering, so that every input is encoded without the developer having to remember it, is arguably the more robust solution. In PHP that is done by adding the following to php.ini (the ini name of FILTER_SANITIZE_SPECIAL_CHARS is special_chars; note that a trailing ; in php.ini starts a comment rather than ending the statement):

filter.default = special_chars

Be aware that this encodes every value in the request superglobals regardless of where it ends up, so data headed for a database or a JSON response gets mangled as well; encoding at the point of output, as in the snippet above, is the more precise fix, and PHP 8.1 deprecated the filter.default setting.

This class of vulnerability is not unique to PHP. Most other languages and frameworks lack default input filtering, the exploit would work the same way in them, and so would the fix: encode untrusted data for the context in which it is output.
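As an added example (my own code, not code from the post or from politiken.dk), here is the vulnerable form beside two hardened versions, run from the PHP command line against a constructed probe of the same shape as the URL above. The function and file names are assumptions: render_raw reproduces the echo-it-straight-back pattern, render_safe encodes at the point of output, and sanitize_search is the filter_input() approach rewritten over a plain array so that it runs outside a web request.

```php
<?php
// Added example, not from the original post: the vulnerable form next to two
// hardened renderings, run from the CLI against a constructed XSS probe.
// Run with: php xss_demo.php
declare(strict_types=1);

// The vulnerable pattern from the cablegate site: whatever it is handed is
// written straight into a double-quoted attribute without encoding.
function render_raw(string $search): string
{
    return "<form method='get' action='index.php'>\n"
         . "<input name=\"search\" value=\"" . $search . "\" />\n"
         . "<input type=submit name='getdata' value='Søg' />\n"
         . "</form>\n";
}

// Hardened rendering: encode for the HTML attribute context at the point of
// output. ENT_QUOTES encodes both ' and " so the value cannot close the
// attribute whichever quote style the template uses; ENT_SUBSTITUTE keeps
// invalid UTF-8 from silently emptying the string.
function render_safe(string $search): string
{
    $escaped = htmlspecialchars($search, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<form method='get' action='index.php'>\n"
         . "<input name=\"search\" value=\"" . $escaped . "\" />\n"
         . "<input type=submit name='getdata' value='Søg' />\n"
         . "</form>\n";
}

// The filter_input() approach from the post, over a plain array so it works
// from the CLI where filter_input(INPUT_GET, ...) has nothing to read.
// FILTER_SANITIZE_SPECIAL_CHARS HTML-encodes '"<>& and control characters,
// which is also what filter.default = special_chars does to $_GET for you.
function sanitize_search(array $get): string
{
    return (string) filter_var($get['search'] ?? '', FILTER_SANITIZE_SPECIAL_CHARS);
}

// Crude check of the kind a scanner does: did the probe's <script> tag
// survive unencoded in the response? (Constructed heuristic, not a detector.)
function reflects_script(string $html): bool
{
    return stripos($html, '<script>') !== false;
}

// Constructed probe, the decoded form of
// ?search=%22%3E%3Cscript%3Ealert(0)%3C/script%3E
$payload = '"><script>alert(0)</script>';

$cases = [
    'raw echo'         => render_raw($payload),
    'htmlspecialchars' => render_safe($payload),
    'filter_var'       => render_raw(sanitize_search(['search' => $payload])),
];

foreach ($cases as $label => $html) {
    printf("== %s: %s\n%s\n", $label,
        reflects_script($html) ? 'script reflected' : 'script encoded', $html);
}
```

The raw case prints the payload with the value attribute and the <input> tag closed and a live <script> element following them; the other two print &quot;&gt;&lt;script&gt;... and &#34;&#62;&#60;script&#62;... respectively, and the check reports the tag as encoded. Because the single quote is encoded in both hardened cases, the same output would also stay inside a single-quoted attribute.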
