I recently found a security vulnerability on a cablegate site operated by politiken.dk. The almost obvious thing to do would have been to leak the vulnerability on WikiLeaks. Responsibility prevailed and I notified the site owner of the vulnerability. The site owner thanked me for the notification and fixed the problem. Kudos to politiken.dk for taking security seriously and being extremely responsive. In a future post I will explain how an alarmingly high number of other site owners could learn from politiken.dk.
Based on one of the top query terms on the site, "cable: Denmark", it seems like a reasonable assumption that the site is written in PHP. With that in mind, the crucial code around the form tag is probably:
<form method='get' action='index.php'> <input name="search" value="<?php echo $_GET['search'];?>" /> <input type=submit name='getdata' value='Søg' /> </form>
The lack of default input filtering in PHP requires the developer to explicitly filter all data. Since the form is submitted with GET, the value is read from INPUT_GET and encoded before it is echoed back into the attribute:
<?php $search = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS); ?> <form method='get' action='index.php'> <input name="search" value="<?php echo $search;?>" /> <input type=submit name='getdata' value='Search' /> </form>
Turning on default filtering is a better solution. In PHP that is done by adding the following to php.ini (the setting takes a filter name from filter_list(), and the name for FILTER_SANITIZE_SPECIAL_CHARS is special_chars):
filter.default = special_chars
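As an added example that is not part of the original post or the site's code, the PHP below puts the two fixes side by side: the explicit filter_input() read from the corrected snippet, and a runtime check on the php.ini filter.default setting. It also shows the alternative of encoding at the output point with htmlspecialchars(), and verifies each variant by parsing the rendered form with DOMDocument. The sample value, the function names and the round-trip check are assumptions made for this demonstration, not anything from the site.

```php
<?php
// Added example, not code from the affected site or from this post. It assumes
// the GET form on index.php with one "search" parameter, as sketched above.
declare(strict_types=1);

// Writes an already-safe string into the attribute. Passing the raw query value
// here reproduces the original flaw: a double quote in the value closes the
// attribute and everything after it is parsed as markup.
function render_form(string $attributeValue): string
{
    return '<form method="get" action="index.php">'
         . '<input name="search" value="' . $attributeValue . '" />'
         . '<input type="submit" name="getdata" value="Search" />'
         . '</form>';
}

// Fix 1, the post's explicit filter: encode on the way in. The form is GET, so
// INPUT_GET is the type to pass; filter_input() takes exactly one input type.
// FILTER_SANITIZE_SPECIAL_CHARS encodes ' " < > & and control characters as
// numeric entities, so '"' comes back as '&#34;'.
function read_search_sanitized(): string
{
    // null when the parameter is absent, false if filtering fails
    $value = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
    return is_string($value) ? $value : '';
}

// Fix 2, encoding at the output point: keep the raw value and escape it for
// the attribute context when it is rendered. ENT_QUOTES covers both quote
// characters; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function escape_for_attribute(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Check for the php.ini route. filter.default is PHP_INI_PERDIR, so a script
// cannot turn it on, but it can confirm the setting is in force. PHP's
// built-in value is "unsafe_raw", which means no filtering at all.
function default_filter_active(): bool
{
    $name = (string) ini_get('filter.default');
    return $name !== '' && $name !== 'unsafe_raw';
}

// Verification: parse the rendered HTML and confirm the browser would see the
// search value as attribute text, i.e. it decodes back to the original string
// instead of spilling into new elements.
function value_round_trips(string $html, string $original): bool
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<!DOCTYPE html><meta charset="utf-8">' . $html);
    libxml_clear_errors();
    $inputs = $doc->getElementsByTagName('input');
    return $inputs->length > 0
        && $inputs->item(0)->getAttribute('value') === $original;
}

if (PHP_SAPI === 'cli') {
    // Constructed sample: a value that closes the attribute when reflected raw.
    $sample = '"><em>injected</em>';
    $cases = [
        'raw'       => render_form($sample),
        'sanitized' => render_form((string) filter_var($sample, FILTER_SANITIZE_SPECIAL_CHARS)),
        'escaped'   => render_form(escape_for_attribute($sample)),
    ];
    foreach ($cases as $label => $html) {
        printf("%-10s value intact: %s\n", $label, value_round_trips($html, $sample) ? 'yes' : 'no');
    }
    printf("filter.default active: %s\n", default_filter_active() ? 'yes' : 'no');
} else {
    // Pick one fix. Do not escape an already-sanitized value: the '&' in each
    // entity would be encoded again and the user would see a literal '&#34;'.
    echo render_form(read_search_sanitized());
}
```

Run it from the command line to see the comparison, or serve it as index.php to render the form. The two fixes are alternatives, not layers: sanitizing at input and escaping again at output double-encodes the ampersands. The php.ini route applies to $_GET, $_POST, $_COOKIE, $_REQUEST and $_SERVER at once, which is convenient but blunt, since data sanitized for HTML is then also what gets stored or passed to other contexts; the original data remains reachable through filter_input() with FILTER_UNSAFE_RAW.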
This vulnerability is not unique to PHP. Most other languages lack default input filtering, and the exploit would work similarly in those languages. The fix would also be similar.