Always surprised about MRBS insecurity…

While I was fixing bug #4 of Schoorbs, I noticed this part in the JavaScript code of edit_entry.php. It really represents the loss of security in MRBS. Relying on input checking by client-side JavaScript is one of the big mistakes that was made in the dot-com era, but it shouldn't still be made in the age of AJAX and more modern techniques.

// check that a room(s) has been selected
// this is needed as edit_entry_handler does not check that a room(s)
// has been chosen
if( document.forms["main"].elements['rooms[]'].selectedIndex == -1 )
{
alert("{get_vocab text="you_have_not_selected"}\n{get_vocab text="valid_room"}");
return false;
}

For all people who think client-side JavaScript input checking is secure: the input is not checked at all if your user doesn't have JavaScript enabled. And if someone really wants to do something bad, he won't even use your HTML form to send his data to you; he will add it raw to the GET parameters or the POST data, because there he is not restricted to the fields you give him.
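The only check that counts is the one the handler performs on the raw request, whatever produced it. As an added example (not code from MRBS or Schoorbs), here is a PHP validation of the rooms[] parameter that edit_entry_handler could run on $_POST; the function name validate_rooms, the sample room ids and the sample requests are all assumptions constructed for this illustration, standing in for the database lookup and the real requests.

```php
<?php
// Added example, not MRBS/Schoorbs code: server-side validation of rooms[],
// the check that the client-side JavaScript above cannot guarantee.
declare(strict_types=1);

/**
 * Return the selected room ids as a list of ints, or null if the request is
 * invalid. It works on the raw request array, so it does not matter whether
 * the data came from the HTML form, a hand-crafted POST or a GET string.
 *
 * $known_room_ids stands in for the ids the application would load from
 * its database (an assumption of this example).
 */
function validate_rooms(array $request, array $known_room_ids): ?array
{
    // The parameter must exist and must be an array (rooms[] in the form).
    if (!isset($request['rooms']) || !is_array($request['rooms'])) {
        return null;
    }

    $rooms = [];
    foreach ($request['rooms'] as $value) {
        // Accept only plain positive integers; FILTER_VALIDATE_INT rejects
        // "", "3abc", "1.5" and "0x10", and returns false for nested arrays.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            return null;
        }
        // The id must refer to a room that actually exists.
        if (!in_array($id, $known_room_ids, true)) {
            return null;
        }
        $rooms[$id] = $id; // de-duplicate repeated ids
    }

    // The JavaScript only asked "was anything selected?"; enforce that here too.
    if ($rooms === []) {
        return null;
    }
    return array_values($rooms);
}

// Constructed sample room ids, in place of a database lookup.
$known = [1, 2, 3, 7];

// Constructed requests: 'form' is what the HTML form sends; the others are
// what a client that bypasses the form (or has JavaScript disabled) can send.
$samples = [
    'form'        => ['rooms' => ['2', '7']],
    'missing'     => [],
    'empty'       => ['rooms' => []],
    'not_array'   => ['rooms' => '2'],
    'non_numeric' => ['rooms' => ['2', 'abc']],
    'unknown'     => ['rooms' => ['99']],
];

foreach ($samples as $label => $req) {
    $result = validate_rooms($req, $known);
    printf("%-12s %s\n", $label, $result === null ? 'rejected' : 'ok: ' . implode(',', $result));
}
```

In the handler, a null result should stop processing and re-display the form with the same "you have not selected a valid room" message; the JavaScript check then becomes what it should be, a convenience for the user rather than a security control.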

Some MRBS insiders might notice the {get_vocab …} statements, which aren't in MRBS: they are only my Smarty replacement for the get_vocab() PHP function. I ported this page a while ago to use Smarty as a template engine, and I'm now analysing the JavaScript code and refreshing it with jQuery.
