[SUCS Devel] SUCS Blog System/Planet
andy at sucs.org
Fri Jan 30 13:03:49 GMT 2015
The inactivity of the system makes it not worth the effort of resolving the security issues, in my opinion.
I say we disable all functionality apart from viewing content, as soon as possible. I.e. Archive it.
Let's not get sentimental over it, if it's not actively used then there is very little point in maintaining it.
Sent from my iPad
> On 30 Jan 2015, at 12:37, Imran Hussain <imranh at sucs.org> wrote:
> So it has come to our attention that the blog system is not very secure, it doesn't sanitise user input properly.
> It tries to use addslashes() where it should be using ADOdb's ability to pass variables as parameters in execute and leaving it to do sanitisation.
> A very quick fix is to just find and replace all instances of addslashes() with pg_escape_string().
> However the code needs to be rewritten to make full use of ADOdb as there is some weirdness going on in some places.
> The work required to make the code nicer isn't worth the effort seeing how little use the system gets. Ripping it out is the way to go.
> On 31.12.2014 01:08, POVER A. (837850) wrote:
>> Archive the content, stick it on SUCS history for 2014 “Dec ?? - Blog
>> Archived” ?
> This would be the way to go, make the blog system purely a bunch of select statements keeping the data in the db.
>> It’s not actively used, like the forum, so I personally see no reason
>> for it to continue to feature on the website.
> Last blog post was 2 years ago this week.
> Imran Hussain
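The three approaches Imran's message contrasts (addslashes() glued into the SQL text, the pg_escape_string() stop-gap, and ADOdb bind parameters) as an added example. This is not the SUCS blog code; it assumes the ADOdb PostgreSQL driver, placeholder credentials, and a hypothetical table blog_posts(id, author, title, body).

```php
<?php
// Added example, not the SUCS blog system's code.
// Assumes: ADOdb is installed, the blog database is PostgreSQL, and a
// hypothetical table blog_posts(id, author, title, body) exists.
require_once 'adodb/adodb.inc.php';

function connectBlogDb(): ADOConnection {
    $db = NewADOConnection('postgres9');                       // ADOdb PostgreSQL driver
    $db->Connect('localhost', 'blog', 'placeholder-password', 'sucsblog'); // placeholder credentials
    return $db;
}

// BEFORE: the pattern the thread describes. addslashes() is a generic
// backslash escaper with no knowledge of PostgreSQL quoting rules, and the
// user value still becomes part of the SQL text the server parses.
function findPostsByAuthorUnsafe(ADOConnection $db, string $author): array {
    $sql = "SELECT id, title FROM blog_posts WHERE author = '"
         . addslashes($author) . "'";
    return $db->GetAll($sql);
}

// QUICK FIX from the thread: pg_escape_string() understands PostgreSQL's
// quoting, so it is strictly better than addslashes(). The value is still
// interpolated into the query string, so this remains a stop-gap.
// (Uses the default pg connection ADOdb opened; an assumption of this example.)
function findPostsByAuthorEscaped(ADOConnection $db, string $author): array {
    $sql = "SELECT id, title FROM blog_posts WHERE author = '"
         . pg_escape_string($author) . "'";
    return $db->GetAll($sql);
}

// PROPER FIX: ADOdb bind parameters. The SQL text contains only '?'
// placeholders; ADOdb hands the values to the driver separately, so a quote
// in the input is data, never syntax, and no escaping code is needed.
function findPostsByAuthor(ADOConnection $db, string $author): array {
    $sql = "SELECT id, title FROM blog_posts WHERE author = ?";
    return $db->GetAll($sql, [$author]);
}

function insertPost(ADOConnection $db, string $author, string $title, string $body): bool {
    $sql = "INSERT INTO blog_posts (author, title, body) VALUES (?, ?, ?)";
    return $db->Execute($sql, [$author, $title, $body]) !== false;
}

// Constructed sample input containing an apostrophe: with bind parameters it
// is stored and matched literally, and the query's shape cannot change.
$db = connectBlogDb();
insertPost($db, "O'Brien", "Hello", "first post");
var_dump(findPostsByAuthor($db, "O'Brien"));
```

To find the call sites the "find and replace" step would touch, grep the tree for addslashes( and check each one; the ones worth keeping at all are the ones that can be turned into a ? placeholder plus a bind array, as in findPostsByAuthor() above.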