Recently I posted a news article on the CinciClassic site. CinciClassic is based on a PHP content management system called e107, which allows me to add items and manage them with little or no effort. It also features a forum, polls, and a pretty neat plugin system. Overall I’m pretty happy with it, except that it’s coded pretty loosely when it comes to security. At Penguicon 4.0, one of the presenters singled e107 out as having a particularly nasty implementation of cookie security that could easily allow for cross-site scripting. (My jaw literally hit the floor when I saw how the cookie was coded.) So I’ve been a little leery of e107 and of PHP. (My site was cracked on several occasions by malicious PHP attacks; those of you who remember the forum may remember one of them.) Using a PHP system for my blog took some doing, as I’ve been very cautious around PHP. There are certain interpretations of how things work that make me wonder why anyone would do what they did in that way.

Recently I added a news post in e107 for ECGXpo. I copy/pasted the text from the site, did some tweaking, and posted the article. Minutes later, Chuck (one of the organizers) messages me and says that the admission price is $15, not .00. I look, and see that it’s true. Gee golly willikers, I must’ve hacked the admission price. So sorry, I’ll fix that straightaway.

I bring up the editor, and notice that $15.00 is there in the text box. Odd, why is it not displaying? I try again, and it shows up as .00. Then it hits me: it thinks $15 is a variable! Why in the hell is it doing that? I try some experiments, and sure enough, it’s behaving as though it thinks $15 is a displayable variable. Worse, this is data that went to a database and came back. There’s no reason I can think of why it should be interpreted at all. I don’t think Perl would do something like that (although I haven’t tested to ensure that it wouldn’t, but I can’t remember putting in a case for removing that interpretation).
So what gives, PHP folk: why is the value ‘$15’, which is loaded from a database, getting interpreted as a variable? How is this even remotely useful for anything other than cracking sites? Is this just another example of loose coding in e107? If it is, how are they getting security so wrong? Enquiring minds want to know.
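One PHP pitfall that produces exactly this symptom, given here as an added example and not as e107’s code: if stored text is passed as the *replacement* argument of `preg_replace()`, then `$15` inside it is read as a backreference to capture group 15, and a group that doesn’t exist expands to nothing, so `$15.00` comes out as `.00`. Whether e107’s text parser took this particular path is an assumption; the sample post text and the `{text}` placeholder template are constructed for the example. (Plain double-quoted interpolation is not the culprit: PHP variable names can’t start with a digit, so `"$15"` stays literal.)

```php
<?php
// Added example (not e107's code). Assumption: the CMS renders a template by
// using stored post text as the replacement string of preg_replace().
// In a replacement string "$n" and "\n" are backreferences; "$15" names group 15,
// which this pattern doesn't have, so it expands to "" and "$15.00" becomes ".00".

$fromDb   = 'Admission is $15.00 at the door'; // constructed sample row content
$template = '<p>{text}</p>';                   // constructed template with a placeholder

// Buggy: untrusted text becomes the replacement string and is parsed for backreferences.
function renderBuggy(string $template, string $text): string
{
    return preg_replace('/\{text\}/', $text, $template);
}

// Safe: hand the text over through a callback, so it is never parsed as a
// replacement string, and HTML-escape it on the way out (the text came from a
// database, not from the template author, so treat it as data, not markup).
function renderSafe(string $template, string $text): string
{
    return preg_replace_callback(
        '/\{text\}/',
        function () use ($text) {
            return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
        },
        $template
    );
}

// Alternative when the replacement-string API can't be avoided: escape the two
// characters that have meaning there ("\" and "$") so they are taken literally.
function escapeReplacement(string $text): string
{
    return strtr($text, ['\\' => '\\\\', '$' => '\\$']);
}

echo renderBuggy($template, $fromDb), "\n";   // <p>Admission is .00 at the door</p>
echo renderSafe($template, $fromDb), "\n";    // <p>Admission is $15.00 at the door</p>
echo preg_replace('/\{text\}/', escapeReplacement($fromDb), $template), "\n";
                                              // <p>Admission is $15.00 at the door</p>
```

The same class of bug appears anywhere data is fed into a position the engine treats as code: a replacement string, a pattern built by concatenation, or (in old PHP) `preg_replace()` with the `/e` modifier, which actually `eval()`s the replacement. The check to make in a CMS is simply whether stored content ever reaches one of those arguments without going through a callback or an escape function.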