Highcharts "exploit" and fix
Posted: Wed 26 Mar 2014 9:37 am
Hello everyone,
I'm quite new around here and although I've been here since last month, this is my first post.
Anyway, yesterday I started uploading this great tool - Highcharts - to my web site, with the script that is available here.
When I analysed the structure I found a potential flaw, or better said, a security risk.
At least in version 2.5, when wrong data is sent along with the request - within a certain parameter - the script will actually return a warning saying that the key is wrong and will tell you the right one straight away!
This is very dangerous, especially since we know that, although it is not advised, many people use the same password/key for several services. That way, anyone with bad intentions could (and will) get your key.
If you are using the same key/password for other services, those services could be compromised as well...
It is very simple to fix this security risk; you just have to find a small portion of code and change it (in my case it was in ImportCumulusFile.php and ImportCumulusRealTime.php):
When you find:
die('Error: Failed security key check:' . $param_key . ' ' . $key);
You should change it to
die('Error: Failed security key check:' . $param_key);
or something else with just a more generic error like (you can actually enter any other text of your choosing here):
die('Wrong security key');
It would probably be a good idea also for the author to change the code and re-upload it here so new installations won't be affected by this.
Best regards
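As an added example, not code from the post above or from the Cumulus/Highcharts import script, here are the two checks side by side in PHP: the leaky form the post quotes, and a hardened form that returns only a generic message. Besides not echoing $key, the hardened form stops reflecting the attacker-supplied $param_key back to the browser, compares the two values with hash_equals() so the comparison time does not depend on how many leading characters match, sends a 403 status so a rejected call is distinguishable from a successful one, and logs the failure server-side without the secret. The constant name CONFIGURED_KEY, the request parameter name "key" and the entry-point lines are assumptions for illustration; hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example: vulnerable key check beside a hardened one.
// CONFIGURED_KEY, the "key" request parameter and the entry point below
// are assumptions, not the real script's names.

// Assumed: the secret the site owner configured, normally loaded from a
// config file that is not web-accessible.
const CONFIGURED_KEY = 'replace-with-a-long-random-value';

// Leaky form, as quoted in the post. On a mismatch the response contains
// $key, so anyone who sends a wrong key is handed the right one. Shown
// for comparison only; do not use.
function checkKeyLeaky($paramKey, $key)
{
    if ($paramKey !== $key) {
        die('Error: Failed security key check:' . $paramKey . ' ' . $key);
    }
}

// Hardened form:
//  - generic message, nothing from the request or the config is echoed;
//  - hash_equals() compares in constant time (known value first);
//  - 403 status so clients and access logs can tell a rejection apart;
//  - failure is logged server-side with the source address, never the key.
function checkKeyHardened($paramKey, $key)
{
    if (!hash_equals($key, (string) $paramKey)) {
        $from = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'cli';
        error_log('Failed security key check from ' . $from);
        http_response_code(403);
        die('Wrong security key');
    }
}

// Assumed entry point: take the key from the request and run the hardened
// check before doing any import work.
$paramKey = isset($_GET['key']) ? $_GET['key'] : '';
checkKeyHardened($paramKey, CONFIGURED_KEY);
// ... the import continues here only after the check has passed.
```

In the real script the body of checkKeyHardened() is what would replace the single die() line the post points at; the constant-time comparison matters less than the generic message, but it costs nothing and removes a second, subtler channel for the same secret.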